  • WANG Bin, GUO Yankai, QIAN Yaguan, WANG Jiamin, WANG Xing, GU Zhaoquan. Defense of Traffic Classifiers based on Convolutional Networks against Adversarial Examples[J]. Journal of Cyber Security, 2022, 7(1): 145-156
Defense of Traffic Classifiers based on Convolutional Networks against Adversarial Examples
WANG Bin1,2, GUO Yankai1, QIAN Yaguan1, WANG Jiamin1, WANG Xing2, GU Zhaoquan3
(1.School of Big Data Science, Zhejiang University of Science and Technology, Hangzhou 310023, China;2.Hangzhou Hikvision Network and Information Security Laboratory, Hangzhou 310052, China;3.Cyberspace Institute Advanced Technology, Guangzhou University, Guangzhou 510006, China)
With the rise of deep learning, deep neural networks have been successfully applied in many fields, but recent research shows that they are vulnerable to adversarial example attacks. Convolutional Neural Networks (CNNs), one type of deep neural network, have also been successfully applied to the classification of network traffic; however, recent research shows that CNNs are likewise vulnerable to adversarial examples. To improve the CNN traffic classifier's defense against adversarial example attacks, we first propose a batch-adversarial-training method, which uses the characteristics of error back-propagation in the training process to calculate the example gradient and the weight gradient simultaneously during error back-propagation. This method can improve the training efficiency. At the same time, since the adversarial examples used for training are generated on the target model, it can effectively defend against white-box attacks. To further improve the defense against black-box attacks, we propose an enhanced-adversarial-training method. To counter the transferability of adversarial examples, we craft the adversarial examples used in adversarial training on multiple substitute models for diversity. The benefit of this method is that the adversarial examples from these models will have misaligned gradients. We conduct experiments on the real traffic dataset USTC-TFC2016, crafting traffic composed of adversarial examples to simulate attacks. The experimental results show that, for white-box attacks, batch-adversarial-training can improve the classification accuracy on adversarial examples from 17.29% to 75.37%, and that, for black-box attacks, enhanced-adversarial-training can improve the classification accuracy on adversarial examples from 26.37% to 68.39%. Due to the black-box nature of deep neural networks, there is no consistent understanding of their working mechanism or of the real cause of adversarial examples. The next step is to further study the vulnerability mechanism of CNNs, so as to find a better method to improve the effect of adversarial training.
Key words:  traffic classification  adversarial examples  adversarial training
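
The abstract's idea that one back-propagation pass yields both the example gradient and the weight gradient can be illustrated as follows; this is an added example, not code from the paper. It assumes a linear sigmoid model standing in for the CNN, a sign-gradient perturbation bounded by `eps`, constructed flow features, and hypothetical function names.

```python
import math

def forward(w, b, x):
    """Sigmoid output of a linear stand-in for the CNN (assumption)."""
    z = sum(wi * xi for wi, xi in zip(w, x)) + b
    return 1.0 / (1.0 + math.exp(-z))

def loss(w, b, x, y):
    p = forward(w, b, x)
    return -(y * math.log(p) + (1 - y) * math.log(1 - p))

def backward(w, b, x, y):
    """One backward pass: the same error term gives both gradients."""
    err = forward(w, b, x) - y               # dLoss/dz for cross-entropy
    grad_w = [err * xi for xi in x]          # weight gradient
    grad_x = [err * wi for wi in w]          # example (input) gradient
    return grad_w, err, grad_x               # err is also dLoss/db

def sign(v):
    return (v > 0) - (v < 0)

def perturb(x, delta):
    return [min(1.0, max(0.0, xi + di)) for xi, di in zip(x, delta)]  # stay in [0, 1]

def adversarial_train(data, eps=0.1, lr=0.5, epochs=200, replays=2):
    w, b = [0.0] * len(data[0][0]), 0.0
    for _ in range(epochs):
        for x, y in data:
            delta = [0.0] * len(x)           # replay 1 sees the clean example
            for _ in range(replays):
                grad_w, grad_b, grad_x = backward(w, b, perturb(x, delta), y)
                w = [wi - lr * g for wi, g in zip(w, grad_w)]
                b -= lr * grad_b
                # Assumed sign-gradient step, clipped to the eps budget.
                delta = [max(-eps, min(eps, d + eps * sign(g)))
                         for d, g in zip(delta, grad_x)]
    return w, b

def robust_accuracy(w, b, data, eps):
    """Accuracy on white-box sign-gradient perturbations of each example."""
    hits = 0
    for x, y in data:
        x_adv = perturb(x, [eps * sign(g) for g in backward(w, b, x, y)[2]])
        hits += (forward(w, b, x_adv) > 0.5) == (y == 1)
    return hits / len(data)

# Constructed sample: two flow features scaled to [0, 1]; label 1 = malicious.
FLOWS = [([0.2, 0.3], 0), ([0.8, 0.7], 1), ([0.3, 0.2], 0), ([0.7, 0.8], 1),
         ([0.25, 0.25], 0), ([0.75, 0.75], 1), ([0.1, 0.3], 0), ([0.9, 0.7], 1)]
```

Because the perturbation is crafted from the gradient that the weight update already computed, each adversarial example costs no extra backward pass.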