Ming Liu,Qichao Yang,Wenqing Wang,Shengli Liu

DOI: https://doi.org/10.3390/s24206507

IF: 3.9

2024-10-11

Sensors

Abstract:The exponential growth of encrypted network traffic poses significant challenges for detecting malicious activities online. The scale of emerging malicious traffic is significantly smaller than that of normal traffic, and the imbalanced data distribution poses challenges for detection. However, most existing methods rely on single-category features for classification, which struggle to detect covert malicious traffic behaviors. In this paper, we introduce a novel semi-supervised approach to identify malicious traffic by leveraging multimodal traffic characteristics. By integrating the sequence and topological information inherent in the traffic, we achieve a multifaceted representation of encrypted traffic. We design two independent neural networks to learn the corresponding sequence and topological features from the traffic. This dual-feature extraction enhances the model's robustness in detecting anomalies within encrypted traffic. The model is trained using a joint strategy that minimizes both the reconstruction error from the autoencoder and the classification loss, allowing it to effectively utilize limited labeled data alongside a large amount of unlabeled data. A confidence-estimation module enhances the classifier's ability to detect unknown attacks. Finally, our method is evaluated on two benchmark datasets, UNSW-NB15 and CICIDS2017, under various scenarios, including different training set label ratios and the presence of unknown attacks. Our model outperforms other models by 3.49% and 5.69% in F1 score at labeling rates of 1% and 0.1%, respectively.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Xiang Luo,Chang Liu,Gaopeng Gou,Gang Xiong,Zhen Li,Binxing Fang

DOI: https://doi.org/10.1007/s11432-023-4010-4

2024-01-01

Science China Information Sciences

Abstract:Accurate identification of malicious traffic is crucial for implementing effective defense counter-measures and has led to extensive research efforts. However, the continuously evolving techniques employed by adversaries have introduced the issues of concept drift, which significantly affects the performance of existing methods. To tackle this challenge, some researchers have focused on improving the separability of malicious traffic representation and designing drift detectors to reduce the number of false positives. Nevertheless, these methods often overlook the importance of enhancing the generalization and intraclass consistency in the representation. Additionally, the detectors are not sufficiently sensitive to the variations among different malicious traffic classes, which results in poor performance and limited robustness. In this paper, we propose intraclass consistency enhanced variational autoencoder with Class-Perception detector (ICE-CP) to identify malicious traffic under concept drift. It comprises two key modules during training: intraclass consistency enhanced (ICE) representation learning and Class-Perception (CP) detector construction. In the first module, we employ a variational autoencoder (VAE) in conjunction with Kullback-Leibler (KL)-divergence and cross-entropy loss to model the distribution of each input malicious traffic flow. This approach simultaneously enhances the generalization, interclass consistency, and intraclass differences in the learned representation. Consequently, we obtain a compact representation and a trained classifier for non-drifting malicious traffic. In the second module, we design the CP detector, which generates a centroid and threshold for each malicious traffic class separately based on the learned representation, depicting the boundaries between drifting and non-drifting malicious traffic. During testing, we utilize the trained classifier to predict malicious traffic classes for the testing samples. Then, we use the CP detector to detect the potential drifting samples using the centroid and threshold defined for each class. We evaluate ICE-CP and some advanced methods on various real-world malicious traffic datasets. The results show that our method outperforms others in identifying malicious traffic and detecting potential drifting samples, demonstrating outstanding robustness among different concept drift settings.

Lixin Zhao,Lijun Cai,Aimin Yu,Zhen Xu,Dan Meng

DOI: https://doi.org/10.1007/978-3-030-41579-2_1

2019-01-01

Abstract:Automated malware classification using deep learning techniques has been widely researched in recent years. However, existing studies addressing this problem are always based on the assumption of closed world, where all the categories are known and fixed. Thus, they lack robustness and do not have the ability to recognize novel malware instances. In this paper, we propose a prototype-based approach to perform robust malware traffic classification with novel class detection. We design a new objective function where a distance based cross entropy (DCE) loss term and a metric regularization (MR) term are included. The DCE term ensures the discrimination of different classes, and the MR term improves the within-class compactness and expands the between-class separateness in the deeply learned feature space, which enables the robustness of novel class detection. Extensive experiments have been conducted on datasets with real malware traffic. The experimental results demonstrate that our proposed approach outperforms the existing methods and achieves state-of-the-art results.

Candong Rong,Gaopeng Gou,Mingxin Cui,Gang Xiong,Zhen Li,Li Guo

DOI: https://doi.org/10.1109/ISCC50000.2020.9219609

2020-01-01

Abstract:Malicious events pose a significant threat to the current increasingly interconnected Internet community. Detection based on features of network traffic and machine learning algorithms is a common approach to identify malicious events. The performance of approaches is associated with the used features and algorithms. In this paper, we propose MalFinder, an ensemble learning-based framework for malicious traffic detection. Considering the trend of network traffic encryption and the complexity of decrypting traffic, we utilize statistical features and sequence features to describe network traffic. We extend the dimensions of these two types of features to enhance their capability for representing traffic data. Feature importance analysis and contrast experiments illustrate the effectiveness of our new features. Among our selected classifiers suitable for malicious traffic detection, boosting-based classifiers XGBoost and LightGBM can reduce bias, and bagging-based classifier Random Forest can reduce variance. Stacking, which is the integration method of the classification results used in our framework, can improve the generalization ability of the method. MalFinder can achieve 96.58% F-measure and 95.44% accuracy in the malicious traffic detection task on a real-world dataset, whose results are better than those of comparison methods. In terms of unseen malicious traffic discovery, MalFinder still provides good performance with 93.46% F-measure and 91.04% accuracy, which even surpasses the results in the task of known malicious traffic detection of other comparative methods. With consideration of the scarcity of public data sets used for malicious traffic detection, we have exposed our self-built dataset for more extensive researches.

Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

Xixi Zhang,Qin Wang,Maoyang Qin,Yu Wang,Tomoaki Ohtsuki,Bamidele Adebisi,Hikmet Sari,Guan Gui

DOI: https://doi.org/10.1109/tifs.2024.3396624

IF: 7.231

2024-05-14

IEEE Transactions on Information Forensics and Security

Abstract:Malware traffic classification (MTC) is one of the important research topics in the field of cyber security. Existing MTC methods based on deep learning have been developed based on the assumption of enough high-quality samples and powerful computing resources. However, both are hard to obtain in real applications especially in availability of IoT. In this paper, we propose a few-shot MTC (FS-MTC) method combining knowledge transfer and neural architecture search (i.e. NAS-based FS-MTC) with limited training samples as well as acceptable computational resources, in order to mitigate the identified challenges. Specifically, our proposed method first converts the raw network traffic into traffic images through data pre-processing to serve as input data for the neural network. Second, we use neural architecture search to adaptively search for the effective feature extraction model on the source domain (including Edge-IIoTset, Bot-IoT, and benign USTC-TFC2016). Third, the searched model is pre-trained on source task to achieve the generic feature representation of malware traffic. Finally, we only use few-shot malware traffic samples to fine-tune the pre-trained model to quickly adapt to new types of MTC tasks in realistic network environments. The experimental results show that the proposed NAS-based FS-MTC method has great scalability and classification performance in different FS-MTC tasks, including 5-way K-shot USTC-TFC2016 dataset and 10-way K-shot CIC-IoT dataset. Compared with state-of-the-art methods in the field of malware classification, the proposed NAS-based FS-MTC has higher classification accuracy. Especially in the 1-shot case of the USTC-TFC2016 dataset, its average accuracy is as high as 86.91%.

computer science, theory & methods,engineering, electrical & electronic

Li,Fei,Xie,Li,Jiang,Wang,Qi

DOI: https://doi.org/10.3390/electronics12020323

IF: 2.9

2023-01-09

Electronics

Abstract:Existing machine learning-based malware traffic recognition techniques can effectively detect abnormal behaviors in the network. However, almost all of them focus on a closed-set scenario in which the data used for training and testing come from the same label space. Since sophisticated malware and advanced persistent threats are evolving, it is impossible to exhaust all attacks to train a complete recognition model under the existing technical conditions. Therefore, recognition in the real network is an open-set problem, i.e., the recognition system should identify unknown and unseen attacks at test time. In this paper, we propose an uncertainty-aware method to identify known malicious traffic accurately and handle unknown traffic effectively. This method employs predictive uncertainty in deep learning as an indicator for unknown class detection. The predictive uncertainty represents the confidence in neural network predictions. In particular, the Deep Evidence Malware Traffic Recognition (DEMTR) model is presented to provide the multi-classification probability and predictive uncertainty in open-set scenarios using evidential deep learning. We demonstrate the performance of DEMTR on the MCFP dataset. Experimental results indicate that the proposed model outperforms the baseline methods in accuracy and F1-score.

engineering, electrical & electronic,computer science, information systems,physics, applied

Jinhui Ning,Yu Wang,Jie Yang,Haris Gacanin,Song Ci

DOI: https://doi.org/10.1109/vtc2021-fall52928.2021.9625438

2021-01-01

Abstract:Malware traffic classification (MTC) is a key technology for solving anomaly detection and intrusion detection problems. And hence it plays an important role in the field of network security. Traditional MTC methods based on port, payload and statistic depend on the manual-designed features, which have low accuracy. Recently, deep learning methods have attracted significant attention due to their high accuracy in terms of classification. However, in practical application scenarios, deep learning methods require a large amount of labeled samples for training, while the available labeled samples for training are very rare. Furthermore, the preparation of a large amount of labeled samples requires a lot of labor costs. To solve these problems, this paper proposes two methods based on semi-supervised learning (SSL) and transfer learning (TL), respectively. Our proposed methods use a large amount of unlabeled data collected in the Internet traffic, which can greatly improve the accuracy classification with few labeled samples. Through experiments, we obtained the best method to improve the accuracy of few labeled samples in different situations. Experiment results show that our proposed methods can satisfy the requirement of MTC in the case of few labeled samples.

Zequn Niu,Jingfeng Xue,Dacheng Qu,Yong Wang,Jun Zheng,Hongfei Zhu

DOI: https://doi.org/10.1016/j.ins.2022.04.018

IF: 8.1

2022-01-01

Information Sciences

Abstract:The continuous emergence of new malware has been a severe threat to Industrial Internet of Things (IIoT), while identifying malware through detecting malicious traffic in encrypted, drift, and imbalanced traffic streams is a challenge. This paper proposes an approach based on adaptive online analysis to accurately determine the families of malware by analyzing traffic streams which are encrypted, drift, and imbalanced. This approach is based on Improved Adaptive Random Forests (IARF), to obtain the ability of adaptive update of parameters when processing new types of malware traffic in traffic streams and being sensitive to families of malware with few samples in imbalanced traffic. We build a prototype of this approach and evaluate the performance through experiments. The experiments are based on a mixed dataset composed of data from malware-traffic-analysis.net, Lastline Inc, MCFP dataset, and CTU-13 dataset. In addition, our approach is also compared with three state-of-the-art methods. The results of the experiments show that we have obtained a 99.66% F1-score in the classification of malware families, and our classifier also performs better than the other classifiers.

Xiaochun Yun,Jiang Xie,Shuhao Li,Yongzheng Zhang,Peishuai Sun

DOI: https://doi.org/10.1016/j.cose.2022.102834

2023-09-07

Abstract:Malicious communication behavior is the network communication behavior generated by malware (bot-net, spyware, etc.) after victim devices are infected. Experienced adversaries often hide malicious information in HTTP traffic to evade detection. However, related detection methods have inadequate generalization ability because they are usually based on artificial feature engineering and outmoded datasets. In this paper, we propose an HTTP-based Malicious Communication traffic Detection Model (HMCD-Model) based on generated adversarial flows and hierarchical traffic features. HMCD-Model consists of two parts. The first is a generation algorithm based on WGAN-GP to generate HTTP-based malicious communication traffic for data enhancement. The second is a hybrid neural network based on CNN and LSTM to extract hierarchical spatial-temporal features of traffic. In addition, we collect and publish a dataset, HMCT-2020, which consists of large-scale malicious and benign traffic during three years (2018-2020). Taking the data in HMCT-2020(18) as the training set and the data in other datasets as the test set, the experimental results show that the HMCD-Model can effectively detect unknown HTTP-based malicious communication traffic. It can reach F1 = 98.66% in the dataset HMCT-2020(19-20), F1 = 90.69% in the public dataset CIC-IDS-2017, and F1 = 83.66% in the real traffic, which is 20+% higher than other representative methods on average. This validates that HMCD-Model has the ability to discover unknown HTTP-based malicious communication behavior.

Cryptography and Security,Networking and Internet Architecture

Mingxing Li,Xuyan Song,Jingling Zhao,Baojiang Cui

DOI: https://doi.org/10.1109/iccc56324.2022.10065869

2022-01-01

Abstract:Encryption protocols can protect personal privacy, but attackers can also use it to evade detection by intrusion detection systems. If an intrusion detection system can identify the malware family class to which the encrypted malicious traffic belongs, it can take targeted measures to mitigate the damage. Traditional payload-based methods are no longer effective for encrypted malicious traffic classification, while deep learning-based methods have made some progress. In this paper, we propose a hybrid deep learning model TCMal, which consists of two sub-networks: T-net and C-net. T-net can be unsupervised pre-trained through transformer for representation learning of raw packets, while C-net for flow-level feature extraction through convolutional neural network. The experimental results show that TCMal outperforms the other four models and a control group model on all three datasets(the average F1-Score is 91.71%, 95.56%, and 91.92% on the three datasets, 2.8%, 3.51%, and 5.66% higher than the second place model, respectively). TCMal also proves the feasibility of transformer in encrypted malicious traffic classification.

Xueying Han,Song Liu,Junrong Liu,Bo Jiang,Zhigang Lu,Baoxu Liu

DOI: https://doi.org/10.1109/tifs.2024.3426304

IF: 7.231

2024-07-20

IEEE Transactions on Information Forensics and Security

Abstract:Malicious traffic detection in the real world faces the challenge of dealing with a diverse mix of known, unknown, and variant malicious traffic, requiring methods that are accurate, generalizable, and reliable for identifying both known and emerging threats. However, existing methods are unable to fully meet these requirements. Supervised methods can accurately detect known malicious traffic, but their performance declines significantly when encountering unknown attacks. Additionally, the misclassification is usually silent, leading to doubts about the reliability and practicality. Unsupervised methods can deal with unknown attacks, but their high false positive rate and inability to utilize the knowledge of existing attack data constitute obvious shortcomings. To overcome these limitations, we propose ECNet, an end-to-end robust malicious network traffic detection method. Particularly, ECNet incorporates multi-view features, including content and pattern features, and employs a gated-based feature fusion approach, providing an efficient and robust representation. Moreover, ECNet introduces a confidence mechanism and combines category probability and confidence values during training and detection; therefore, it can accurately detect both known and unknown malicious traffic while ensuring the credibility of results. To validate the performance of ECNet, we conduct comprehensive experiments on six reorganized datasets and compare ECNet with seven state-of-the-art methods. The results demonstrate that ECNet outperforms others, particularly showing significant improvements in detecting unknown attacks, with up to a 14.15% increase in F1 compared to the best-performing method.

computer science, theory & methods,engineering, electrical & electronic

Chaopeng Li,Jinlin Wang,Xiaozhou Ye

DOI: https://doi.org/10.14704/nq.2018.16.5.1391

2018-01-01

NeuroQuantology

Abstract:In the studies of intrusion detection/prevention systems (IDS/IPS) and network security situational awareness, malicious traffic detection has been given significantly more attention to prevent malicious traffic. Meanwhile, with the development of machine learning technology, an increasing number of algorithms and models have been employed for attack detection. Previous studies generally used common and typical machine learning models such as SVM, KNN, or a random forest. However, the bottleneck of these types of approaches is two-fold. The input of the model is constructed using the feature engineering method of artificially designed representation, which requires a substantial amounts expertise. Additionally, most detection methods ignore the temporal information between network packets in one micro-flow. In this paper, we regard malicious traffic detection as a classification task and propose a hybrid model that combines a recurrent neural network (RNN) with restricted Boltzmann machines (RBM) which take byte-level raw data as input without feature engineering. Specifically, distributed embedding is utilized to pre-process network data to make it more suitable for deep neural network models. Subsequently, an RBM model is used to extract the feature vectors of the network packets and an RNN model is used to extract the flow feature vector. Finally, the flow vectors are sent to the Softmax layer to obtain the detection result. Experiments based on the ISCX-2012 and DARPA-1998 published datasets show that our proposed RNN-RBM model has a greater detection accuracy, recall rate, and lower false alarm rate than most traditional machine learning models. This proves the effectiveness of the proposed RNN-RBM model in malicious traffic detection.

R. E. Davis,Jingsheng Xu,Kaushik Roy

DOI: https://doi.org/10.1109/access.2024.3391022

IF: 3.9

2024-04-30

IEEE Access

Abstract:Network traffic classification plays a crucial role in detecting malware threats. However, most existing research focuses on extracting statistical features from the network traffic, ignoring the rich information contained within raw packet capture (pcap) files. To achieve higher accuracy in malware traffic classification, a novel approach is proposed that fully utilizes the information contained in the pcap files by representing them with images and then training deep Convolutional Neural Networks (CNN) to learn the features automatically and classify them with higher accuracy. Selected fields of the IP headers in network sessions are transformed into RGB images. These images serve as input to CNN, and malware samples are grouped by class or malware name. The model is initially trained and validated on the MCFP dataset with more than 140 malware classes and subsequently tested on separate datasets, namely USTC-TFC2016, Taltech.ee MedBIoT, and IEEE-Mirai. The macro F1 scores and accuracy of this method are significantly higher than the baseline statistical-feature based approach both in the validation dataset and in the test datasets from different sources. The results of this research have the potential to be extended beyond malware classification to enable the classification of various types of network traffic data.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jiayong Liu,Zhiyi Tian,RongFeng Zheng,Liang Liu

DOI: https://doi.org/10.1109/access.2019.2930717

IF: 3.9

2019-01-01

IEEE Access

Abstract:The popularity of encryption method brings a great challenge to malware traffic identification. Traditional classes defined by expert experience are usually classified based on the host behaviors of malware, such as banking malware or ransomware, which are often irrelevant to its communication traffic behaviors. It leads to the fact that the boundaries of traffic feature dataset of different malware classes are fuzzy and make these traditional classes unhelpful for classification based on traffic features. Meanwhile, traditional machine learning-based encrypted malware traffic identification methods, such as using the multi-classification supervised learning model, are inefficient both in model training and detection, and its detection accuracy cannot meet the demand. In this paper, we propose a distance-based method, which utilizes unsupervised learning algorithm Gaussian mixture model (GMM) and ordering points to identify the clustering structure (OPTICS) to calculate the Distance between malwares and make use of the Distance to define the new malware class called FClass. Then, a set of models are trained by XGBoost algorithm to build an identification framework based on the FClass. The performance of the proposed method has been evaluated by comparing it with the other four methods. The results show that the proposed distance-based method is more efficient and accurate.

Weisha Zhang,Jiajia Liu,Jimin Peng,Qiang Liu,Kun Yu

DOI: https://doi.org/10.3389/fphy.2024.1350117

IF: 3.718

2024-04-23

Frontiers in Physics

Abstract:In recent years, a surge in malicious network incidents and instances of network information theft has taken place, with malware identified as the primary culprit. The primary objective of malware is to disrupt the normal functioning of computers and networks, all the while surreptitiously gathering users' private and sensitive information. The formidable concealment and latency capabilities of malware pose significant challenges to its detection. In light of the operational characteristics of malware, this paper conducts an initial analysis of prevailing malware detection schemes. Subsequently, it extracts fuzzy features based on the distinct characteristics of malware traffic. The approach then integrates traffic detection techniques with Type II fuzzy recognition theory to effectively monitor malware-related traffic. Finally, the paper classifies the identified malware instances according to fuzzy association rules. Experimental results showcase that the proposed method achieves a detection accuracy exceeding 90%, with a remarkably low false alarm rate of approximately 5%. This method adeptly addresses the challenges associated with malware detection, thereby making a meaningful contribution to enhancing our country's cybersecurity.

physics, multidisciplinary

Gonzalo Marín,Pedro Casas,Germán Capdehourat

DOI: https://doi.org/10.48550/arXiv.2003.04079

2020-03-11

Abstract:Robust network security systems are essential to prevent and mitigate the harming effects of the ever-growing occurrence of network attacks. In recent years, machine learning-based systems have gain popularity for network security applications, usually considering the application of shallow models, which rely on the careful engineering of expert, handcrafted input features. The main limitation of this approach is that handcrafted features can fail to perform well under different scenarios and types of attacks. Deep Learning (DL) models can solve this limitation using their ability to learn feature representations from raw, non-processed data. In this paper we explore the power of DL models on the specific problem of detection and classification of malware network traffic. As a major advantage with respect to the state of the art, we consider raw measurements coming directly from the stream of monitored bytes as input to the proposed models, and evaluate different raw-traffic feature representations, including packet and flow-level ones. We introduce DeepMAL, a DL model which is able to capture the underlying statistics of malicious traffic, without any sort of expert handcrafted features. Using publicly available traffic traces containing different families of malware traffic, we show that DeepMAL can detect and classify malware flows with high accuracy, outperforming traditional, shallow-like models.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Hongyu Liu,Bo Lang

DOI: https://doi.org/10.1109/lcn52139.2021.9525009

2021-01-01

Abstract:At present, private protocols are widely used on the Internet. As a result, traditional traffic classification methods including port-based and DPI methods have become restricted. Existing machine learning-based methods depend on feature engineering, which makes feature design difficult. In addition, classification models can only classify data as predefined categories, which restricts the models when they are used to detect unknown protocol traffic. To address the above problems, we propose a two-stage traffic classification method combining a CNN model and a density-based clustering algorithm, which can classify known protocol traffic and detect arbitrary kinds of unknown protocol traffic simultaneously. We conducted sufficient experiments on the Information Security Centre of Excellence (ISCX) VPN-nonVPN and Defense Advanced Research Projects Agency (DARPA) 1998 datasets, and the accuracies on the test sets containing known and unknown protocol traffic achieved 97.03% and 98.50%, respectively, which are superior to other studies.

Maoli Wang,Bowen Zhang,Xiaodong Zang,Kang Wang,Xu Ma

DOI: https://doi.org/10.3390/math11183951

IF: 2.4

2023-09-18

Mathematics

Abstract:The proliferation of smart devices in the 5G era of industrial IoT (IIoT) produces significant traffic data, some of which is encrypted malicious traffic, creating a significant problem for malicious traffic detection. Malicious traffic classification is one of the most efficient techniques for detecting malicious traffic. Although it is a labor-intensive and time-consuming process to gather large labeled datasets, the majority of prior studies on the classification of malicious traffic use supervised learning approaches and provide decent classification results when a substantial quantity of labeled data is available. This paper proposes a semi-supervised learning approach for classifying malicious IIoT traffic. The approach utilizes the encoder–decoder model framework to classify the traffic, even with a limited amount of labeled data available. We sample and normalize the data during the data-processing stage. In the semi-supervised model-building stage, we first pre-train a model on a large unlabeled dataset. Subsequently, we transfer the learned weights to a new model, which is then retrained using a small labeled dataset. We also offer an edge intelligence model that considers aspects such as computation latency, transmission latency, and privacy protection to improve the model's performance. To achieve the lowest total latency and to reduce the risk of privacy leakage, we first create latency and privacy-protection models for each local, edge, and cloud. Then, we optimize the total latency and overall privacy level. In the study of IIoT malicious traffic classification, experimental results demonstrate that our method reduces the model training and classification time with 97.55% accuracy; moreover, our approach boosts the privacy-protection factor.

mathematics

Zhicheng Liu,Shuhao Li,Yongzheng Zhang,Xiaochun Yun,Zhenyu Cheng

DOI: https://doi.org/10.1109/iscc50000.2020.9219561

2020-01-01

Abstract:With the booming of malware-based cyber-security incidents and the sophistication of attacks, previous detections based on malware sample analysis appear powerless due to time-consuming and labor-intensive analysis process. The existing detection methods based on traffic analysis rely heavily on the available traffic patterns, which hinder detecting the zero-day attacks caused by malware variants. In this paper, we propose an approach based on deep learning referred to as TrafficGAN, which analyzes (HTTP) traffic sessions to distinguish between malware-related and normal traffic. We first try to explore traffic patterns of malware variants by adding noise and category condition to the Generative Adversarial Networks (GAN), thus generating various similar but slightly different traffic. And then, we use discriminative model to seek the deviation between abnormal traffic and normal traffic by extracting the essential difference. Notablely, we increase the diversity of data by generating samples adversarially, which enhances the robustness of the system to detect zero-day attacks and highlights the lack of sensitive data in the security community. We conduct extensive experiments on the public dataset and our data collected for specific targets. The results demonstrate that our method achieves superior performance to other methods and protects specific targets from the susceptibility of malware.