政大機構典藏-National Chengchi University Institutional Repository(NCCUR):Item 140.119/153153
English  |  正體中文  |  简体中文  |  Post-Print筆數 : 27 |  Items with full text/Total items : 114014/145046 (79%)
Visitors : 52065824      Online Users : 631
RC Version 6.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
Scope Tips:
  • please add "double quotation mark" for query phrases to get precise results
  • please goto advance search for comprehansive author search
  • Adv. Search
    HomeLoginUploadHelpAboutAdminister Goto mobile version
    政大典藏 > College of Commerce > Department of MIS > Theses >  Item 140.119/153153
    Please use this identifier to cite or link to this item: https://nccur.lib.nccu.edu.tw/handle/140.119/153153


    Title: HTTP 攻擊封包酬載嵌入:透過歷時性語言模型
    HTTP Attack Payload Embedding by Diachronic Language Model
    Authors: 郭宇萍
    Kuo, Yu-Ping
    Contributors: 蕭舜文
    Hsiao, Shun-Wen
    郭宇萍
    Kuo, Yu-Ping
    Keywords: HTTP 攻擊封包酬載
    歷時性語言模型
    模型漂移
    模型更新
    HTTP attack packet payload
    Diachronic language model
    Model drift
    Model updating
    Date: 2024
    Issue Date: 2024-09-04 14:04:20 (UTC+8)
    Abstract: 近年來,網路威脅的變化日益迅速且複雜,駭客持續開發新攻擊手法以達成其目的。隨著人工智慧技術的進步,AI模型已成為檢測和預測網路威脅的重要工具。然而,由於網路安全情勢的複雜性和變動性,這些模型經常面臨預測能力下降和模型漂移的挑戰,而這些問題在實務應用時尤其需要被重視。

    在本研究中,我們提出了一個調查網路安全模型生命週期的框架,該框架將生命週期分為五個階段:模型初始化、訓練、推理、漂移評估和更新。我們選擇使用HTTP攻擊封包酬載、語言模型及 MITRE ATT&CK 策略分類任務來實作此框架,並證明了其有效性。

    我們的研究結果表明,持續預訓練語言模型能顯著提升模型在下游分類任務中的表現,尤其在長期推理方面。我們發現,全面微調整個分類模型不僅能有效減緩模型預測能力隨時間下降的現象,還能顯著提升模型表現的穩定性。此外,下游任務分類器的設計對整個分類模型的表現具有重大的影響。實驗結果指出,模型預測能力下降和模型漂移是經常性發生的問題,但僅使用20%的新資料即可顯著恢復模型表現,因此我們建議在出現這些問題時應及時更新模型,採用「歷時性」網絡安全模型對於有效防禦網絡威脅並確保對攻擊採取及時且適當的應對至關重要。
    In recent years, the landscape of cyber threats has become increasingly dynamic and complex, with hackers continuously developing new attack vectors to achieve their goals. With advancements in artificial intelligence technology, AI models have become important tools for detecting and predicting cyber threats. However, due to the complexity and volatility of the cybersecurity landscape, these models often face challenges such as a deterioration in predictive performance and model drift, which are particularly critical to address in practical applications.

    In this study, we propose a framework for investigating the lifecycle of cybersecurity models, dividing the lifecycle into five stages: model initialization, training, inference, drift assessment, and updating. We choose to implement this framework using HTTP attack payloads, language models, and the MITRE ATT&CK tactic classification tasks, demonstrating its effectiveness.

    Our findings reveal that further pre-training of language models can significantly enhance downstream classification performance, particularly for long-term inference. Fine-tuning the entire classification model not only effectively mitigates the decline in predictive capability over time but also significantly improves the stability of model performance. Additionally, the design of downstream task classifiers has a major impact on the performance of the entire classification model. Experimental results show that model deterioration and model drift are recurrent issues, but using just 20% of new data can significantly restore model performance. Therefore, we recommend promptly updating the model when these issues arise. Adopting a "diachronic" cybersecurity model is crucial for effectively defending against cyber threats and ensuring timely and appropriate responses to attacks.
    Reference: Ahmed, M. and Uddin, M. N. (2020). Cyber attack detection method based on nlp and ensemble learning approach. In 2020 23rd International Conference on Computer and Information Technology (ICCIT), pages 16. IEEE.
    Alaoui, R. L. et al. (2022). Web attacks detection using stacked generalization ensemble for lstms and word embedding. Procedia Computer Science, 215:687–696.
    Andresini, G., Pendlebury, F., Pierazzi, F., Loglisci, C., Appice, A., and Cavallaro, L. (2021). Insomnia: Towards concept-drift robustness in network intrusion detection. In Proceedings of the 14th ACM workshop on artificial intelligence and security, pages 111–122.
    Bojanowski, P., Grave, E., Joulin, A., and Mikolov, T. (2016). Enriching word vectors with subword information. arXiv preprint arXiv:1607.04606.
    Bro, P. V. (1998). A system for detecting network intruders in real-time. In Proc. 7th USENIX security symposium.
    Buber, E., Diri, B., and Sahingoz, O. K. (2018). Nlp based phishing attack detection from urls. In Intelligent Systems Design and Applications: 17th International Conference on Intelligent Systems Design and Applications (ISDA 2017) held in Delhi, India, December 14-16, 2017, pages 608–618. Springer.
    Check Point Software (2024). 2024 cyber security report. https://pages.checkpoint.com/2024-cyber-security-report. Accessed: 2024-07-01.
    Chen, W.-Z. and Hsiao, S.-W. (2023). An unsupervised learning approach for cyber attack analysis with http payload embedding. https://hdl.handle.net/11296/kadj42.
    Chen, Y., Hou, J., Li, Q., and Long, H. (2020). Ddos attack detection based on random forest. In 2020 IEEE International Conference on Progress in Informatics and Computing (PIC), pages 328–334. IEEE.
    Devlin, J., Chang, M.-W., Lee, K., and Toutanova, K. (2018). Bert: Pre-training of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805.
    Feldhans, R., Wilke, A., Heindorf, S., Shaker, M. H., Hammer, B., Ngonga Ngomo, A.C., and Hüllermeier, E. (2021). Drift detection in text data with document embeddings. In Intelligent Data Engineering and Automated Learning–IDEAL 2021: 22nd International Conference, IDEAL 2021, Manchester, UK, November 25–27, 2021, Proceedings
    22, pages 107–118. Springer.
    Ghanem, K., Aparicio-Navarro, F. J., Kyriakopoulos, K. G., Lambotharan, S., and Chambers, J. A. (2017). Support vector machine for network intrusion and cyber-attack detection. In 2017 sensor signal processing for defence conference (SSPD), pages 1–5. IEEE.
    Gniewkowski, M., Maciejewski, H., Surmacz, T., and Walentynowicz, W. (2023). Sec2vec: Anomaly detection in http traffic and malicious urls. In Proceedings of the 38th ACM/SIGAPP Symposium on Applied Computing, pages 1154–1162.
    Gniewkowski, M., Maciejewski, H., Surmacz, T. R., and Walentynowicz, W. (2021). Http2vec: Embedding of http requests for detection of anomalous traffic. arXiv preprint arXiv:2108.01763.
    Goodman, E. L., Zimmerman, C., and Hudson, C. (2020). Packet2vec: Utilizing word2vec for feature extraction in packet data. arXiv preprint arXiv:2004.14477.
    Greco, S. and Cerquitelli, T. (2021). Drift lens: Real-time unsupervised concept drift detection by evaluating per-label embedding distributions. In 2021 International Conference on Data Mining Workshops (ICDMW), pages 341–349. IEEE.
    Han, D., Wang, Z., Chen, W., Wang, K., Yu, R., Wang, S., Zhang, H., Wang, Z., Jin, M., Yang, J., et al. (2023). Anomaly detection in the open world: Normality shift detection, explanation, and adaptation. In NDSS.
    Hu, E. J., Shen, Y., Wallis, P., Allen-Zhu, Z., Li, Y., Wang, S., Wang, L., and Chen, W. (2021). Lora: Low-rank adaptation of large language models. arXiv preprint arXiv:2106.09685.
    Jang, J., Ye, S., Lee, C., Yang, S., Shin, J., Han, J., Kim, G., and Seo, M. (2022). Temporalwiki: A lifelong benchmark for training and evaluating ever-evolving language models. arXiv preprint arXiv:2204.14211.
    Jang, J., Ye, S., Yang, S., Shin, J., Han, J., Kim, G., Choi, S. J., and Seo, M. (2021). Towards continual knowledge learning of language models. arXiv preprint arXiv:2110.03215.
    Jemal, I., Haddar, M. A., Cheikhrouhou, O., and Mahfoudhi, A. (2021). Malicious http request detection using code-level convolutional neural network. In Risks and Security of Internet and Systems: 15th International Conference, CRiSIS 2020, Paris, France,
    November 4–6, 2020, Revised Selected Papers 15, pages 317–324. Springer.
    Jin, X., Zhang, D., Zhu, H., Xiao, W., Li, S.-W., Wei, X., Arnold, A., and Ren, X. (2021). Lifelong pretraining: Continually adapting language models to emerging corpora. arXiv preprint arXiv:2110.08534.
    Johnson, C., Khadka, B., Basnet, R. B., and Doleck, T. (2020). Towards detecting and classifying malicious urls using deep learning. J. Wirel. Mob. Networks Ubiquitous Comput. Dependable Appl., 11(4):31–48.
    Joulin, A., Grave, E., Bojanowski, P., and Mikolov, T. (2016). Bag of tricks for efficient text classification. arXiv preprint arXiv:1607.01759.
    Kim, J., Kim, J., Thu, H. L. T., and Kim, H. (2016). Long short term memory recurrent neural network classifier for intrusion detection. In 2016 international conference on platform technology and service (PlatCon), pages 1–5. IEEE.
    Kiss, I., Genge, B., and Haller, P. (2015). A clustering-based approach to detect cyber attacks in process control systems. In 2015 IEEE 13th international conference on industrial informatics (INDIN), pages 142–148. IEEE.
    Laughter, A., Omari, S., Szczurek, P., and Perry, J. (2021). Detection of malicious http requests using header and url features. In Proceedings of the Future Technologies Conference (FTC) 2020, Volume 2, pages 449–468. Springer.
    Le, H., Pham, Q., Sahoo, D., and Hoi, S. C. (2018). Urlnet: Learning a url representation with deep learning for malicious url detection. arXiv preprint arXiv:1802.03162.
    Li, J., Zhang, H., and Wei, Z. (2020). The weighted word2vec paragraph vectors for anomaly detection over http traffic. IEEE Access, 8:141787–141798.
    Lin, L.-H. and Hsiao, S.-W. (2022). Attack tactic identification by transfer learning of language model. arXiv preprint arXiv:2209.00263
    Liu, H., Lang, B., Liu, M., and Yan, H. (2019). Cnn and rnn based payload classification methods for attack detection. Knowledge-Based Systems, 163:332–341.
    Loureiro, D., Barbieri, F., Neves, L., Anke, L. E., and Camacho-Collados, J. (2022). Timelms: Diachronic language models from twitter. arXiv preprint arXiv:2202.03829.
    Mikolov, T., Chen, K., Corrado, G., and Dean, J. (2013). Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781.
    MITRE ATT&CK (2024). Mitre att&ck. https://attack.mitre.org/. Accessed: 2024-07-01.
    Parizad, A. and Hatziadoniu, C. J. (2022). Cyber-attack detection using principal component analysis and noisy clustering algorithms: A collaborative machine learning-based framework. IEEE Transactions on Smart Grid, 13(6):4848–4861.
    Primartha, R. and Tama, B. A. (2017). Anomaly detection using random forest: A performance revisited. In 2017 International conference on data and software engineering (ICoDSE), pages 1–6. IEEE.
    Raffel, C., Shazeer, N., Roberts, A., Lee, K., Narang, S., Matena, M., Zhou, Y., Li, W., and Liu, P. J. (2020). Exploring the limits of transfer learning with a unified text-to-text transformer. Journal of machine learning research, 21(140):1–67.
    Röttger, P. and Pierrehumbert, J. B. (2021). Temporal adaptation of bert and performance on downstream document classification: Insights from social media. arXiv preprint arXiv:2104.08116.
    Sanh, V., Debut, L., Chaumond, J., and Wolf, T. (2019). Distilbert, a distilled version of bert: smaller, faster, cheaper and lighter. arXiv preprint arXiv:1910.01108.
    Schwengber, B. H., Vergütz, A., Prates, N. G., and Nogueira, M. (2020). A method aware of concept drift for online botnet detection. In GLOBECOM 2020-2020 IEEE Global Communications Conference, pages 1–6. IEEE.
    Seyyar, Y. E., Yavuz, A. G., and Ünver, H. M. (2022). An attack detection framework based on bert and deep learning. IEEE Access, 10:68633–68644.
    Tekerek, A. (2021). A novel architecture for web-based attack detection using convolutional neural network. Computers & Security, 100:102096.
    Terai, A., Abe, S., Kojima, S., Takano, Y., and Koshijima, I. (2017). Cyber-attack detection for industrial control system monitoring with support vector machine based on communication profile. In 2017 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pages 132–138. IEEE.
    Trend Micro (2024). Calibrating expansion: 2023 annual cybersecurity report. https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/calibrating-expansion-2023-annual-cybersecurity-threat-report. Accessed: 2024-07-01.
    Wan, K., Liang, Y., and Yoon, S. (2024). Online drift detection with maximum concept discrepancy. arXiv preprint arXiv:2407.05375.
    Yu, Y., Yan, H., Guan, H., and Zhou, H. (2018). Deephttp: semantics-structure model with attention for anomalous http traffic detection and pattern mining. arXiv preprint arXiv:1810.12751.
    Zhang, M., Xu, B., Bai, S., Lu, S., and Lin, Z. (2017). A deep learning method to detect web attacks using a specially designed cnn. In Neural Information Processing: 24th International Conference, ICONIP 2017, Guangzhou, China, November 14–18, 2017, Proceedings, Part V 24, pages 828–836. Springer.
    Description: 碩士
    國立政治大學
    資訊管理學系
    111356026
    Source URI: http://thesis.lib.nccu.edu.tw/record/#G0111356026
    Data Type: thesis
    Appears in Collections:[Department of MIS] Theses

    Files in This Item:

    File Description SizeFormat
    602601.pdf3343KbAdobe PDF0View/Open


    All items in 政大典藏 are protected by copyright, with all rights reserved.


    社群 sharing

    著作權政策宣告 Copyright Announcement
    1.本網站之數位內容為國立政治大學所收錄之機構典藏,無償提供學術研究與公眾教育等公益性使用,惟仍請適度,合理使用本網站之內容,以尊重著作權人之權益。商業上之利用,則請先取得著作權人之授權。
    The digital content of this website is part of National Chengchi University Institutional Repository. It provides free access to academic research and public education for non-commercial use. Please utilize it in a proper and reasonable manner and respect the rights of copyright owners. For commercial use, please obtain authorization from the copyright owner in advance.

    2.本網站之製作,已盡力防止侵害著作權人之權益,如仍發現本網站之數位內容有侵害著作權人權益情事者,請權利人通知本網站維護人員(nccur@nccu.edu.tw),維護人員將立即採取移除該數位著作等補救措施。
    NCCU Institutional Repository is made to protect the interests of copyright owners. If you believe that any material on the website infringes copyright, please contact our staff(nccur@nccu.edu.tw). We will remove the work from the repository and investigate your claim.
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - Feedback