Machine learning (ML) based malicious traffic detection is an emerging security paradigm, particularly for zero-day attack detection, and is complementary to existing rule-based detection. However, existing ML-based detection suffers from low detection accuracy and low throughput caused by inefficient traffic feature extraction. Thus, these systems cannot detect attacks in real time, especially in high-throughput networks. Moreover, like existing rule-based detection, they can be easily evaded by sophisticated attacks. To this end, we propose Whisper, a real-time ML-based malicious traffic detection system that achieves both high accuracy and high throughput by utilizing frequency domain features. It utilizes sequential features represented by the frequency domain features to achieve bounded information loss, which ensures high detection accuracy, while constraining the scale of features to achieve high detection throughput. In particular, attackers cannot easily interfere with the frequency domain features, and thus Whisper is robust against various evasion attacks. Our experiments with 42 types of attacks demonstrate that, compared with the state-of-the-art systems, Whisper can accurately detect various sophisticated and stealthy attacks, achieving at most an 18.36% improvement, while achieving two orders of magnitude higher throughput. Even under various evasion attacks, Whisper is still able to maintain around 90% detection accuracy.
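As an added illustration (not the paper's code, and not its exact feature encoding), the Python sketch below shows the core idea the abstract describes: per-packet features become a sequence, each fixed-size window of that sequence is transformed with a DFT and log-scaled so that every window yields the same small number of features, and a flow is scored by its distance from benign windows. The packet encoding, the window size of 8 and the single-centroid scoring are assumptions of this example, and the traffic samples are constructed.

```python
import cmath
import math
import random
from typing import List, Sequence

Packet = tuple  # (length_bytes, inter_arrival_seconds)

def encode_packet(length: int, gap: float) -> float:
    # Hypothetical encoding (an assumption, not the paper's): fold the two
    # per-packet fields into one scalar so a flow becomes a 1-D sequence.
    return length * (1.0 + math.log1p(gap * 1000.0))

def frequency_features(packets: Sequence[Packet], window: int) -> List[List[float]]:
    """Encode packets, cut the sequence into fixed windows, DFT each window and
    keep the log-magnitude of bins 0..window//2. Each window yields exactly
    window//2 + 1 numbers regardless of flow length, which is what keeps the
    feature scale bounded while the packet ordering is still represented."""
    seq = [encode_packet(length, gap) for length, gap in packets]
    feats = []
    for start in range(0, len(seq) - window + 1, window):
        chunk = seq[start:start + window]
        row = []
        for k in range(window // 2 + 1):
            coeff = sum(x * cmath.exp(-2j * math.pi * k * n / window)
                        for n, x in enumerate(chunk))
            row.append(math.log1p(abs(coeff)))
        feats.append(row)
    return feats

def centroid(feats: List[List[float]]) -> List[float]:
    # Per-bin mean over benign training windows: a one-cluster stand-in for
    # the clustering step a real detector would learn from benign traffic.
    return [sum(col) / len(feats) for col in zip(*feats)]

def anomaly_score(feats: List[List[float]], center: List[float]) -> float:
    # Mean Euclidean distance of each window's features to the benign centroid.
    dists = [math.dist(row, center) for row in feats]
    return sum(dists) / len(dists)

def synth_benign(n: int, seed: int) -> List[Packet]:
    # Constructed sample traffic: varied sizes and spacing, as interactive use looks.
    rng = random.Random(seed)
    return [(rng.randint(100, 1500), rng.uniform(0.01, 0.2)) for _ in range(n)]

def synth_flood(n: int) -> List[Packet]:
    # Constructed sample flood: identical tiny packets sent back to back.
    return [(40, 0.0001)] * n

WINDOW = 8
BENIGN_CENTER = centroid(frequency_features(synth_benign(256, seed=1), WINDOW))

def score(packets: Sequence[Packet]) -> float:
    return anomaly_score(frequency_features(packets, WINDOW), BENIGN_CENTER)
```

A constant flood collapses every non-DC bin to (near) zero magnitude, so its windows land far from the benign centroid even though the per-window feature count is identical to benign traffic.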