To solve the problems that RoQ covert attacks are hidden in overwhelming background traffic and difficult to identify, besides the existing samples are scarce and cannot provide large-scale learning data, an unsupervised detection method of RoQ covert attacks based on multilayer features was proposed under the condition of very little prior knowledge. First, considering that most normal flow might interfere with subsequent results, a classification method based on semi-supervised spectral clustering was studied by flow characteristics, so that the proportion of normal samples in the filtered traffic was close to 100%. Secondly, in order to distinguish the nuance between the hidden attack features and normal flow without relying on the attack samples, an unsupervised detection model based on the n-Shapelet subsequence was constructed by packet characteristics, and the subsequences with obvious difference were used, which enabled detection of RoQ convert attacks. Experimental results demonstrate that with only a small number of learning samples, the proposed method has higher precision and recall rate than existing methods, and is robust to evading attacks.

• 单位
  中国科学院大学