As network environments continue to expand, the Zero Trust Architecture (ZTA) has become a fundamental security paradigm, while the Software-Defined Perimeter (SDP) mitigates external attack surfaces through its “authenticate-before-connect” principle. However, SDP’s Single Packet Authorization (SPA) performs only a one-time verification prior to connection establishment, leaving it unable to detect malicious activities or DDoS attacks that may occur after authorization. This limitation is a structural security gap in SDP and highlights the need for behavior-based continuous monitoring within SDP-protected systems.

Behavioral detection typically relies on machine learning models. Yet IoT network traffic is characterized by high dimensionality, variability, and sensitivity to noise, which can degrade classifier performance when redundant or irrelevant features are present. Consequently, an effective feature selection mechanism is essential to identify the most discriminative features and improve both detection accuracy and robustness.

Based on this motivation, this study proposes a wrapper-based feature selection method that integrates the Grey Wolf Optimizer (GWO) with LightGBM. The method explores the high-dimensional feature space to identify discriminative feature subsets and constructs a malicious traffic detection model that enhances SDP’s post-authorization visibility. Experiments conducted on the CIC-IoT-2023 dataset under various noise conditions demonstrate that the proposed method achieves more accurate and consistent DDoS detection performance compared with several baseline approaches.