"One Model Fits All Nodes": Neuron Activation Pattern Analysis-Based Attack Traffic Detection Framework for P2P Networks

Machine learning (ML) based network attack traffic detection is an emerging security paradigm, which is capable of capturing various advanced network attacks according to the features of traffic. When leveraging such promising security application to protect P2P services, particularly distributed cryptocurrency systems, one detection model should be deployed on many nodes to handle various unseen traffic patterns generated by nodes around the world. However, unseen yet benign traffic patterns are commonly classified as attack traffic, and thus trigger massive false-positive (FP) alarms. Unfortunately, the common practice of retraining models to reduce FPs is not salable for large-scale P2P networks, which incurs prohibitive labor efforts of collecting traffic on each node individually. To effectively deploy ML based attack traffic detection systems to protect distributed networks, we present tNeuronthat automatically identifies FPs triggered by unseen traffic via neuron activation pattern analysis, such that it significantly improves the performance on various nodes. Specifically, we construct a shadow model with Transformer encoders to extract the knowledge of traffic patterns. Afterward, we train a model that learns how to classify FPs among alarms raised by ML models according to neuron activation patterns of the shadow model. Our experiments on real Ethereum nodes show that tNeuroncan reduce 83.40% FP for seven state-of-the-art ML based attack detection systems, when detecting 15 kinds of P2P network attacks, thereby significantly improving detection accuracy in nine different metrics. In addition, tNeuronis robust against various adversarial examples constructed by existing evasion attacks. Besides, it achieves real-time detection and is capable of handling massive FPs generated by many nodes in large-scale distributed networks.