Malicious mining behavior detection method and device based on content analysis
By extracting specific fields from network traffic and using Transformer to build a detection model, the problem of poor detection of malicious mining behavior caused by data imbalance is solved, and efficient and accurate identification of malicious mining behavior is achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- COMP NETWORK INFORMATION CENT CHINESE ACADEMY OF SCI
- Filing Date
- 2025-01-13
- Publication Date
- 2026-07-14
AI Technical Summary
Existing neural network-based malicious mining detection technologies suffer from poor detection performance due to data imbalance, making it difficult to effectively identify malicious mining behavior in network traffic.
By extracting specific fields from network traffic and converting them into token sequences, a detection model is built using Transformer. Malicious mining behavior is detected by combining a multi-head self-attention encoding layer and a sequence summator, and the model is optimized using a cross-entropy loss function and gradient descent.
It improves the accuracy and efficiency of malicious mining behavior detection, reduces the false alarm rate, can effectively identify various malicious mining characteristics, has efficient training capabilities and good long-distance dependency modeling capabilities, and can adapt to newly emerging malicious mining characteristics.
Smart Images

Figure CN122394818A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of internet data analysis technology, specifically to a method and apparatus for detecting malicious mining behavior based on content analysis. Background Technology
[0002] As the value of cryptocurrencies continues to rise, malicious mining, with its transparent returns and quick profits, has become the preferred choice for cybercriminals, leading to a sustained global surge in malicious mining activities.
[0003] Currently, malicious mining detection technologies based on neural networks suffer from poor performance because malicious mining traffic accounts for a small proportion of actual network traffic, resulting in a limited number of malicious mining samples that can be collected. This leads to an imbalance between positive and negative samples in the model's training data, further impairing the model's ability to detect malicious mining behavior in actual network traffic. Summary of the Invention
[0004] The purpose of this invention is to solve the problems existing in the prior art and to provide a method and device for detecting malicious mining behavior based on content analysis.
[0005] The malicious mining behavior detection method based on content analysis provided by this invention is implemented through the following technical solution: capturing network traffic; extracting specific fields from the network traffic and converting the specific fields into token sequences using a word segmentation converter, wherein the specific fields include any one or more of the following: reqheaders field, reqbodys field, respheaders field, or resbodys field; inputting the token sequence into a detection model for malicious mining behavior detection to obtain detection results, wherein the detection model is built based on Transformer; determining whether the network traffic contains malicious mining behavior based on the detection results; and outputting alarm information when the network traffic contains malicious mining behavior.
[0006] Furthermore, before inputting the token sequence into the detection model for malicious mining behavior detection and obtaining the detection result, the method further includes: mapping the token sequence to integer position information corresponding to a vocabulary; wherein, the vocabulary is constructed based on the word frequency of keywords during the data processing stage, the keywords in the vocabulary are arranged in ascending lexicographical order, and the integer position information is used to represent the position information of the keywords in the vocabulary; the step of inputting the token sequence into the detection model for malicious mining behavior detection and obtaining the detection result includes: inputting the token sequence into the embedding layer of the detection model for embedding processing to obtain embedding encoding information; inputting the embedding encoding information into the position encoding layer of the detection model to add position information to obtain position encoding information; the position encoding information carries absolute position information and relative position information, the absolute position information is used to represent the position of the input vector in the sequence, and the relative position information is used to represent the distance between different vectors in the token sequence; compressing the encoded information to a fixed length to obtain compressed encoding information, classifying the compressed encoding information, and obtaining the malicious mining behavior detection result.
[0007] Furthermore, the method also includes: constructing multiple cascaded multi-head self-attention coding layers in the detection model, and combining normalized sub-layers and inter-layer connections to form a Transformer encoder; each cascaded self-attention coding layer further performs layer normalization processing and multi-head self-attention coding based on the output information of the previous self-attention coding layer, until the last self-attention coding layer in the detection model outputs the final self-attention coding result; the final self-attention coding information is compressed to a fixed length using a sequence summer to obtain compressed coding information, and the final output layer maps the compressed coding information to traffic type to obtain the detection result.
[0008] Furthermore, the Transformer decoder is adjusted to obtain a sequence summarizer; in the sequence summarizer, a fixed-length summary sequence is used to replace the input embedding representation of the Transformer decoder, and the summary sequence is subjected to interactive attention operation with the encoding result output by the encoder to obtain compressed encoding information; the output layer outputs the probability distribution of samples on traffic categories obtained by softmax operation, where the traffic categories are mining traffic and benign traffic, and the output layer is a two-output fully connected layer; according to the probability distribution, the traffic category corresponding to the highest probability is taken as the prediction result of the model.
[0009] Furthermore, the method further includes: training an initial model to obtain the detection model; the training of the initial model to obtain the detection model includes: adjusting the learning rate of the adaptive moment estimation Adam optimizer by linearly restarting the learning rate scheduler; training the model based on the cross-entropy loss function and optimizing the model by gradient descent to obtain the detection model.
[0010] The malicious mining behavior detection device based on content analysis provided by this invention is implemented through the following technical solution: a capture module for capturing network traffic; an extraction module for extracting specific fields from the network traffic and converting the specific fields into a token sequence using a word segmentation converter, wherein the specific fields include any one or more of the following: reqheaders field, reqbodys field, respheaders field, or resbodys field; a detection module for inputting the token sequence into a detection model for malicious mining behavior detection and obtaining a detection result, wherein the detection model is built based on Transformer; and a judgment module for judging whether the network traffic contains malicious mining behavior based on the detection result; and outputting alarm information when the network traffic contains malicious mining behavior.
[0011] Furthermore, the device further includes: a mapping module, used to map the token sequence to integer position information corresponding to a vocabulary; wherein the vocabulary is constructed based on the word frequency of keywords during the data processing stage, the keywords in the vocabulary are arranged in ascending lexicographical order, and the integer position information is used to represent the position information of the keywords in the vocabulary; the detection module includes: an embedding submodule, used to input the token sequence into the embedding layer of the detection model for embedding processing to obtain embedding encoding information; a position encoding submodule, used to input the embedding encoding information into the position encoding layer of the detection model to add position information to obtain position encoding information; the position encoding information carries absolute position information and relative position information, the absolute position information is used to represent the position of the input vector in the sequence, and the relative position information is used to represent the distance between different vectors in the token sequence; and a detection submodule, used to detect malicious mining behavior on the encoded information to obtain detection results.
[0012] Furthermore, the device also includes: an encoder module, used to construct multiple cascaded multi-head self-attention coding layers in the detection model, and combine normalized sub-layers and inter-layer connections to form a Transformer encoder; each cascaded self-attention coding layer further performs layer normalization processing and multi-head self-attention coding based on the output information of the previous self-attention coding layer, until the last self-attention coding layer in the detection model outputs the final self-attention coding result; the final self-attention coding information is compressed to a fixed length using a sequence summer to obtain compressed coding information, and the final output layer maps the compressed coding information to traffic type to obtain the detection result.
[0013] Furthermore, the device also includes: a classification module, used to adjust the Transformer decoder to obtain a sequence summarizer; and in the sequence summarizer, a fixed-length summary sequence is used to replace the input embedding representation of the Transformer decoder, and the summary sequence is used to perform interactive attention operation with the encoding result output by the encoder to obtain compressed encoding information; the output layer outputs the probability distribution of samples on traffic categories obtained by softmax operation, wherein the traffic categories are mining traffic and benign traffic, and the output layer is a two-output fully connected layer; according to the probability distribution, the traffic category corresponding to the highest probability is taken as the prediction result of the model.
[0014] Furthermore, the device further includes: a training module for training an initial model to obtain the detection model; the training module is also used to adjust the learning rate of the adaptive moment estimation Adam optimizer by linearly restarting the learning rate scheduler; to train the model based on the cross-entropy loss function and to optimize the model by gradient descent to obtain the detection model.
[0015] Compared with the prior art, the beneficial effects of the present invention include:
[0016] 1. This invention extracts specific fields from network traffic for content analysis, enabling joint detection of multiple feature sequences. This allows for the effective acquisition of features of malicious mining behavior in scenarios with imbalanced malicious mining data, reducing the false alarm rate of malicious mining behavior detection through neural networks and thus improving the accuracy of malicious mining behavior detection through neural networks.
[0017] 2. This invention constructs a detection model for detecting malicious mining behavior using Transformer. It only needs to extract features related to mining behavior from network traffic, that is, only a small number of keywords from network traffic, and output a corresponding token classification result to realize the detection of malicious mining behavior in the network. This makes the model have a high inference speed. At the same time, Transformer has efficient training capabilities and excellent long-distance dependency modeling capabilities, which further improves the accuracy and efficiency of the detection model in detecting malicious mining behavior.
[0018] 3. This invention constructs multiple cascaded self-attention coding layers in the model. Each cascaded self-attention coding layer performs multi-head self-attention coding based on the output information of the previous self-attention coding layer until the last self-attention coding layer in the detection model outputs the final self-attention coding result. This allows for the extraction of higher-level features layer by layer, thereby further improving the accuracy of mining behavior detection.
[0019] 4. This invention uses a fixed-length summary sequence instead of the input embedding representation of the Transformer decoder, and compresses the encoding result to a fixed length through interactive attention operations, thus solving the problem of classifying variable-length data.
[0020] 5. Compared with existing detection methods based on blacklist matching and those targeting specific cryptocurrency timestamps, the detection model trained in this invention can fully utilize the global characteristics of mining traffic, reducing false alarms caused by the similarity of local features in benign traffic to mining traffic. This solves the problem of high alert processing workload due to high false alarm rates. Furthermore, the data-driven detection model can quickly adapt to various emerging malicious mining characteristics, improving the scalability of the detection method. Attached Figure Description
[0021] Figure 1 This is a schematic diagram of the malicious mining behavior detection method based on content analysis in this specific implementation.
[0022] Figure 2 This is another flowchart illustrating the malicious mining behavior detection method based on content analysis in this specific embodiment;
[0023] Figure 3 This is a schematic diagram of the malicious mining behavior detection device based on content analysis in this specific embodiment;
[0024] Figure 4 This is another structural schematic diagram of the malicious mining behavior detection device based on content analysis in this specific embodiment;
[0025] Figure 5This is another structural diagram of the malicious mining behavior detection device based on content analysis in this specific embodiment. Detailed Implementation
[0026] The present invention will now be described in further detail with reference to the accompanying drawings:
[0027] refer to Figure 1 As shown, the malicious mining behavior detection method based on content analysis in this specific embodiment includes:
[0028] 101. Capture network traffic.
[0029] In this embodiment of the invention, the desired network traffic can be captured using a preset traffic capture tool.
[0030] 102. Extract specific fields from the network traffic and convert the specific fields into token sequences using a word segmentation converter. The specific fields include any one or more of the following: reqheaders field, reqbodys field, respheaders field, or resbodys field.
[0031] In this embodiment of the invention, the token sequence obtained by the word segmentation converter can be used as natural language for detection in the model.
[0032] In this embodiment of the invention, by extracting specific fields from network traffic for content analysis, it is possible to support the joint detection of multiple feature sequences. This enables the effective acquisition of features of malicious mining behavior in the network under scenarios of imbalanced malicious mining data, thereby improving the accuracy of malicious mining behavior detection through neural networks.
[0033] 103. Input the token sequence into the detection model to detect malicious mining behavior and obtain the detection result. The detection model is built based on Transformer.
[0034] In this embodiment of the invention, the Transformer has been pre-adapted to the characteristics of traffic classification tasks.
[0035] 104. Determine whether the network traffic contains malicious mining behavior based on the detection results; when the network traffic contains malicious mining behavior, output alarm information.
[0036] Compared with existing technologies, the embodiments of the present invention can build a detection model for detecting malicious mining behavior through Transformer. It only needs to extract features related to mining behavior from network traffic, that is, only a small number of keywords from network traffic, and output a corresponding token classification result to realize the detection of malicious mining behavior in the network. This makes the model have a high inference speed. At the same time, Transformer has efficient training capabilities and excellent long-distance dependency modeling capabilities, which further improves the accuracy and efficiency of the detection model in detecting malicious mining behavior.
[0037] refer to Figure 2 As shown, another malicious mining behavior detection method based on content analysis in this specific embodiment includes:
[0038] 201. Capture network traffic.
[0039] In this embodiment of the invention, the desired network traffic can be captured using a preset traffic capture tool.
[0040] 202. Extract specific fields from the network traffic and convert the specific fields into token sequences using a word segmentation converter. The specific fields include any one or more of the following: reqheaders field, reqbodys field, respheaders field, or resbodys field.
[0041] In this embodiment of the invention, the token sequence obtained by the word segmentation converter can be used as natural language for detection in the model.
[0042] In this embodiment of the invention, by extracting specific fields from network traffic for content analysis, it is possible to support the joint detection of multiple feature sequences. This enables the effective acquisition of features of malicious mining behavior in the network under scenarios of imbalanced malicious mining data, thereby improving the accuracy of malicious mining behavior detection through neural networks.
[0043] 203. Map the token sequence to integer position information corresponding to the vocabulary.
[0044] The vocabulary is constructed based on the word frequency of keywords during the data processing stage. The keywords in the vocabulary are arranged in ascending lexicographical order, and the integer position information is used to represent the position information of the keywords in the vocabulary.
[0045] In this embodiment of the invention, before detecting malicious mining behavior through the model, two steps are included: inputting the sequence and embedding it, as detailed below:
[0046] (1) Input of the sequence: A list of integer sequences, the size of which depends on the feature dimension. In this embodiment of the invention, the traffic content is processed into a token sequence, which is equivalent to having only one feature dimension. The feature dimension can be expanded at any time if necessary, and this embodiment of the invention does not limit it.
[0047] (2) Sequence embedding: When there are multiple feature dimensions, the input sequences of different feature dimensions are embedded through different embedding layers. The specific process is to map the tokens in the sequence into vectors, which are word vectors in the field of natural language processing. After training, the vectors store the semantic information of the tokens learned by the model.
[0048] 204. Input the token sequence into the embedding layer of the detection model for embedding processing to obtain embedding encoding information; input the embedding encoding information into the position encoding layer of the detection model to add position information to obtain position encoding information.
[0049] The positional encoding information carries both absolute and relative positional information. The absolute positional information represents the position of the input vector within the sequence, while the relative positional information represents the distance between different vectors in the token sequence. In this embodiment of the invention, by adding positional information to the encoding method, the semantic information of words can be converted into a representation of the meaning of a sentence, and information from different vectors can be fused.
[0050] For embodiments of the present invention, it should be noted that the number of times the position code is added depends on the way the position information is added. Generally, the fixed position code contains both relative and absolute position information and only needs to be added once after embedding.
[0051] In this embodiment of the invention, absolute position information can also be added by adding a mask to the input sequence. Furthermore, to prevent the loss of this information during subsequent interactions, the same mask must be added to all subsequent attention operations. When adding absolute position information using a mask in a classification model for mining traffic detection, the starting position of the position encoding can be randomly rotated to make it difficult for it to carry absolute position information, thereby enhancing the model's generalization ability and enabling it to handle traffic data of different lengths.
[0052] In this embodiment of the invention, "multi-head" in multi-head self-attention computation refers to dividing a vector into multiple segments according to a preset rule. For example, dividing a vector into multiple segments with head=4 means dividing a 64-dimensional vector into four 16-dimensional vectors, performing self-attention operations on each segment, and finally having all vectors interact through a fully connected network of [64, d_hidden, 64], where d_hidden is the dimension of the hidden layer.
[0053] In this embodiment of the invention, "self-attention calculation" in multi-head self-attention calculation refers to scaling the dot product of any two vector sequences among multiple vectors to obtain a score matrix, and then performing a softmax operation to obtain the corresponding probability value.
[0054] 205. Compress the encoded information to a fixed length to obtain compressed encoded information. Classify the compressed encoded information to obtain the detection results of malicious mining behavior.
[0055] In this embodiment of the invention, the Transformer has been pre-adapted to the characteristics of traffic classification tasks.
[0056] In this embodiment of the invention, multiple cascaded multi-head self-attention coding layers can be constructed in the detection model, and combined with normalized sub-layers and inter-layer connections to form a Transformer encoder; each cascaded self-attention coding layer further performs layer normalization processing and multi-head self-attention coding based on the output information of the previous self-attention coding layer, until the last self-attention coding layer in the detection model outputs the final self-attention coding result; the final self-attention coding information is compressed to a fixed length using a sequence summer to obtain compressed coding information, and the final output layer maps the compressed coding information to traffic type to obtain the detection result.
[0057] In this embodiment of the invention, the Transformer decoder can be adjusted to obtain a sequence summarizer. In the sequence summarizer, a fixed-length summary sequence is used to replace the input embedding representation of the Transformer decoder. The summary sequence and the encoding result output by the encoder are subjected to interactive attention operation to obtain compressed encoding information. The output layer outputs the probability distribution of samples on traffic categories obtained by softmax operation, where the traffic categories are mining traffic and benign traffic. The output layer is a two-output fully connected layer. According to the probability distribution, the traffic category corresponding to the highest probability is taken as the prediction result of the model.
[0058] In this invention, the classification part consists of a sequence summarizer and an output layer. The sequence summarizer summarizes the encoded result containing global traffic features into a fixed-length compressed encoded result. The sequence summarizer is a Transformer decoder modified for the traffic classification task, which contains a fixed-length learnable summary sequence. Interactive attention operations are performed between the summary sequence and the encoder output to compress the encoded result to a fixed length. The output layer is a fully connected neural network. The compressed encoded result is fed into the fully connected layer with two outputs, and the outputs are passed through a softmax function to obtain the probability distribution of traffic types. The traffic type corresponding to the highest probability is the model's classification result.
[0059] In this embodiment of the invention, by constructing multiple cascaded self-attention coding layers in the model, each cascaded self-attention coding layer further performs multi-head self-attention coding based on the output information of the previous self-attention coding layer, until the last self-attention coding layer in the detection model outputs the final self-attention coding result, higher-level features can be extracted layer by layer, thereby further improving the accuracy of mining behavior detection.
[0060] This invention uses a fixed-length summary sequence instead of the input embedding representation of the Transformer decoder, and compresses the encoding result to a fixed length through interactive attention operations, thus solving the problem of classifying variable-length data.
[0061] 206. Determine whether the network traffic contains malicious mining behavior based on the detection results; when the network traffic contains malicious mining behavior, output alarm information.
[0062] In this embodiment of the invention, the method further includes: training the initial model to obtain the detection model. Specifically: adjusting the learning rate of the adaptive moment estimation Adam optimizer by linearly restarting the learning rate scheduler; training the model based on the cross-entropy loss function; and optimizing the model by gradient descent to obtain the detection model.
[0063] The Adam optimizer adjusts the gradient distribution during gradient updates and can adjust the gradient of individual parameters according to the actual situation. The linearly restarting learning rate scheduler is responsible for adjusting the learning rate based on the changes in the loss function during training. Specifically, it starts from 1e-6 and gradually increases in units of 1e-6. When the loss value fluctuates significantly and triggers the adjustment condition, the learning rate is reset.
[0064] In this embodiment of the invention, the technical solution can achieve a large learning rate when the loss surface is smooth, which greatly accelerates the model convergence speed. When the loss surface is relatively rough, the learning rate fluctuates near the starting point and has a certain degree of exploratory nature, allowing the model to temporarily jump out of the local optimum with an excessively high learning rate.
[0065] In a further embodiment of the present invention, the data can be divided into a training dataset and a test dataset in an 8:2 ratio, and the training dataset can be used for 8 rounds of training. After 8 rounds of training, the loss function values of each group of the model tend to stabilize, that is, the training is completed and the detection model is obtained.
[0066] One existing detection method is rule matching based on blacklists, which is easily circumvented by miner trojan creators, making it difficult to detect malicious mining behavior. Another existing method compares timestamps of specific cryptocurrencies, requiring connection to a mining pool to obtain real-time block creation information, thus increasing the practical difficulty of detection. Compared with existing blacklist-based and cryptocurrency-specific timestamp-based detection methods, this invention uses a trained detection model to detect malicious mining behavior in real-time network traffic. This model can detect various types of malicious mining behavior, quickly adapt to emerging malicious mining characteristics, and improve the scalability of the detection method.
[0067] Compared with existing technologies, the embodiments of the present invention can build a detection model for detecting malicious mining behavior through Transformer. It only needs to extract features related to mining behavior from network traffic, that is, only a small number of keywords from network traffic, and output a corresponding token classification result to realize the detection of malicious mining behavior in the network. This makes the model have a high inference speed. At the same time, Transformer has efficient training capabilities and excellent long-distance dependency modeling capabilities, which further improves the accuracy and efficiency of the detection model in detecting malicious mining behavior.
[0068] refer to Figure 3 As shown, the malicious mining behavior detection device based on content analysis in this specific embodiment includes:
[0069] The capture module 31 is used to capture network traffic.
[0070] Extraction module 32 is used to extract specific fields from the network traffic and convert the specific fields into token sequences through a word segmentation converter. The specific fields include any one or more of the following: reqheaders field, reqbodys field, respheaders field, or resbodys field.
[0071] The detection module 33 is used to input the token sequence into the detection model to detect malicious mining behavior and obtain the detection result. The detection model is built based on Transformer.
[0072] The judgment module 34 is used to determine whether the network traffic contains malicious mining behavior based on the detection result; when the network traffic contains malicious mining behavior, it outputs alarm information.
[0073] refer to Figure 4 As shown, the device further includes: a mapping module 35, an encoder module 36, a classification module 37, and a training module 38.
[0074] The mapping module 35 is used to map the token sequence to integer position information corresponding to the vocabulary; wherein, the vocabulary is constructed based on the word frequency of the keywords during the data processing stage, the keywords in the vocabulary are arranged in ascending order according to lexicographical order, and the integer position information is used to represent the position information of the keywords in the vocabulary.
[0075] refer to Figure 5 As shown, the detection module 33 further includes: an embedding submodule 3301, a position encoding submodule 3302, and a detection submodule 3303.
[0076] The embedding submodule 3301 is used to input the token sequence into the embedding layer of the detection model for embedding processing to obtain embedding encoding information.
[0077] The position encoding submodule 3302 is used to input the embedded encoding information into the position encoding layer of the detection model to add position information and obtain position encoding information; the position encoding information carries absolute position information and relative position information, the absolute position information is used to characterize the position of the input vector in the sequence, and the relative position information is used to characterize the distance between different vectors in the token sequence.
[0078] The detection submodule 3303 is used to compress the encoded information to a fixed length to obtain compressed encoded information, classify the compressed encoded information, and obtain the detection results of malicious mining behavior.
[0079] The encoder module 36 is used to construct multiple cascaded multi-head self-attention coding layers in the detection model, and combine them with normalized sub-layers and inter-layer connections to form a Transformer encoder. Each cascaded self-attention coding layer further performs layer normalization processing and multi-head self-attention coding based on the output information of the previous self-attention coding layer, until the last self-attention coding layer in the detection model outputs the final self-attention coding result. The final self-attention coding information is compressed to a fixed length using a sequence summer to obtain compressed coding information. Finally, the output layer maps the compressed coding information to the traffic type to obtain the detection result.
[0080] The classification module 37 is used to adjust the Transformer decoder to obtain a sequence summarizer; in the sequence summarizer, a fixed-length summary sequence is used to replace the input embedding representation of the Transformer decoder, and the summary sequence is used to perform interactive attention operation with the encoding result output by the encoder to obtain compressed encoding information; the output layer outputs the probability distribution of samples on the traffic category obtained by the softmax operation, wherein the traffic category is mining traffic and benign traffic, and the output layer is a two-output fully connected layer; according to the probability distribution, the traffic category corresponding to the highest probability is taken as the prediction result of the model.
[0081] Training module 38 is used to train the initial model to obtain the detection model.
[0082] Training module 38 is also used to adjust the learning rate of the adaptive moment estimation Adam optimizer by linearly restarting the learning rate scheduler; to train the model based on the cross-entropy loss function and to optimize the model by gradient descent, thereby obtaining the detection model.
[0083] The malicious mining behavior detection device based on content analysis provided in this specific embodiment can implement the method implementation method described above. For specific functional implementation, please refer to the description in the method embodiment, which will not be repeated here.
[0084] The above technical solution is only one embodiment of the present invention. For those skilled in the art, based on the principles disclosed in the present invention, it is easy to make various types of improvements or modifications, and not limited to the technical solutions described in the specific embodiments of the present invention. Therefore, the foregoing description is only a preferred option and is not restrictive.
Claims
1. A method for detecting malicious mining behavior based on content analysis, characterized in that, include: Capture network traffic; Extract specific fields from the network traffic and convert them into token sequences using a word segmentation converter. The specific fields include any one or more of the following: reqheaders field, reqbodys field, respheaders field, or resbodys field. The token sequence is input into the detection model to detect malicious mining behavior, and the detection result is obtained. The detection model is built based on Transformer. Based on the detection results, determine whether the network traffic contains malicious mining behavior; When the network traffic contains malicious mining activities, an alarm message is output.
2. The malicious mining behavior detection method based on content analysis according to claim 1, characterized in that, Before inputting the token sequence into the detection model to detect malicious mining behavior and obtaining the detection result, the method further includes: The token sequence is mapped to integer position information corresponding to the vocabulary; wherein, the vocabulary is constructed based on the word frequency of the keywords during the data processing stage, the keywords in the vocabulary are arranged in ascending order according to lexicographical order, and the integer position information is used to represent the position information of the keywords in the vocabulary; The step of inputting the token sequence into the detection model to detect malicious mining behavior and obtaining the detection result includes: The token sequence is input into the embedding layer of the detection model for embedding processing to obtain embedded encoding information; The embedded encoding information is input into the position encoding layer of the detection model to add position information, thereby obtaining position encoding information; the position encoding information carries absolute position information and relative position information, the absolute position information is used to characterize the position of the input vector in the sequence, and the relative position information is used to characterize the distance between different vectors in the token sequence; The encoded information is compressed to a fixed length to obtain compressed encoded information. The compressed encoded information is then classified to obtain the results of malicious mining behavior detection.
3. The malicious mining behavior detection method based on content analysis according to claim 2, the method further includes: In the detection model, multiple cascaded multi-head self-attention coding layers are constructed, and a Transformer encoder is formed by combining normalized sub-layers and inter-layer connections. Each cascaded self-attention coding layer further performs layer normalization and multi-head self-attention coding based on the output information of the previous self-attention coding layer, until the last self-attention coding layer in the detection model outputs the final self-attention coding result; The final self-attention encoded information is compressed to a fixed length using a sequence summator to obtain compressed encoded information. Finally, the output layer maps the compressed encoded information to traffic type to obtain the detection result.
4. The malicious mining behavior detection method based on content analysis according to claim 2, the method further includes: The sequence summarizer is obtained by adjusting the Transformer decoder; In the sequence summarizer, a fixed-length summary sequence is used instead of the input embedding representation of the Transformer decoder. The summary sequence is then used in an interactive attention operation with the encoding result output by the encoder to obtain compressed encoding information. The output layer outputs the probability distribution of samples in the traffic category obtained by softmax operation, where the traffic category is mining traffic and benign traffic, and the output layer is a two-output fully connected layer. Based on the probability distribution, the traffic category corresponding to the highest probability is taken as the prediction result of the model.
5. The method for detecting malicious mining behavior based on content analysis according to claim 1, the method further includes: The detection model is obtained by training the initial model; The process of training the initial model to obtain the detection model includes: The learning rate of the Adam optimizer is adjusted by linearly restarting the learning rate scheduler; The detection model is obtained by training the model based on the cross-entropy loss function and optimizing the model through gradient descent.
6. A malicious mining behavior detection device based on content analysis, characterized in that, include: The capture module is used to capture network traffic; An extraction module is used to extract specific fields from the network traffic and convert the specific fields into a token sequence using a word segmentation converter. The specific fields include any one or more of the following: The reqheaders field, reqbodys field, respheaders field, or resbodys field; The detection module is used to input the token sequence into the detection model to detect malicious mining behavior and obtain the detection result. The detection model is built based on Transformer. The judgment module is used to determine whether the network traffic contains malicious mining behavior based on the detection results; When the network traffic contains malicious mining activities, an alarm message is output.
7. The malicious mining behavior detection device based on content analysis according to claim 6, characterized in that, The device further includes: A mapping module is used to map the token sequence to integer position information corresponding to a vocabulary; wherein, the vocabulary is constructed based on the word frequency of the keywords during the data processing stage, the keywords in the vocabulary are arranged in ascending lexicographical order, and the integer position information is used to represent the position information of the keywords in the vocabulary; The detection module includes: The embedding submodule is used to input the token sequence into the embedding layer of the detection model for embedding processing to obtain embedding encoding information; The position encoding submodule is used to input the embedded encoding information into the position encoding layer of the detection model to add position information, thereby obtaining position encoding information; the position encoding information carries absolute position information and relative position information, the absolute position information is used to characterize the position of the input vector in the sequence, and the relative position information is used to characterize the distance between different vectors in the token sequence; The detection submodule is used to compress the encoded information to a fixed length to obtain compressed encoded information, classify the compressed encoded information, and obtain the detection results of malicious mining behavior.
8. The malicious mining behavior detection device based on content analysis according to claim 7, the device further comprising: The encoder module is used to construct multiple cascaded multi-head self-attention coding layers in the detection model, and combine them with normalized sub-layers and inter-layer connections to form a Transformer encoder. Each cascaded self-attention coding layer further performs layer normalization processing and multi-head self-attention coding based on the output information of the previous self-attention coding layer, until the last self-attention coding layer in the detection model outputs the final self-attention coding result. The final self-attention coding information is compressed to a fixed length using a sequence summer to obtain compressed coding information. Finally, the output layer maps the compressed coding information to traffic type to obtain the detection result.
9. The malicious mining behavior detection device based on content analysis according to claim 7, the device further comprising: The classification module is used to adjust the Transformer decoder to obtain the sequence summarizer; In the sequence summarizer, a fixed-length summary sequence is used to replace the input embedding representation of the Transformer decoder. The summary sequence is then used in an interactive attention operation with the encoding result output by the encoder to obtain compressed encoding information. The output layer outputs the probability distribution of samples in terms of traffic categories obtained by softmax operation, where the traffic categories are mining traffic and benign traffic, and the output layer is a two-output fully connected layer; based on the probability distribution, the traffic category corresponding to the highest probability is taken as the prediction result of the model.
10. The malicious mining behavior detection device based on content analysis according to claim 6, the device further comprising: The training module is used to train the initial model to obtain the detection model; The training module is also used to adjust the learning rate of the adaptive moment estimation Adam optimizer by linearly restarting the learning rate scheduler; to train the model based on the cross-entropy loss function and to optimize the model by gradient descent, thereby obtaining the detection model.