ZHANG Guo-qiang,XU Yong-qing,YANG Xiao-hu

2006-01-01

Journal of Computer Applications

Abstract:TCP(Transmission Control Protocol) is a widely used reliable transmission protocol,and it is designed on such assumption that most packet losses are caused by congestion.But in wireless networks,packets are lost usually because of bit-errors,which causes dramatic performance declining.Many current methods to improve TCP performance over wireless networks are TCP-aware.This paper proposed an alternative "TCP-unaware" scheme that is suitable for encrypted TCP traffic.It makes TCP source be capable of differentiating a loss due to congestion in the wired network from a loss due to bit-errors in wireless networks.Simulation results show that the scheme can improve TCP performance significantly in both LAN(Local Area Network) and WAN(Wide Area Network).

Changxing Liu,Guanglu Sun,Yibo Xue

2012-01-01

Abstract:More and more Internet applications transmit data with encrypted protocols, so how to identify network traffic which use encrypted protocols is very important to network control and management. However, traditional traffic identification methods, such as port-based, payload-based and statistic-based methods are invalid or inaccurate for most of encrypted protocols. In this paper, we propose a new method (called DRPSD) to identify encrypted traffic which uses SSL/TLS protocol. In DRPSD, we only check the first few packets in a connection, and double record protocol structure is detected in each packet, instead of checking each byte in the packet. The experimental results show that, our method can improve accuracy rate by 20% and identifying speed by 200% in identifying SSL protocol compared with the open source software OpenDPI.

Xiaoyu Ma,Feiyan Chen

DOI: https://doi.org/10.4028/www.scientific.net/amr.433-440.5193

2012-01-01

Advanced Materials Research

Abstract:The P2P streaming media technology is popular and promising in recent years, to ensure the correctness of the identification method, and improve the identification rate and accuracy of the network traffic, this paper proposes a identification principle and algorithm of the P2P network traffic, and gives the overall structure of the system, Finally, puts up the system test environment. The experimental results show that the identification method of the network traffic proposed in this paper can effectively improve the identification rate and accuracy of the network traffic, the scheme has the value of further research and promotion.

Guang-Lu Sun,Yibo Xue,Yingfei Dong,Dongsheng Wang,Chenglong Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5683649

2010-01-01

Abstract:Classifying encrypted traffic is critical to effective network analysis and management. While traditional payload- based methods are powerless to deal with encrypted traffic, machine learning methods have been proposed to address this issue. However, these methods often bring heavy overhead into the system. In this paper, we propose a hybrid method that combines signature-based methods and statistical analysis methods to address this issue. We first identify SSL/TLS traffic with signature matching methods, and then apply statistical analysis to determine concrete application protocols. Our experimental results show that the proposed method is able to recognize over 99% of SSL/TLS traffic and achieve 94.52% in F-score for protocols identification.

Qianqian Zhang,Chi-Jiun Su

2023-10-11

Abstract:Quick UDP Internet Connection (QUIC) is an emerging end-to-end encrypted, transport-layer protocol, which has been increasingly adopted by popular web services to improve communication security and quality of experience (QoE) towards end-users. However, this tendency makes the traffic analysis more challenging, given the limited information in the QUIC packet header and full encryption on the payload. To address this challenge, a novel rule-based approach is proposed to estimate the application-level traffic attributes without decrypting QUIC packets. Based on the size, timing, and direction information, our proposed algorithm analyzes the associated network traffic to infer the identity of each HTTP request and response pair, as well as the multiplexing feature in each QUIC connection. The inferred HTTP attributes can be used to evaluate the QoE of application-layer services and identify the service categories for traffic classification in the encrypted QUIC connections.

Cryptography and Security

Pinghui Wang,Xiaohong Guan,Tao Qin

DOI: https://doi.org/10.1109/camad.2009.5161471

2009-01-01

Abstract:Peer-to-Peer (P2P) protocol is widely used in many network applications and P2P traffic is becoming dominating in the current Internet and may cause serious congestion. Recently, P2P applications tend to intentionally disguise their traffic flows by using arbitrary ports, which leads the accurate identification of P2P traffic to become a very difficult job and hot research topic in network traffic control. In this paper, we employ the longest common subsequence to identify the key packets from the traffic flows, and present a new method to identify the P2P flows based on the signatures of key packets with only direction and payload length in the first few packets of a flow. We test the new method with four popular P2P applications in the actual network environment and the results show that the new method has high accuracy and efficiency since only a few packets in each flow needs to be analyzed. The new method is suitable for real time traffic management and monitoring.

lan luo,qiong hai dai,chun xiang xu,shao quan jiang

DOI: https://doi.org/10.4028/www.scientific.net/AMM.128-129.637

2012-01-01

Applied Mechanics and Materials

Abstract:The cipher algorithms are categorized by block cipher, stream cipher and HASH, and they are weighed in faithful transmission which is known as independent condition. In faithful transmission, the ciphers are studied because of their root cipher. Intelligent application of ciphers is a direction that uses Bayesian model of cognition science. Bayesian inference is a rational engine for solving such problems within a probabilistic framework, and consequently is the heart of most probabilistic models of weighing the ciphers. The approach of this paper is that ciphers, which are considered as a suitable weight cipher to kinds of networks, are ranged based on root ciphers. This paper shows the other kinds of transformation among the different cipher algorithms themselves.

Ziyu Jiang

DOI: https://doi.org/10.54097/mwyge502

2024-03-13

Abstract:Network traffic identification is crucial for network resource management and improving service quality. Traditional methods, such as port-based and deep packet inspection approaches, face challenges due to the increasing complexity of network environments, privacy concerns, and the emergence of encrypted traffic. This paper aims to address the issues of low accuracy and slow operation speed in encrypted traffic classification while ensuring the protection of user privacy. We propose a data processing method that transforms network traffic into images representing bidirectional flow packet arrival timestamps and packet sizes. By employing this data processing approach and utilizing deep recognition algorithms, the study conducts service analysis on network traffic. Experimental results demonstrate that the bidirectional flow-based image representation method achieves a 90.9% accuracy rate for the traffic analysis task on a TOR-encrypted imbalanced dataset, surpassing the accuracy of the unidirectional flow image method. Furthermore, the method also shows improvements in operation speed, enabling online network traffic detection.

Zhang Luoshi,Xue Yibo,Wang Dawei

DOI: https://doi.org/10.14257/ijfgcn.2015.8.2.16

2015-01-01

International Journal of Future Generation Communication and Networking

Abstract:Due to the wide use of encrypted protocols and random ports, traditional methods that based on port number or packet payload have gradually lose their effectiveness. To address this issue, new methods that based on machine learning techniques become the research hotspots. With many further studies, some research institutions show that ML-based protocol identification methods can generally achieve over 95% accuracy. However, different from most research studies, industry claims that ML-based techniques are hardly to be deployed for practical use due to their high false positives and false negatives. In this paper, different Machine Learning techniques are evaluated for the actual accuracy under different network environments, and a variety of features are tested on different encrypted protocols. The results show that the identification accuracy will go down due to the changed network scale and network environment while the same ML-based models are used under different network environments, and the choices among different Machine Learning techniques, protocol types or statistical features are not critical.

Gaofeng He,Bingfeng Xu,Lu Zhang,Haiting Zhu

DOI: https://doi.org/10.1177/1550147718817292

IF: 1.938

2018-12-01

International Journal of Distributed Sensor Networks

Abstract:Mobile application (simply “app”) identification at a per-flow granularity is vital for traffic engineering, network management, and security practices. However, uncertainty is caused by a growing fraction of encrypted traffic such as Hypertext Transfer Protocol Secure. To address this challenge, we have carefully analyzed mobile app traffic (mainly including Domain Name System, Hypertext Transfer Protocol, and encrypted traffic such as Secure Sockets Layer and Transport Layer Security) and observed that (1) the sets of server hostnames queried by different apps are distinguishable; (2) mobile apps may query multiple server hostnames simultaneously, that is, apps may send several Domain Name System lookups within a short time interval; and (3) the encrypted traffic may be similar to various other network flows generated by the same app. Based on these three observations, in this article, we propose a novel app identification methodology for encrypted network flows. To be specific, temporal, lexical, and metadata similarity are investigated to select correlated traffic and information retrieving techniques are adopted to identify apps. We ran a thorough set of experiments to assess the performance of the proposed approaches. The experimental results show that the identification accuracy can be as high as 95%, and the proposed methods have low storage requirements as well as fast training speeds.

computer science, information systems,telecommunications

ZHANG Xinyu,ZHANG Bingsheng,MENG Quanrun,REN Kui

DOI: https://doi.org/10.11959/j.issn.2096-109x.2021057

2021-01-01

Abstract:Existing encrypted traffic detection technologies lack privacy protection for data and models, which will violate the privacy preserving regulations and increase the security risk of privacy leakage. A privacy-preserving encrypted traffic detection system was proposed. It promoted the privacy of the encrypted traffic detection model by combining the gradient boosting decision tree (GBDT) algorithm with differential privacy. The privacy-protected encrypted traffic detection system was designed and implemented. The performance and the efficiency of proposed system using the CICIDS2017 dataset were evaluated, which contained the malicious traffic of the DDoS attack and the port scan. The results show that when the privacy budget value is set to 1, the system accuracy rates are 91.7% and 92.4% respectively. The training and the prediction of our model is efficient. The training time of proposed model is 5.16 s and 5.59 s, that is only 2-3 times of GBDT algorithm. The prediction time is close to the GBDT algorithm.

Tao Qin,Lei Wang,Zhaoli Liu,Xiaohong Guan

DOI: https://doi.org/10.1016/j.knosys.2015.03.002

IF: 8.139

2015-01-01

Knowledge-Based Systems

Abstract:Application identification plays an essential role in network management such as intrusion detection and security monitoring. But the continuous growth of bandwidth and massive amount of packets pose serious challenges for efficacious and accurate application identification. In this paper, we develop a new method to reduce the number of packets being processed while achieving the goal of accurate P2P and VoIP application identification. Firstly, we employ the Bi-flow model to aggregate traffic packets into Bi-flow, which can capture the exchange behavior characteristics between different terminals. Then we employ the signature of Packet Size Distribution (PSD) to capture flow dynamics, which is defined as the payload length distribution probability of the packets in one Bi-flow. Secondly, we collect PSD of several different P2P and VoIP applications and the analysis results show that PSD of different applications are different with each other, which can be used as features to perform traffic identification. We also find the PSD characteristics of one Bi-flow can be captured by its first few packets, which demonstrate our methods can identify the Bi-flow quickly after its establishment. We employ the Renyi cross entropy to perform identification by calculating the similarity between PSD of the Bi-flow being identified and that of specific application. If the similarity is higher than a selected threshold, the Bi-flow being identified is classified to the specific application. Finally, as the PSD is a type of probability feature which is not sensitive to packet lose, we integrate the Poisson sampling method into our framework to process the massive data in backbone networks. Experimental results using the artificial and actual traces collected from monitoring platform in the Northwest Center of CERNET (China Education and Research Network) verify the accuracy and robustness of our method.

LI Chenglong,XUE Yibo,WANG Dongsheng

DOI: https://doi.org/10.3778/j.issn.1673-9418.2012.05.002

2012-01-01

Abstract:Traffic classification and protocol identification are the premise and the essential condition to effective network management. However, more and more encrypted protocols make traditional traffic classification methods less effective. To address the issue, this paper proposes an automatic reverse and message analysis (ARCA) method to identify encryption protocols. Different from traditional classification approaches, the proposed method exploits the protocol structure by automatically and reversely analyzing the target protocol, obtains the protocol interactive process by clustering messages, then identifies the protocol using the protocol structure and interactive process together. This method does not need to check payload, so it can classify the encrypted protocols. The paper evaluates the efficacy and accuracy of ARCA with real world traffic, such as encryption protocols Thunder, BitTorrent, QQ and GTalk. The experimental results show that the accuracy rates and the recall rates are over 96.9% and 93.1% respectively and only need check 0.9% of traffic. Therefore the proposed method has a great potential to accurately and quickly identify encryption protocols.

Jun Li,Shunyi Zhang,Cuilian Li,Junrong Yan

DOI: https://doi.org/10.1002/nem.735

2010-01-01

International Journal of Network Management

Abstract:Accurate and real-time classifi cation of network traffic is significant to a number of network operation and management tasks such as quality of service differentiation, traffic shaping and security surveillance. However, with emerging P2P applications using dynamic port numbers, IP masquerading techniques and payload encryption, accurate and intelligent traffic classification continues to be a big challenge despite a wide range of research work on the topic. Since each classification method has its disadvantages and hardly could meet the specific requirement of Internet traffic classification, this paper innovatively presents a composite traffic classification system. The proposed lightweight system can accurately and effectively identify Internet traffic with good scalability to accommodate both known and unknown/encrypted applications. Furthermore, It promises to satisfy various Internet uses and is feasible for use in real-time line speed applications. Our experimental results show the distinct advantages of the proposed classification system.

Pitpimon Choorod,George Weir,Anil Fernando

DOI: https://doi.org/10.1109/access.2024.3356073

IF: 3.9

2024-02-13

IEEE Access

Abstract:Tor, a network offering Internet anonymity, presented both positive and potentially malicious applications, leading to the need for efficient Tor traffic monitoring. While most current traffic classification methods rely on flow-based features, these can be unreliable due to factors like asymmetric routing, and the use of multiple packets for feature computation can lead to processing delays. Recognising the multi-layered encryption of Tor compared to nonTor encrypted payloads, our study explored distinct patterns in their encrypted data. We introduced a novel method using Deep Packet Inspection and machine learning to differentiate between Tor and nonTor traffic based solely on encrypted payload. In the first strand of our research, we investigated hex character analysis of the Tor and nonTor encrypted payloads through statistical testing across 8 groups of application types. Remarkably, our investigation revealed a significant differentiation rate of 94.53% between Tor and nonTor traffic. In the second strand of our research, we aimed to distinguish Tor and nonTor traffic using machine learning, based on encrypted payload features. This proposed feature-based approach proved effective, as evidenced by our classification performance, which attained an average accuracy rate of 95.65% across these 8 groups of applications. Thereby, this study contributes to the efficient classification of Tor and nonTor traffic through features derived solely from a single encrypted payload packet, independent of its position in the traffic flow.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaoxian Chen,Zhenlong Yuan,Yibo Xue

DOI: https://doi.org/10.1109/iccnc.2014.6785437

2014-01-01

Abstract:Tencent QQ is the most popular instant message communication tool in China, which has more than 780 million users and thus generates huge traffic on the Internet. However, due to its proprietary protocol and encryption mechanism, it is very hard to identify QQ traffic at a fine-grained flow level. To solve this issue, this paper proposes a novel identification method, which uses a Payload and Behavior Combination (PBC) technology. PBC combines the packet payload characteristics with behavior characteristics existing in the QQ communication process. The experimental results show that PBC has a good identification accuracy in dealing with QQ traffic.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1109/glocom.2008.ecp.475

2008-01-01

Abstract:Accurate and fast identification of network traffic is an important element of many network management tasks such as QoS provisioning and security monitoring. However, as many newly-emerged Peer-to-Peer (P2P) applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, the classical approaches based on port mapping and payload analysis are ineffective. An alternative approach is to classify traffic by distinguishing the behavior of an application within the first few packets of TCP connection. We pursue this approach and demonstrate that information of few packets is enough to effectively identify P2P traffic. In our work, C4.5 decision tree and REPTree are evaluated and compared with the previously used clustering method K-Means. Experimental results show that our approaches outperform K- Means algorithm in accuracy. In addition, the proposed approaches can accommodate known and unknown P2P traffic and even encrypted traffic in fast and accurate way, which ensures the real-time applications on the Internet traffic surveillance and QoS provisioning.

Kunlin Li,Baojiang Cui

DOI: https://doi.org/10.1007/978-3-030-79728-7_20

2021-06-24

Abstract:With the increasing popularity of traffic encryption protocols such as SSL/TLS, attacks based on encrypted traffic are more and more rampant, so does the need to inspect all SSL traffic. At present, the methods based on feature engineering and the methods based on deep learning and representation learning are the research hot-spots. In this paper, a new method of encrypted malicious traffic identification is proposed, which is based on deep learning and four- tuple feature. The unit of traffic identification is flow four-tuple. We extract 3 types of features which are statistical feature, handshake byte stream feature, and application data size sequence feature. We design different deep learning models to deal with various features and work together in traffic identification. We used the CTU Malware dataset to experiment. The results show that the accuracy of our method can reach 98.31%, which is better than that of other methods using four-tuple as the unit of flow identification and experimenting on the CTU Malware dataset.

Shi-Jie Xu,Guang-Gang Geng,Xiao-Bo Jin,Dong-Jie Liu,Jian Weng

DOI: https://doi.org/10.1109/tifs.2022.3179955

IF: 7.231

2022-06-22

IEEE Transactions on Information Forensics and Security

Abstract:Although many network traffic protection methods have been developed to protect user privacy, encrypted traffic can still reveal sensitive user information with sophisticated analysis. In this paper, we propose ETC-PS, a novel encrypted traffic classification method with path signature. We first construct the traffic path with a session packet length sequence to represent the interactions between the client and the server. Then, path transformations are conducted to exhibit its structure and obtain different information. A multiscale path signature is finally computed as a kind of distinctive feature to train the traditional machine learning classifier, which achieves highly robust accuracy and low training overhead. Six publicly available datasets with different traffic types of HTTPS/1, HTTPS/2, QUIC, VPN, non-VPN, Tor, and non-Tor are used to conduct closed-world and open-world evaluations to verify the effectiveness of ETC-PS. The experimental results demonstrate that ETC-PS is superior to the state-of-the-art methods in terms of accuracy, score, time complexity, and stability.

computer science, theory & methods,engineering, electrical & electronic

Liangchen Chen,Shu Gao,Baoxu Liu,Zhigang Lu,Zhengwei Jiang

DOI: https://doi.org/10.1007/s11227-020-03372-1

IF: 3.3

2020-06-29

The Journal of Supercomputing

Abstract:With the rapid increase in amount of network encrypted traffic and malware samples using encryption to evade identification, detecting encrypted malicious traffic presents challenges. The quality of the encrypted traffic sampling method directly affects the result of malware detection, but most existing machine learning methods for sampling flow-based encrypted traffic data are inherently inaccurate. To solve these problems, an innovative three-stage hierarchical sampling approach based on the improved density peaks clustering algorithm (THS-IDPC) is proposed to enhance the accuracy and efficiency of encrypted malicious traffic detection model. First, we propose an improved density peaks clustering algorithm based on grid screening, custom center decision value and mutual neighbor degree (DPC-GS-MND). In DPC-GS-MND, grid screening effectively reduces the computational complexity and mutual neighbor degree improves the clustering accuracy. Then, we extract and research the three categories features of encrypted traffic data related to malicious activities, and adopt a three-layer hierarchical clustering algorithm based on DPC-GS-MND. Finally, a three-stage sampling approach based on the three-layer hierarchical clustering algorithm (THS-IDPC) is proposed to sample the encrypted traffic data for further deep detection. The experimental results demonstrated that the proposed THS-IDPC is very effective to reduce normal traffic from massive network encrypted traffic simultaneously, and the encrypted malicious traffic detection model with THS-IDPC sampling method can detect multiple encrypted malicious traffic families with higher accuracy and efficiency. Meanwhile, DPC-GS-MND and THS-IDPC have good application prospects in network intrusion detection system under the big data environment.