Ma Rongkuan,Zheng Hao,Wang Jingyi,Wang Mufeng,Wei Qiang,Wang Qingxian

DOI: https://doi.org/10.1631/fitee.2000709

IF: 2.526

2022-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program tests and intrusion detection. Conventional protocol reverse engineering methods have been proposed which are considered time-consuming, tedious, and error-prone. Recently, automatical protocol reverse engineering methods have been proposed which are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has a low coarse-grained and overly fine-grained match ratio. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).

Li, Chenglong,Xue, Yibo,Dong, Yingfei,Wang, Dongsheng

DOI: https://doi.org/10.1109/TST.2012.6216767

2012-01-01

Abstract:Traffic classification is critical to effective network management. However, more and more proprietary, encrypted, and dynamic protocols make traditional traffic classification methods less effective. A Message and Command Correlation (MCC) method was developed to identify interactive protocols (such as P2P file sharing protocols and Instant Messaging (IM) protocols) by session analyses. Unlike traditional packet-based classification approaches, this method exploits application session information by clustering packets into application messages which are used for further classification. The efficacy and accuracy of the MCC method was evaluated with real world traffic, including P2P file sharing protocols Thunder and Bit-Torrent, and IM protocols QQ and GTalk. The tests show that the false positive rate is less than 3% and the false negative rate is below 8%, and that MCC only needs to check 8.7% of the packets or 0.9% of the traffic. Therefore, this approach has great potential for accurately and quickly discovering new types of interactive application protocols.

Qianli Ma,Wei Huang,Yanliang Jin,Jianhua Mao

DOI: https://doi.org/10.1109/icaibd51990.2021.9459072

2021-01-01

Abstract:Network traffic classification is to classify network traffic into related traffic types, which plays a significant role in network management and network security. It can guarantee the quality of service of the network, and guarantee network security by intercepting malware traffic. The extensive usage of encryption techniques and the continuous update of encryption protocols make encrypted traffic classification become a new challenge. In this paper, we propose an encrypted traffic classification method based on traffic reconstruction, which can achieve encrypted network traffic with high precision. The main idea of this method is to extract the first 500 bytes of the payload as key data, and insert the length threshold identifier in the payload header, thenan one-dimensional convolutional neural network is used to classify the reconstructed traffic. We use the public dataset ISCX VPN-nonVPN and self-collected dataset to verify our proposed method. The experiment results show that our proposed method can achieve encrypted traffic characterization by F1 score of 98.5%, and achieve encrypted traffic application classification by F1 score of 98.91%.

Chen Yang,Zheyuan Gu,Yuhao Wei,Gang Xiong,Gaopeng Gou,Shan Yao,Yang Yu

DOI: https://doi.org/10.1109/ipec61310.2024.00125

2024-01-01

Abstract:Techniques for classifying encrypted traffic typically rely on learning the interaction patterns between communicating parties to determine the traffic category. However, with the widespread application of asymmetric routing mechanisms and link load balancing, a large volume of network equipment cannot observe the complete bidirectional traffic, posing challenges to the deployment of existing methods. In order to solve this problem, research into unidirectional encrypted traffic classification methods has gradually emerged. In this paper, we provide a comprehensive survey of existing unidirectional encrypted traffic classification methods and showcase the latest research progress in this field. Based on how to resolve the contradiction between unidirectional traffic data and model reliance on bidirectional interaction features, we categorize existing methods into three main types: 1) unidirectional feature separation-based methods, 2) unidirectional feature mining-based methods, and 3) pairwise feature prediction-based methods. This paper details the characteristics of each method and discusses their advantages and disadvantages. We hope our work will draw researchers’ attention to the real-world network environment, thereby better promoting the development of the encrypted traffic classification field.

Jun Li,Shunyi Zhang,Cuilian Li,Junrong Yan

DOI: https://doi.org/10.1002/nem.735

2010-01-01

International Journal of Network Management

Abstract:Accurate and real-time classifi cation of network traffic is significant to a number of network operation and management tasks such as quality of service differentiation, traffic shaping and security surveillance. However, with emerging P2P applications using dynamic port numbers, IP masquerading techniques and payload encryption, accurate and intelligent traffic classification continues to be a big challenge despite a wide range of research work on the topic. Since each classification method has its disadvantages and hardly could meet the specific requirement of Internet traffic classification, this paper innovatively presents a composite traffic classification system. The proposed lightweight system can accurately and effectively identify Internet traffic with good scalability to accommodate both known and unknown/encrypted applications. Furthermore, It promises to satisfy various Internet uses and is feasible for use in real-time line speed applications. Our experimental results show the distinct advantages of the proposed classification system.

Dawei Wang,Luoshi Zhang,Zhenlon Yuan,Yibo Xue,Yinfei Dong

DOI: https://doi.org/10.1109/iccnc.2014.6785298

2014-01-01

Abstract:Network traffic classification is critical to both network management and system security. However, existing traffic classification techniques become less effective as more P2P applications use proprietary protocols for delivery and encryption. Especially, current techniques usually focus on individual flows and do not consider all flows associated with an application together. To address this issue, this paper proposes a novel Application Behavior Characterization (ABC) technique. We design a novel application behavior feature extracting method and an effective classification algorithm, which explore the correlation of multiple flows of a specific application. We evaluate the proposed method with real network traffic. The experimental results show that it can correctly identify flows belonging to a set of known P2P applications (such as Skype, Thunder, and PPTV) with a probability over 90%. Moreover, it can further identify the particular application that a flow belongs to with a precision of 90% on average. More information about implementing and deploying ABC can be found in a technical report [10].

Guang-Lu Sun,Yibo Xue,Yingfei Dong,Dongsheng Wang,Chenglong Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5683649

2010-01-01

Abstract:Classifying encrypted traffic is critical to effective network analysis and management. While traditional payload- based methods are powerless to deal with encrypted traffic, machine learning methods have been proposed to address this issue. However, these methods often bring heavy overhead into the system. In this paper, we propose a hybrid method that combines signature-based methods and statistical analysis methods to address this issue. We first identify SSL/TLS traffic with signature matching methods, and then apply statistical analysis to determine concrete application protocols. Our experimental results show that the proposed method is able to recognize over 99% of SSL/TLS traffic and achieve 94.52% in F-score for protocols identification.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1109/glocom.2008.ecp.475

2008-01-01

Abstract:Accurate and fast identification of network traffic is an important element of many network management tasks such as QoS provisioning and security monitoring. However, as many newly-emerged Peer-to-Peer (P2P) applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, the classical approaches based on port mapping and payload analysis are ineffective. An alternative approach is to classify traffic by distinguishing the behavior of an application within the first few packets of TCP connection. We pursue this approach and demonstrate that information of few packets is enough to effectively identify P2P traffic. In our work, C4.5 decision tree and REPTree are evaluated and compared with the previously used clustering method K-Means. Experimental results show that our approaches outperform K- Means algorithm in accuracy. In addition, the proposed approaches can accommodate known and unknown P2P traffic and even encrypted traffic in fast and accurate way, which ensures the real-time applications on the Internet traffic surveillance and QoS provisioning.

Yige Chen,Tianning Zang,Yongzheng Zhang,Yuan Zhouz,Yipeng Wang,Yuan Zhou

DOI: https://doi.org/10.1109/icnp.2019.8888043

2019-10-01

Abstract:With the unprecedented prevalence of mobile network applications, cryptographic protocols, such as the Secure Socket Layer/Transport Layer Security (SSL/TLS), are widely used in mobile network applications for communication security. The proven methods for encrypted video stream classification or encrypted protocol detection are unsuitable for the SSL/TLS traffic. Consequently, application-level traffic classification based networking and security services are facing severe challenges in effectiveness. Existing encrypted traffic classification methods exhibit unsatisfying accuracy for applications with similar state characteristics. In this paper, we propose a multiple-attribute-based encrypted traffic classification system named Multi-Attribute Associated Fingerprints (MAAF). We develop MAAF based on the two key insights that the DNS traces generated during the application runtime contain classification guidance information and that the handshake certificates in the encrypted flows can provide classification clues. Apart from the exploitation of key insights, MAAF employs the context of the encrypted traffic to overcome the attribute-lacking problem during the classification. Our experimental results demonstrate that MAAF achieves 98.69% accuracy on the real-world traceset that consists of 16 applications, supports the early prediction, and is robust to the scale of the training traceset. Besides, MAAF is superior to the state-of-the-art methods in terms of both accuracy and robustness.

Pengcheng Luo,Jian Chu,Genke Yang

DOI: https://doi.org/10.1016/j.jisa.2023.103519

IF: 4.96

2023-01-01

Journal of Information Security and Applications

Abstract:As the importance of personal data privacy increases, traffic encryption has become an important topic in network communication. In the field of network security and management, the development of encrypted traffic classification technology has drawn attention to deep learning methods. For raw encrypted traffic, deep learning models can realize end-to-end classification with high accuracy. However, deep learning methods do not explain which part of the encrypted traffic is critical to classification, and that will limit their application in some cyber security scenarios that demand high interpretability. The approach proposed in this paper features a novel feature engineering method named "BITization"to determine the encoding method of features and a sliding window technique to explore which bytes contribute the most to the classification. The accuracy of classical machine learning methods in encrypted traffic is improved by at least 14.1% through the proposed feature engineering approach. In the experiments, the enhanced methods achieve a 98.6% average accuracy and a 98.5% average F1-score on the ISCX-VPN-Service, Cross-Platform-IOS, Cross-Platform-Android, and USTC-TFC2016 datasets, from which we believe a state-of-the-art performance is achieved.

Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Chang Liu,Gang Xiong,Gaopeng Gou,Siu-Ming Yiu,Zhen Li,Zhihong Tian

DOI: https://doi.org/10.1007/s11280-021-00940-0

2021-10-07

World Wide Web

Abstract:With the rapid development of Internet, network management and monitoring face a number of challenges, one of which is traffic classification. Meanwhile, SSL/TLS protocols are extensively used to encrypt the communication payloads, which makes traditional rule-based classification methods not applicable. Without fingerprints of sufficient distinguishing power, other existing methods cannot achieve satisfactory performances on encrypted traffic classification. In this paper, we focus on SSL/TLS encrypted traffic, and propose the Adaptive Fingerprint with Multi-level Attributes (AFMA) to classify them. AFMA combines field-level and sequence-level attributes to tackle encrypted traffic classification problem. Specifically, the distribution of server-to-client ciphersuites on applications is first imported to characterize application preferences. Moreover, besides message type sequences, length block sequences are especially designed to highlight the differences in application fingerprints. In addition, AFMA can adaptively learn the distributions for constructing the fingerprint by analyzing the overall statistics of the applications. The performance of AFMA was verified on a real-world dataset of a campus network (with 956,000+ SSL/TLS traffic flows for 18 popular applications). Our experiments show that AFMA could achieve a true positive rate of up to 99.46% and a false positive rate as low as 0.03%, which outperforms the state-of-the-art methods and our previous method.

Siyuan Pan,Yijun Wang,Zhi Xue,Xiang Lin

DOI: https://doi.org/10.3969/j.issn.1000-386x.2018.04.058

2018-01-01

Abstract:With the increasing demand for network security,the requirements for the analysis of remote control Trojan in APT attacks are also constantly increasing.Correspondingly,various methods and tools for analyzing unknown network protocols appear.In this paper,we introduced several existing methods of unknown network protocol reverse,and draw on the advantages of the existing methods.An improved method based on message data Tokenization,multiple sequence alignment and agglomerative hierarchical clustering for APT Trojan network protocol is proposed.

Tangda Yu,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1109/cyberc.2019.00020

2019-01-01

Abstract:In recent years, with the widespread use of encrypted traffic communication technology, network traffic encryption has been gradually becoming a standard of communication. This phenomenon has a great impact on traditional traffic detection methods, especially on anomaly detection methods, which are highly dependent on the type of network protocol types and traffic data. By surveying the existing encrypted traffic classification and analyzing these methods, we found that there are two main methods for detection: payload-based detection and feature-based detection. On this basis, this paper puts forward an Encrypted Malicious Traffic Detection System which is based on multi-AEs(Autoencoder). We use malicious sandbox for traffic data collection, mark malicious flow and normal flow with labels. After that, we use multilayer networks of AEs for feature extraction and training classifier model. Our system analyzes the feature of cryptographic protocol from handshake phase to Authentication phase on the basis of existing research, and we extract the traffic feature for a better classification by further expanding flow feature vector to the higher dimensions. In addition, we compared the performance of our model with the traditional learning model under the same environment. The experimental results showed that our system had higher detection accuracy and lower loss rate. We also studied the influence of dataset imbalance on results in the detection of encrypted traffic by several experiments. According to the experimental evaluation, dataset imbalance will lead to the decrease of positive rate.

Chong Xiang,Qingrong Chen,Minhui Xue,Haojin Zhu

DOI: https://doi.org/10.1109/GLOCOM.2018.8647508

2018-01-01

Abstract:As smart phones gradually become the dominant network traffic generators, app traffic analysis methods have gained great interests for network management and targeted advertisement. Specifically, previous works have shown that the scalability of app inference via traffic meta-data has the edge over traditional payload based analysis. However, such works mainly considered the ideal inference scenario where only one app is running on the client's device, without any background traffic noise interfered. In this paper, we extend the research to a more practical scenario, by assuming that multiple apps simultaneously run on a smart phone in the noisy background with complex traffic generated by the operating system. To that end, we propose APPCLASSIFIER, an Android app fingerprinting scheme for real-time app inference. We first leverage the observed differences in packet size distributions and traffic sequential behaviors to boost inference accuracy for noise-free traffic analysis. We then propose novel heuristic based methods to re-correct mislabeled traffic flows to realize real-time traffic inference. As a result, APPCLASSIFIER achieves inference accuracy of 823% for noise-free traffic analysis and reduces error rate from 66.7% to 36.4% for real-time traffic inference.

Ibrahim A. Alwhbi,Cliff C. Zou,Reem N. Alharbi

DOI: https://doi.org/10.3390/s24113509

IF: 3.9

2024-05-31

Sensors

Abstract:Encryption is a fundamental security measure to safeguard data during transmission to ensure confidentiality while at the same time posing a great challenge for traditional packet and traffic inspection. In response to the proliferation of diverse network traffic patterns from Internet-of-Things devices, websites, and mobile applications, understanding and classifying encrypted traffic are crucial for network administrators, cybersecurity professionals, and policy enforcement entities. This paper presents a comprehensive survey of recent advancements in machine-learning-driven encrypted traffic analysis and classification. The primary goals of our survey are two-fold: First, we present the overall procedure and provide a detailed explanation of utilizing machine learning in analyzing and classifying encrypted network traffic. Second, we review state-of-the-art techniques and methodologies in traffic analysis. Our aim is to provide insights into current practices and future directions in encrypted traffic analysis and classification, especially machine-learning-based analysis.

engineering, electrical & electronic,instruments & instrumentation,chemistry, analytical

Boyu Sun,Wenyuan Yang,Mengqi Yan,Dehao Wu,Yuesheng Zhu,Zhiqiang Bai

DOI: https://doi.org/10.1109/ipccc50635.2020.9391542

2020-01-01

Abstract:The increase in the source and size of encrypted network traffic brings significant challenges for network traffic analysis. The challenging problem in the encrypted traffic classification field is obtaining high classification accuracy with small number of labeled samples. To solve this problem, we propose a novel encryption traffic classification method that learns the feature representation from the traffic structure and the traffic flow data in this paper. We construct a K-Nearest Neighbor (KNN) traffic graph to represent the structure of traffic data, which contains more similarity information about the traffic. We utilize a two-layer Graph Convolutional Network (GCN) architecture for flows feature extraction and encrypted traffic classification. We further use the autoencoder to learn the representation of the flow data itself and integrate it into the GCN-learned representation to form a more complete feature representation. The proposed method leverages the benefits of the GCN and the autoencoder, which can obtain higher classification performance with only very few labeled data. The experimental results on two public datasets demonstrate that our method achieves impressive results compared to the state-of-the-art competitors.

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Weina Niu,Zhongliu Zhuo,Xiaosong Zhang,Xiaojiang Du,Guowu Yang,Mohsen Guizani

DOI: https://doi.org/10.1109/tvt.2019.2894290

IF: 6.8

2019-01-01

IEEE Transactions on Vehicular Technology

Abstract:In recent years, malware with strong concealment uses encrypted protocol to evade detection. Thus, encrypted traffic identification can help security analysts to be more effective in narrowing down those encrypted network traffic. Existing methods are protocol independent, such as statistical-based and machine-learning- based approaches. Statistical-based approaches, however, are confined to payload length and machine-learning-based approaches have a low recognition rate for encrypted traffic using undisclosed protocols. In this paper, we proposed a heuristic statistical testing (HST) approach that combines both statistics and machine learning and has been proved to alleviate their respective deficiencies. We manually selected four randomness tests to extract small payload features for machine learning to improve real-time performances. We also proposed a simple handshake skipping method called HST-R to increase the classification accuracy. We compared our approach with other identification approaches on a testing dataset consisting of traffic that uses two known, two undisclosed, and one custom cryptographic protocols. Experimental results showed that HST-R performs better than other traditional coding-based, entropy-based, and ML-based approaches. We also showed that our handshake skipping method could generalize better for unknown cryptographic protocols. Finally, we also conducted experimental comparisons among different classification algorithms. The results showed that C4.5, with our method, has the highest identification accuracy for secure sockets layer and secure shell traffic.