Cite this article:
  • ZHOU Mengting, LIU Puchun, LI Yakai, TAI Jianwei, JIA Xiaoqi, WANG Ruiyi, DU Haichao, DU Yuejin. Combining Graph Neural Networks with Behavior Topology Maps For Malicious Container Detection Method [J]. Journal of Cyber Security, accepted.

DOI: 10.19363/J.cnki.cn10-1380/tn.2025.04.25
Submitted: 2024-02-01    Revised: 2024-03-27
Funding:
Combining Graph Neural Networks with Behavior Topology Maps For Malicious Container Detection Method
ZHOU Mengting, LIU Puchun, LI Yakai, TAI Jianwei, JIA Xiaoqi, WANG Ruiyi, DU Haichao, DU Yuejin
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
In recent years, with the rapid development of container technology, containers have played a crucial role in lightweight application deployment and efficient server resource scheduling. Despite their contribution to providing secure and lightweight runtime environments, the topic of container security is becoming more and more important, and malicious containers are emerging as a new threat. The accurate extraction of behavioral characteristics from malicious containers and their precise identification and classification have become a research focus in the field of cybersecurity. Current technologies primarily focus on container intrusion detection or anomaly monitoring. There is limited research on the analysis of malicious container behavior characteristics and the identification of malicious containers. Existing methods mainly detect specific types of malicious behavior within containers, resulting in a lack of comprehensive coverage and lower detection accuracy. To address these issues, this paper proposes a novel malicious container detection method combining graph neural networks with behavior topology maps. Specifically, the paper maps containers and system calls extracted from dynamic analysis into a large heterogeneous graph, transforming the malicious container detection problem into a node classification problem solvable by a deep learning model. On this basis, "container-system call" edges are constructed, forming a container behavioral topology graph. To analyze and extract high-dimensional features from the container behavioral topology graph, the paper designs a container behavior feature recognition model based on a graph attention network. It introduces a multi-head attention mechanism to enhance the feature learning capability of each layer of the graph neural network. The model iteratively generates node embeddings representing fused topological structures and node features. Finally, accurate behavioral graph embeddings are used to detect malicious containers. Experimental results demonstrate that the proposed method outperforms all state-of-the-art baseline models, achieving an overall classification accuracy of 99.81%. It also attains a 99.61% accuracy in classifying malicious containers from unknown families, showcasing strong generalization capabilities.
Key words:  malicious container detection  behavior topology maps  graph neural networks  deep learning
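The graph construction and attention aggregation the abstract describes, as an added illustration in plain numpy that is not the authors' code: constructed syscall traces for three containers (assumed, not from the paper) become a container-syscall topology graph with one-hot node features, and one multi-head graph-attention layer (coefficients from a^T[W h_i || W h_j] with LeakyReLU and a neighbourhood softmax) yields the container embeddings that a trained classifier head would consume. The weights are untrained and the traces, node features and head sizes are assumptions.

```python
# Added illustration, not the paper's code. TRACES are constructed syscall logs; features and weights are assumed.
import numpy as np

TRACES = {
    "c1": ["openat", "read", "write", "close"],
    "c2": ["openat", "read", "socket", "connect", "sendto"],
    "c3": ["ptrace", "mprotect", "socket", "connect", "execve"],
}

def build_graph(traces):
    """Heterogeneous graph: container nodes first, then syscall nodes; a container-syscall
    edge exists iff the syscall occurs in the trace. Self-loops added; one-hot node features."""
    containers = list(traces)
    syscalls = sorted({s for t in traces.values() for s in t})
    idx = {n: i for i, n in enumerate(containers + syscalls)}
    adj = np.eye(len(idx))
    for c, trace in traces.items():
        for s in set(trace):
            adj[idx[c], idx[s]] = adj[idx[s], idx[c]] = 1.0
    return adj, np.eye(len(idx))

def gat_layer(adj, h, heads):
    """One multi-head graph-attention layer. Per head (W, a): e_ij = LeakyReLU(a^T[W h_i || W h_j])
    for neighbours j, alpha = softmax_j(e_ij), out_i = sum_j alpha_ij W h_j; heads concatenated."""
    outs = []
    for W, a in heads:
        z, d = h @ W, W.shape[1]
        e = (z @ a[:d])[:, None] + (z @ a[d:])[None, :]
        e = np.where(e > 0, e, 0.2 * e)                # LeakyReLU, slope 0.2
        e = np.where(adj > 0, e, -np.inf)              # non-neighbours get zero attention
        alpha = np.exp(e - e.max(axis=1, keepdims=True))
        alpha = alpha / alpha.sum(axis=1, keepdims=True)
        outs.append(alpha @ z)
    return np.concatenate(outs, axis=1)

def container_embeddings(traces, n_heads=3, dim=8, seed=None):
    """Container-node embeddings. seed=None uses W=I, a=0 (uniform attention, so the
    result can be checked by hand); an integer seed gives random, untrained heads."""
    adj, feats = build_graph(traces)
    n = feats.shape[1]
    if seed is None:
        heads = [(np.eye(n), np.zeros(2 * n))]
    else:
        rng = np.random.default_rng(seed)
        heads = [(rng.normal(size=(n, dim)), rng.normal(size=2 * dim)) for _ in range(n_heads)]
    out = gat_layer(adj, feats, heads)
    return {c: out[i] for i, c in enumerate(traces)}

def cosine(u, v):
    return float(u @ v / (np.linalg.norm(u) * np.linalg.norm(v)))
```

With uniform attention, c2 and c3 (which share the socket and connect nodes) end up closer than c1 and c3, which share no syscall node; a trained model replaces the identity weights with learned ones.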