Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Jun Li,Shunyi Zhang,Cuilian Li,Junrong Yan

DOI: https://doi.org/10.1002/nem.735

2010-01-01

International Journal of Network Management

Abstract:Accurate and real-time classifi cation of network traffic is significant to a number of network operation and management tasks such as quality of service differentiation, traffic shaping and security surveillance. However, with emerging P2P applications using dynamic port numbers, IP masquerading techniques and payload encryption, accurate and intelligent traffic classification continues to be a big challenge despite a wide range of research work on the topic. Since each classification method has its disadvantages and hardly could meet the specific requirement of Internet traffic classification, this paper innovatively presents a composite traffic classification system. The proposed lightweight system can accurately and effectively identify Internet traffic with good scalability to accommodate both known and unknown/encrypted applications. Furthermore, It promises to satisfy various Internet uses and is feasible for use in real-time line speed applications. Our experimental results show the distinct advantages of the proposed classification system.

Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Yahui Yang,Yunfei Chen,Min Xia,Juan Ma

DOI: https://doi.org/10.1109/IAS.2009.224

2009-01-01

Abstract:Aiming at automated security test on communication protocols, this paper proposes an automated manipulation mechanism of testing procedure based on FSM (Finite State Machine), and designs an automated packet generation mechanism based on a protocol template library. The practical experiments and applications show that the automated security testing platform of communication protocols based on this mechanism can implement the correct evaluations, be convenient to construct the testing procedure, generate automatically test packet sequence and have smaller packet control granularity. It can be used for the systematic and efficient infiltrative security test.

Mingjiang Ye,Ke Xu,Jianping Wu,Hu Po

DOI: https://doi.org/10.1109/cit.2009.97

2009-01-01

Abstract:Classifying network traffic according to the applications is important to a broad range of network areas. Compared with the traditional method which classifies traffic using predefined well-known port numbers, the method using application signatures is more accurate. Unfortunately, analyzing signatures and maintaining up-to-date signatures for various applications is very difficult. To solve the problem, the paper proposes AutoSig which is an automatic application signature generation system. AutoSig extracts multiple common substring sequences from sample flows as application signature. First all possible common substrings in an application protocol are extracted and then a substring tree is constructed to generate the final signature of the application. The method is evaluated on campus traffic traces, and the experiment results show that AutoSig can generate effective application signatures with very high accuracy automatically.

Yi-Chuan Wang,Bin-Bin Bai,Xin-Hong Hei,Ju Ren,Wen-Jiang Ji

DOI: https://doi.org/10.6688/jise.202007_36(4).0005

2020-01-01

Journal of information science and engineering

Abstract:In recent years, unscrupulous hacker attacks have led to the information leakage of enterprise and individual network users, which makes the network security issue unprecedented concerned. Botnet and dark network, which use C & C channel of unknown protocol format to communicate, are the important parts. With the development of wireless mobile networks technology, this problem becomes more prominent. Classifying and identifying the unknown protocol features can help us to judge and predict the unknown attack behavior in the Internet of things environment, so as to protect the network security. Firstly, this paper compares the protocol features to be detected with the existing protocol features in the feature base through the vectorization operation of protocol features, selects the feature set with high recognition rate, and judges the similarity between protocols. The extracted composite features are digitized to generate 0-1 matrix, then Principal Component Analysis (PCA) dimension reduction is processed, and finally clustering analysis is carried out. A Clique to Protocol Feature Vectorization (CPFV) algorithm is designed to improve the efficiency of protocol clustering and finally generate a new protocol format. The experimental results show that compared with the traditional Clique and BIRCH algorithms, the proposed optimization algorithm improves the accuracy by 20% and the stability by 15%. It can cluster and identify unknown protocols accurately and quickly.

Guorui Xie,Qing Li,Yong Jiang,Tao Dai,Gengbiao Shen,Rui Li,Richard Sinnott,Shutao Xia

DOI: https://doi.org/10.1145/3405671.3405811

2020-01-01

Abstract:Network traffic classification categorizes traffic classes based on protocols (e.g., HTTP or DNS) or applications (e.g., Facebook or Gmail). Its accuracy is a key foundation of some network management tasks like Quality-of-Service (QoS) control, anomaly detection, etc. To further improve the accuracy of traffic classification, recent researches have introduced deep learning based methods. However, most of them utilize the privacy-concerned payload (user data). Besides, they generally do not consider the dependency of bytes in a packet, which we believe can be exploited for the more accurate classification. In this work, we treat the initial bytes of a network packet as a language and propose a novel Self-Attention based Method (SAM) for traffic classification. The average F1-scores of SAM on protocol and application classification are 98.62% and 98.93%. With the higher accuracy of SAM, better QoS and anomaly detection can be met.

Tao Qin,Lei Wang,Zhaoli Liu,Xiaohong Guan

DOI: https://doi.org/10.1016/j.knosys.2015.03.002

IF: 8.139

2015-01-01

Knowledge-Based Systems

Abstract:Application identification plays an essential role in network management such as intrusion detection and security monitoring. But the continuous growth of bandwidth and massive amount of packets pose serious challenges for efficacious and accurate application identification. In this paper, we develop a new method to reduce the number of packets being processed while achieving the goal of accurate P2P and VoIP application identification. Firstly, we employ the Bi-flow model to aggregate traffic packets into Bi-flow, which can capture the exchange behavior characteristics between different terminals. Then we employ the signature of Packet Size Distribution (PSD) to capture flow dynamics, which is defined as the payload length distribution probability of the packets in one Bi-flow. Secondly, we collect PSD of several different P2P and VoIP applications and the analysis results show that PSD of different applications are different with each other, which can be used as features to perform traffic identification. We also find the PSD characteristics of one Bi-flow can be captured by its first few packets, which demonstrate our methods can identify the Bi-flow quickly after its establishment. We employ the Renyi cross entropy to perform identification by calculating the similarity between PSD of the Bi-flow being identified and that of specific application. If the similarity is higher than a selected threshold, the Bi-flow being identified is classified to the specific application. Finally, as the PSD is a type of probability feature which is not sensitive to packet lose, we integrate the Poisson sampling method into our framework to process the massive data in backbone networks. Experimental results using the artificial and actual traces collected from monitoring platform in the Northwest Center of CERNET (China Education and Research Network) verify the accuracy and robustness of our method.

Yun Wu,Liangshun Wu,Hengjin Cai

DOI: https://doi.org/10.1016/j.compeleceng.2022.108542

2022-12-13

Abstract:Vehicle and road side unit communications are crucial to the information network in Intelligent Transportation System (ITS). There are two fundamental problems with the current communication security solutions: (1) encryption technology alone is not sufficient to verify the authenticity of the messages transmitted from vehicles to road side units, (2) existing solutions fail to build a complete framework in the way that they are case-dependent and apply to limited scenarios. This paper first presents a cloud-vehicle-road architecture that explains the precise message contents as well as the message generation and transmission process. A binary classification model is deployed to assess uploaded traffic-related messages to improve traffic efficiency based on cross-sectional data. A novel graph temporal neural network with attention is designed for misbehavior detection of vehicles based on time-sequential data. According to simulation results, the system's overall performance can be effectively improved regarding security and availability.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Jielun Zhang,Feng Ye,Yi Qian

DOI: https://doi.org/10.1109/mnet.001.1900513

IF: 10.294

2020-05-01

IEEE Network

Abstract:Network measurement and management are critical to the future smart network QoS and enhancing user QoE. Accurate prediction of network status can support network measurement and provide extra time for network management. However, it is challenging to achieve high accuracy in real-time due to the complexity of user behavior as well as the diversity of network applications. The future SDN will enable data-driven techniques to provide accurate network traffic prediction from access gateways. To demonstrate the concept, a DL-based encrypted packet classifier is first developed in this work to identify network applications. With the achievement of application awareness, a DL-based network traffic prediction scheme is further proposed and developed to provide accurate network traffic prediction. Datasets of network packets from an open-source as well as traffic flow collected in real life are applied to conduct evaluations and case studies. The evaluation results demonstrate that the proposed network traffic classification and prediction framework can successfully predict network traffic in access networks. The proposed framework will contribute significantly to the transition toward intelligent communication and networking to enhance user QoE.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

Zhenlong Yuan,Yibo Xue,Yingfei Dong

DOI: https://doi.org/10.1109/CNS.2013.6682724

2013-01-01

Abstract:Network traffic classification is critical to both network management and security. Identifying application traffic at the flow level with signature matching has been widely used as the most efficient method due to its reliability and robustness. However, due to the increasing number of applications and their frequent updates, we have to constantly regenerate application signatures, which is both resource intensive and time consuming. To address this issue, we propose to explore the unique characteristics in packet sequences and discovered two types of packet sequence signatures. We introduce our design and implementation of an automated packet-sequence signature construction (APSC) system, based on association rule mining and data clustering technologies. This system can not only automatically generate traditional signatures from individual packet payloads but also construct new packet sequence signatures based on payloads or features from packet sequences, even for encrypted flows. To the best of our knowledge, this is the first practical and efficient system that supports automated packet sequence signature construction. Our experimental results show that the proposed system can automatically construct high quality signatures for a variety of application with limited overhead.

Stephan Kleber,Milan Stute,Matthias Hollick,Frank Kargl

DOI: https://doi.org/10.1109/DSN-W54100.2022.00023

2022-11-08

Abstract:Reverse engineering of unknown network protocols based on recorded traffic traces enables security analyses and debugging of undocumented network services. In particular for binary protocols, existing approaches (1) lack comprehensive methods to classify or determine the data type of a discovered segment in a message, e.,g., a number, timestamp, or network address, that would allow for a semantic interpretation and (2) have strong assumptions that prevent analysis of lower-layer protocols often found in IoT or mobile systems. In this paper, we propose the first generic method for analyzing unknown messages from binary protocols to reveal the data types in message fields. To this end, we split messages into segments of bytes and use their vector interpretation to calculate similarities. These can be used to create clusters of segments with the same type and, moreover, to recognize specific data types based on the clusters' characteristics. Our extensive evaluation shows that our method provides precise classification in most cases and a data-type-recognition precision of up to 100% at reasonable recall, improving the state-of-the-art by a factor between 1.3 and 3.7 in realistic scenarios. We open-source our implementation to facilitate follow-up works.

Cryptography and Security,Networking and Internet Architecture

ZHANG Luo-shi,WANG Da-wei,XUE Yi-bo

DOI: https://doi.org/10.11959/j.issn.1000-436x.2015070

2015-01-01

Abstract:Traditional methods of protocol identification, which is mainly based on individual flow, lose their effective-ness as dealing with sophisticated network applications. A novel model of identifying sophisticated network applications, called flow-aware model, is addressed. This proposed model abstracts the characteristics of sophisticated network appli-cations from spatial dimension, time dimension and flow dimension, and provides the detailed analysis and deeply mining in characteristics of behaviors and states. Based on this model, a framework and method of sophisticated network appli-cations identification is proposed. The experimental results demonstrate that the proposed method can achieve the pur-pose of identifying sophisticated network applications effectively.

Tao Qin,Xiaohong Guan,Yi Long,Wei Li

DOI: https://doi.org/10.1109/icis.2009.104

2009-01-01

Abstract:Users' character analysis and control are important for enterprise network management and security. In this paper, we propose a novel method to classify the users' behaviors into different security levels and control their behaviors with corresponding strategies. Firstly, Dflow model and several traffic features, including the number of packets, number of flows, flow durations, etc., are proposed to capture the users' characters. They are obtained from different layers of the OSI communication model, such as the network layer and transport layer. Secondly, we define scores for users' behaviors according to their traffic patterns using a flexible method with adjustable weight factors, and different monitoring aims can be achieved by adjusting the weight factors. Based on the behavior score, the users' behaviors are classified into three security levels: low-dangerous, mid-dangerous and high-dangerous levels. Finally, the mid (high)-dangerous users' behaviors are controlled by a dynamic quarantine method based on the principle of "assume guilty before proven innocent". We quarantine a user whenever its behavior is classified into the mid (high)-dangerous levels by blocking its traffic. Then the quarantine is released after a short time, even if the users have not been inspected by security managers yet. In this way, we can remove the potential threats from the monitoring network without interfering the users' normal activities severely. The experimental results based on actual traffic data show that the methods proposed in this paper are simple, flexible and of high accuracy, which can be used for real-time enterprise network monitoring and management.

Peng Wang,Yining Liu

DOI: https://doi.org/10.1109/jsyst.2021.3051435

IF: 4.802

2021-03-01

IEEE Systems Journal

Abstract:Message authentication and conditional privacy preservation are two critical security issues in vehicular ad hoc networks (VANETs), which have been extensively studied in recent years. To achieve these security issues, many information security technologies have been proposed so far. Among them, pseudonyms-based and group-based messages signing and verifying are two of the main methods adopted in recently published literature. However, analysis points out that both of the two technologies have their downsides. To address these issues, a secure and efficient message authentication protocol (SEMA) is proposed in this article, which aims to achieve mutual authentication among vehicles and road-side units (RSUs) in VANETs by combining the advantages of pseudonyms-based and group-based methods. Security analysis shows that SEMA is robust to various security attacks. Performance evaluation demonstrates that SEMA is computationally lightweight on both vehicles and RSUs. Finally, simulations are performed to prove the feasibility in highway and urban environment.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Rong Geng,Xiaojie Wang,Jun Liu

DOI: https://doi.org/10.1109/access.2018.2875104

IF: 3.9

2018-01-01

IEEE Access

Abstract:In the intelligent transportation system (ITS), vehicle networks (VNs) can well solve the network related problems. However, as VNs are expected to have a wide range of applications in future services, security challenges are widely recognized. Consequently, security solutions for VNs are urgently needed. In this paper, we propose a new security strategy for VNs. We first construct the network architecture for VNs through the software defined networking. The security schemes are then embedded in the protocol to defend the common security attacks in the network. Moreover, in order to meet the security requirements of different data and computation overhead, several security schemes are studied for anti-replay, anti-eavesdropping, anti-tamper, anti-wormhole, and anti-forger, through the selection of packets to choose different modules. In particular, we focus on the anti-replay security scheme and use sequence number algorithm and MAC complete sequence number method in master and multi-service modules, respectively. The security schemes are simulated and analyzed by NS-2, which shows that the performance of the proposed security schemes is superior in terms of packet delivery ratio, average end-to-end delay, and control overhead.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhihan Li,Rui Yuan,Xiaohong Guan

DOI: https://doi.org/10.1109/icc.2007.231

2007-01-01

Abstract:The need to quickly and accurately classify Internet traffic for security and QoS control has been increasing significantly with the growing Internet traffic and applications over the past decade. Pattern recognition by learning the features in the training samples to classify the unknown flows is one of the main methods. However, many methods developed in the previous works are too complicated to be applied in real-time, and the prior probabilities based on the training samples are severely biased. This paper uses the SVM (support vector machine) method to train 7 classes of applications of different characteristics, captured from a campus network backbone. A discriminator selection algorithm is developed to obtain the best combination of the features for classification. Our optimized method yields approximately 96.9% accuracy for un-biased training and testing samples. For regular biased samples, the accuracy is about 99.4%. Furthermore, all the feature parameters are computable in real time from captured packet headers, suggesting real time network traffic classification with high accuracy is achievable.