Encryption is now commonly used to secure network traffic in transit, but it also complicates malicious traffic detection because the packet payload is no longer visible. Graph-based methods are emerging as promising solutions, leveraging multi-host interactions to improve detection accuracy. However, most of them face a critical problem: Graph Drift, where the flow statistics or topological information of a graph change over time. To overcome this drawback, we propose a graph-assisted encrypted traffic detection system, MalMoE, which applies Mixture of Experts (MoE) to select the best expert model for drift-aware classification. In particular, we design 1-hop-GNN-like expert models that handle different graph drifts by analyzing graphs with different features. A redesigned gate model then selects experts according to the drift actually observed. MalMoE is trained with a stable two-stage training strategy with data augmentation, which effectively guides the gate in how to perform routing. Experiments on open-source, synthetic, and real-world datasets show that MalMoE can perform precise and real-time detection.