Xiaochun Yun,Jiang Xie,Shuhao Li,Yongzheng Zhang,Peishuai Sun

DOI: https://doi.org/10.1016/j.cose.2022.102834

2023-09-07

Abstract:Malicious communication behavior is the network communication behavior generated by malware (bot-net, spyware, etc.) after victim devices are infected. Experienced adversaries often hide malicious information in HTTP traffic to evade detection. However, related detection methods have inadequate generalization ability because they are usually based on artificial feature engineering and outmoded datasets. In this paper, we propose an HTTP-based Malicious Communication traffic Detection Model (HMCD-Model) based on generated adversarial flows and hierarchical traffic features. HMCD-Model consists of two parts. The first is a generation algorithm based on WGAN-GP to generate HTTP-based malicious communication traffic for data enhancement. The second is a hybrid neural network based on CNN and LSTM to extract hierarchical spatial-temporal features of traffic. In addition, we collect and publish a dataset, HMCT-2020, which consists of large-scale malicious and benign traffic during three years (2018-2020). Taking the data in HMCT-2020(18) as the training set and the data in other datasets as the test set, the experimental results show that the HMCD-Model can effectively detect unknown HTTP-based malicious communication traffic. It can reach F1 = 98.66% in the dataset HMCT-2020(19-20), F1 = 90.69% in the public dataset CIC-IDS-2017, and F1 = 83.66% in the real traffic, which is 20+% higher than other representative methods on average. This validates that HMCD-Model has the ability to discover unknown HTTP-based malicious communication behavior.

Cryptography and Security,Networking and Internet Architecture

LI Jia,YUN Xiaochun,LI Shuhao,ZHANG Yongzheng,XIE Jiang,FANG Fang

DOI: https://doi.org/10.11959/j.issn.1000-436x.2019019

2019-01-01

Abstract:In response to the HTTP malicious traffic detection problem, a preprocessing method based on cutting mechanism and statistical association was proposed to perform statistical information correlation as well as normalization processing of traffic. Then, a hybrid neural network was proposed based on the combination of raw data and empirical feature engineering. It combined convolutional neural network (CNN) and multilayer perceptron (MLP) to process text and statistical information. The effect of the model was significantly improved compared with traditional machine learning algorithms (e.g., SVM). The F1 value reached 99.38％ and had a lower time complexity. At the same time, a data set consisting of more than 450 000 malicious traffic and more than 20 million non-malicious traffic was created. In addition, prototype system based on model was designed with detection precision of 98.1％～99.99％ and recall rate of 97.2％～ 99.5％. The application is excellent in real network environment.

Jiang Xie,Shuhao Li,Yongzheng Zhang,Xiaochun Yun,Jia Li

DOI: https://doi.org/10.48550/arXiv.2309.01174

2023-09-03

Networking and Internet Architecture

Abstract:Trojans are one of the most threatening network attacks currently. HTTP-based Trojan, in particular, accounts for a considerable proportion of them. Moreover, as the network environment becomes more complex, HTTP-based Trojan is more concealed than others. At present, many intrusion detection systems (IDSs) are increasingly difficult to effectively detect such Trojan traffic due to the inherent shortcomings of the methods used and the backwardness of training data. Classical anomaly detection and traditional machine learning-based (TML-based) anomaly detection are highly dependent on expert knowledge to extract features artificially, which is difficult to implement in HTTP-based Trojan traffic detection. Deep learning-based (DL-based) anomaly detection has been locally applied to IDSs, but it cannot be transplanted to HTTP-based Trojan traffic detection directly. To solve this problem, in this paper, we propose a neural network detection model (HSTF-Model) based on hierarchical spatiotemporal features of traffic. Meanwhile, we combine deep learning algorithms with expert knowledge through feature encoders and statistical characteristics to improve the self-learning ability of the model. Experiments indicate that F1 of HSTF-Model can reach 99.4% in real traffic. In addition, we present a dataset BTHT consisting of HTTP-based benign and Trojan traffic to facilitate related research in the field.

Congqi Shen,Geyang Xiao,Shaofeng Yao,Boyang Zhou,Zhongxia Pan,Hong Zhang

DOI: https://doi.org/10.1109/spac53836.2021.9539933

2021-01-01

Abstract:Current Industrial Internet faces serious threats where attackers propagate malicious flows, resulting in communication failures in the Industrial Internet. In this work, we propose a practical and novel method to detect malicious traffic attack in real time with high accuracy. Our primary idea is to capture network flow, extract adequate network flow features, construct a long short-term memory (LSTM) based deep learning model, and identify the property of the corresponding network flow. Whether the network suffers attack or not is then determined according to the detection results. The corresponding prototype is also implemented in the Industrial Internet which is equipped with Software Defined Networking (SDN). Experimental results validate that the proposed method is effective in defending against malicious traffic attack in real-world network.

Xueying Han,Susu Cui,Qinjian,Song Liu,Bo Jiang,Cong Dong,Zhigang Lu,Baoxu Liu

DOI: https://doi.org/10.1145/3589334.3645479

2024-01-01

Abstract:Malicious traffic detection has been a focal point in the field of network security, and deep learning-based approaches are emerging as a new paradigm. However, most of them are supervised methods, which highly depend on well-labeled data, and fail to handle unknown or continuously evolving attacks. Unsupervised methods alleviate the need for labeled data, but existing methods are often limited to detecting anomalies either in vertical perspective through historical comparisons or in horizontal perspective by comparing with concurrent entities. Relying on data from a single perspective is unreliable, and it limits the model's accuracy and generalizability. In this paper, we propose a novel method ContraMTD based on contrastive learning, which comprehensively considers both vertical and horizontal perspectives. ContraMTD extracts local behavior features and global interaction features from normal network traffic by proposed SEC and DE-GAT respectively, then employs contrastive learning to learn the relationship, especially consistency between them, and finally detects malicious traffic through a multi-round scoring approach. We conduct extensive experiments on three datasets, including a self-collected dataset, and the results demonstrate that our method outperforms many state-of-the-art methods in the domain of unsupervised malicious traffic detection.

Jiang Xie,Shuhao Li,Xiaochun Yun,Yongzheng Zhang,Peng Chang

DOI: https://doi.org/10.1016/j.cose.2020.101923

IF: 5.105

2020-01-01

Computers & Security

Abstract:HTTP-based Trojan is extremely threatening, and it is difficult to be effectively detected because of its concealment and confusion. Previous detection methods usually are with poor generalization ability due to outdated datasets and reliance on manual feature extraction, which makes these methods always perform well under their private dataset, but poorly or even fail to work in real network environment. In this paper, we propose an HTTP-based Trojan detection model via the Hierarchical Spatio-Temporal Features of traffics (HSTF-Model) based on the formalized description of traffic spatio-temporal behavior from both packet level and flow level. In this model, we employ Convolutional Neural Network (CNN) to extract spatial information and Long Short-Term Memory (LSTM) to extract temporal information. In addition, we present a dataset consisting of Benign and Trojan HTTP Traffic (BTHT-2018). Experimental results show that our model can guarantee high accuracy (the F1 of 98.62% ~ 99.81% and the FPR of 0.34% ~ 0.02% in BTHT-2018). More importantly, our model has a huge advantage over other related methods in generalization ability. HSTF-Model trained with BTHT-2018 can reach the F1 of 93.51% on the public dataset ISCX-2012, which is 20+% better than the best of related machine learning methods.

Bolun Wu,Futai Zou,Chengwei Zhang,Tangda Yu,Yun Li

DOI: https://doi.org/10.1016/j.jisa.2022.103411

IF: 4.96

2023-01-01

Journal of Information Security and Applications

Abstract:This paper introduces AutoHTTP, a novel end-to-end trainable framework for detecting malicious HTTP traffic. It can automatically analyze plain-text network traffic data without any manual labor and present an interpretable detection report for better human understanding. The purpose of the framework is to detect malicious HTTP traffic by mining multi-field inexplicit semantic characteristics and correlation. To conquer the problems in reality, we first divide the multi-field plain-texts ( e.g. user-agent, URL, method) into two types: R-field and S-field. Then, an elementary feature extraction module is proposed to turn these fields into a compact field representation. Finally, the field interactions and significant parts of different fields are simultaneously extracted by feeding the compact feature vector into a newly proposed attention and cross network, which couples two important components, the attention portion and the cross part. We show that the network offers strong interpretability and reliable results for further analysis. Extensive experiments on CTU-13, CICAndMal, and ISCX-URL datasets demonstrate that our approach outperforms existing methods based on manually-designed features and other auto-designed features.

Jinfu Chen,Luo Song,Saihua Cai,Haodi Xie,Shang Yin,Bilal Ahmad

DOI: https://doi.org/10.1145/3613960

IF: 2.717

2023-08-07

ACM Transactions on Privacy and Security

Abstract:In recent years, the use of TLS (Transport Layer Security) protocol to protect communication information has become increasingly popular as users are more aware of network security. However, hackers have also exploited the salient features of the TLS protocol to carry out covert malicious attacks, which threaten the security of network space. Currently, the commonly used traffic detection methods are not always reliable when applied to the problem of encrypted malicious traffic detection due to their limitations. The most significant problem is that these methods do not focus on the key features of encrypted traffic. To address this problem, this study proposes an efficient detection model for encrypted malicious traffic based on transport layer security protocol and a multi-head self-attention mechanism called TLS-MHSA. Firstly, we extract the features of TLS traffic during pre-processing and perform traffic statistics to filter redundant features. Then, we use a multi-head self-attention mechanism to focus on learning key features as well as generate the most important combined features to construct the detection model, thereby detecting the encrypted malicious traffic. Finally, we use a public dataset to verify the effectiveness and efficiency of the TLS-MHSA model, and the experimental results show that the proposed TLS-MHSA model has high precision, recall, F1-measure, AUC-ROC as well as higher stability than seven state-of-the-art detection models.

computer science, information systems

Yunxin Liu,Yuliang Chen,Hongtao Zhang,Qingguo Zhou,Xiaokang Zhou

DOI: https://doi.org/10.1109/dasc/picom/cbdcom/cy59711.2023.10361291

2023-01-01

Abstract:With the rapid development of society, network technology continues to advance. At the same time, people are also facing threats from malicious traffic. To address this issue, this paper proposes a malicious traffic detection method based on word vectorization algorithm and neural networks. This method combines tasks such as packet parsing, header data grayscale image generation, and message feature extraction to extract effective feature information. By combining convolutional neural networks (CNN), it detects malicious traffic hidden within normal traffic. Experimental results demonstrate that compared to traditional machine learning methods, the proposed approach exhibits higher efficiency and accuracy in identifying malicious traffic attacks, thereby better-protecting network users from malicious attacks.

Ruihai Ge,Yongzheng Zhang,Shuhao Li,GuoQiao Zhou

DOI: https://doi.org/10.1109/ijcnn55064.2022.9892476

2022-01-01

Abstract:The desperate increase of mobile malware has constituted a severe threat to user privacy, economic life, and cyberspace security. Existing anti-malware solutions have notice-able weaknesses due to the adoption of content analysisbased approaches. The main limitation of these approaches is that they rely on careful expert engineering and professional handcrafted input features. Some researchers have tried to solve this limitation by using deep learning models to automatically learn feature representations from raw traffic. In this paper, we explore a deep learning detection framework based on self-attention to discriminate between malicious and benign network traffic. As a major advantage with respect to the state-of-the-art methods, we point out that the attention mechanism can better learn the underlying features of malicious traffic in terms of flows and bytes. We design a dual-branch deep learning method that consists of a flow importance-discrimination branch and a byte importance-discrimination branch. The flow importance-discrimination branch calculates the attentions between flows to obtain the feature contributions of different flows, and the byte importance-discrimination branch builds the feature contributions of diverse bytes by considering the connections among all bytes of network payload. Both flow features and byte features are combined to enhance the representation ability of network traffic behaviors generated by mobile applications (apps). We evaluate proposed method using a publicly available dataset including 55,992 malicious traffic traces and 47,779 benign traffic traces. The experimental results demonstrate that our method is able to identify malicious apps with high accuracy, outperforming the baseline methods and the popular deep-learning models.

Chaopeng Li,Jinlin Wang,Xiaozhou Ye

DOI: https://doi.org/10.14704/nq.2018.16.5.1391

2018-01-01

NeuroQuantology

Abstract:In the studies of intrusion detection/prevention systems (IDS/IPS) and network security situational awareness, malicious traffic detection has been given significantly more attention to prevent malicious traffic. Meanwhile, with the development of machine learning technology, an increasing number of algorithms and models have been employed for attack detection. Previous studies generally used common and typical machine learning models such as SVM, KNN, or a random forest. However, the bottleneck of these types of approaches is two-fold. The input of the model is constructed using the feature engineering method of artificially designed representation, which requires a substantial amounts expertise. Additionally, most detection methods ignore the temporal information between network packets in one micro-flow. In this paper, we regard malicious traffic detection as a classification task and propose a hybrid model that combines a recurrent neural network (RNN) with restricted Boltzmann machines (RBM) which take byte-level raw data as input without feature engineering. Specifically, distributed embedding is utilized to pre-process network data to make it more suitable for deep neural network models. Subsequently, an RBM model is used to extract the feature vectors of the network packets and an RNN model is used to extract the flow feature vector. Finally, the flow vectors are sent to the Softmax layer to obtain the detection result. Experiments based on the ISCX-2012 and DARPA-1998 published datasets show that our proposed RNN-RBM model has a greater detection accuracy, recall rate, and lower false alarm rate than most traditional machine learning models. This proves the effectiveness of the proposed RNN-RBM model in malicious traffic detection.

Haitao Yuan,Shen Wang,Jing Bi,Jia Zhang

DOI: https://doi.org/10.1109/smc53992.2023.10393988

2023-01-01

Abstract:Current interactions of network traffic through cloud data centers have become an important process of network services. Precise and real-time detection and prediction of network traffic can assist system operators in effectively allocating resources, and assessing network performance based on actual service requirements, and analyzing network health. However, sources and distribution of network traffic are different, which makes accurate warnings of network attack traffic become a difficult problem. In recent years, neural networks have been proven to be effective in predicting time series data, particularly long short-term memory networks for capturing temporal features and convolutional methods for capturing spatial features. This work proposes a Deep Hybrid Spatio-Temporal (DHST) network method for abnormal traffic detection in cloud data centers, which combines a cooperative temporal convolutional network, an attention mechanism and a random inactivation method to capture the network traffic data's spatio-temporal features. It improves accuracy of abnormal traffic detection, and realizes classification of normal traffic and abnormal one. It achieves higher accuracy than typical detection methods when applied to a real-life dataset collected from Yahoo Webscope S5.

Jinhui Ning,Yu Wang,Jie Yang,Haris Gacanin,Song Ci

DOI: https://doi.org/10.1109/vtc2021-fall52928.2021.9625438

2021-01-01

Abstract:Malware traffic classification (MTC) is a key technology for solving anomaly detection and intrusion detection problems. And hence it plays an important role in the field of network security. Traditional MTC methods based on port, payload and statistic depend on the manual-designed features, which have low accuracy. Recently, deep learning methods have attracted significant attention due to their high accuracy in terms of classification. However, in practical application scenarios, deep learning methods require a large amount of labeled samples for training, while the available labeled samples for training are very rare. Furthermore, the preparation of a large amount of labeled samples requires a lot of labor costs. To solve these problems, this paper proposes two methods based on semi-supervised learning (SSL) and transfer learning (TL), respectively. Our proposed methods use a large amount of unlabeled data collected in the Internet traffic, which can greatly improve the accuracy classification with few labeled samples. Through experiments, we obtained the best method to improve the accuracy of few labeled samples in different situations. Experiment results show that our proposed methods can satisfy the requirement of MTC in the case of few labeled samples.

Anran Liu,Zhenxiang Chen,Shanshan Wang,Lizhi Peng,Chuan Zhao,Yuliang Shi

DOI: https://doi.org/10.1007/978-3-030-05063-4_10

2018-01-01

Abstract:Android platform has become the most popular smartphone system due to its openness and flexibility. Similarly, it has also become the target of numerous attackers because of these. Various types of malware are thus designed to attack Android devices. All these cases prompted amounts of researchers to start studying malware detection technologies and some of the groups applied network traffic analysis to their detection models. The majority of these models have considered the detection primarily on network traffic statistical features which can distinguish malicious network traffic from normal one. However, when faces a large amount of network traffic on the detection stage, especially some of the network flows are quite huge as a result of containing too many packets, feature extraction can be extremely time consuming. Therefore, we propose a malware detection approach based on TCP traffic, which can quickly and effectively detect malware behavior. We first employ the traffic collection platform to collect network traffic generated by various apps. After preprocessing (filtering and aggregating) the collected network traffic data, we get a large number of TCP flows. Next we extract early packets’ sizes as features from each TCP flow and then send it to detection model to get the detection result. In our method, the time it takes to extract features from 53108 network flows is reduced from 39321 s to 18041 s, which is a reduction of 54%. Meanwhile, our method achieves a detection rate of 97%.

Ning Zhao,Yongli Wang,Na Cao,Xiaoze Gong

DOI: https://doi.org/10.1007/978-3-030-04212-7_56

2018-01-01

Abstract: There will always be malicious intrusion, node downtime and other events caused by network traffic anomalies while Content Delivery Network (CDN) is facing user’s service. These events will lead in a large area of network paralysis and suspension of network services. Therefore, in order to effectively detect and deal with the anomalies in advance, the paper makes a partial improvement on the existing Hierarchical Temporal Memory network (HTM), and proposes a new network model HTMTAD (Hierarchical Temporal Memory – based Traffic Anomalies Detection) to detect intelligently the changes of abnormal traffic from the CDN. In view of the characteristics of CDN traffic data, the paper proposes a hash coding algorithm to improve the reliability of encoder and an anomaly likelihood calculation method to detect the CDN traffic anomalies. Experimental results show that HTMTAD can effectively detect anomalies in CDN network traffic.

Yantian Luo,Xu Chen,Ning Ge,Wei Feng,Jianhua Lu

DOI: https://doi.org/10.1109/ICC45855.2022.9838882

2022-01-01

Abstract:Due to the heterogeneity of Internet of Things (IoT) devices and the diversity of IoT communication protocols, it is challenging to defend against malicious traffic from IoT devices. In this paper, a novel malicious traffic detection method is proposed based on the deep learning method. Specifically, a Transformer-based encoder is designed to automatically select key features of IoT traffic for the detection task, which avoids the cumbersome feature screening process that has been widely used in traditional machine learning methods. To address the complexity of the feature space and improve the efficiency of model training, we exploit the correlation between the characteristics of malicious traffic and the device type of IoT bots to further improve the detection accuracy by introducing a device classification auxiliary loss in the training phase. Experimental results show that our method outperforms the state-of-the-art machine learning-based methods in terms of accuracy, precision, recall and f1-score on real IoT traffic traces. In addition, the benefit of device type information on detection efficiency is verified.

Jiazhong Lu,Xiaosong Zhang,Wang Junfeng,Ying Lingyun

DOI: https://doi.org/10.1109/ICITBS.2016.87

2016-01-01

Abstract:APT(Advanced persist threat) is an emerging attack on the Internet. Attackers may combine phishing emails, malware, social engineering and botnets to create a series of attacks in one APT attack which makes it quite difficult for detection. In this way, attackers can remotely control the infected host, or steal sensitive information. In this paper, we proposed a time transform features approach for distinguishing APT attacks based on the observation that malicious payload must be transferred to the target hosts in an APT attack. By comparing the normal traffic with the traffic containing a malicious payload, we are able to catch the signal of malicious payload and further infer the existence of APT attacks. Then we use machine learning methods to detect APT attacks in big data. To verify this approach, we placed a device on the gateway of our university for catching the real Internet traffic of the university for one month. Then we mixed the APT traffic with these flows, and see whether our approach can identify the malicious payloads. We found our approach is not only accurate but also efficient for catching APT attacks.

Ruihai Ge,Yongzheng Zhang,Shuhao Li,Guoqiao Zhou,Guangze Zhao

DOI: https://doi.org/10.1145/3586102.3586106

2022-01-01

Abstract:The rapid growth of mobile malicious applications (apps) poses a serious threat to cyber security. The vast majority of malicious apps steal user data and launch remote attacks via network communications. Existing traffic-based malware detection methods exhibit unsatisfying resource consumption and user privacy leakage in the malware detection process. In this paper, we propose ZeroTraffic, a lightweight but effective detection approach by taking full advantage of zero-payload packets in the TCP protocol. The key insight of our research is that zero-payload packets can be used to reconstruct the behavior patterns of malicious traffic, which differs significantly from benign traffic in terms of communication periodicity and asymmetry of upstream and downstream data. Hence, we can leverage the statistical characteristics based on zero-payload packets to detect mobile malware. In ZeroTraffic, we first summarize and extract the source-oriented and destination-oriented statistical features to enhance the feature expression ability for lightweight data, and then train supervised learning algorithms to build a detector. Note that our model does not involve any user privacy information during its training and detection process. To evaluate the performance of the proposed model, we conduct experiments on a publicly available Andrubis dataset. Experimental results reveal that our method achieves 94.60% accuracy. Besides, our method is superior to a state-of-the-art method in terms of accuracy, precision, recall, and F1-score.

Shenglong Liu,Yuxiao Xia,Di Wang

DOI: https://doi.org/10.1109/access.2024.3376413

IF: 3.9

2024-03-27

IEEE Access

Abstract:In the era of mobile big data, smart mobile devices have become an integral part of our daily life, which brings many benefits to the digital society. However, their popularity and relatively lax security make them vulnerable to various cyber threats. Traditional network traffic analysis techniques utilizing pattern matching and regular expressions matching algorithms are becoming insufficient for mobile big data. Network traffic anomaly detection is an effective method to replace traditional methods. Network traffic anomaly detection can solve many new challenges brought by future network and protect the security of network. In this article, we propose a streaming network framework for mobile big data, referred to as SNMDF, which provides massive data traffic collection, processing, analysis, and updating functions, to cope with the tremendous amount of data traffic. In particular, by analyzing the specific characteristics of anomaly traffic data from flow and user behavior, our proposed SNMDF demonstrates its capability to offer real data-based advice to address new challenges for future wireless networks from the viewpoints of operators. Tested by real mobile big data, SNMDF has proven its efficiency and reliability. Furthermore, SNMDF is accessed for the digital twin of the space Internet, which validates that it can be generalized to other environments with massive data traffic or big data.

computer science, information systems,telecommunications,engineering, electrical & electronic

Man Li,Huachun Zhou,Yajuan Qin

DOI: https://doi.org/10.3390/s22072532

IF: 3.9

2022-01-01

Sensors

Abstract:5G technologies provide ubiquitous connectivity. However, 5G security is a particularly important issue. Moreover, because public datasets are outdated, we need to create a self-generated dataset on the virtual platform. Therefore, we propose a two-stage intelligent detection model to enable 5G networks to withstand security issues and threats. Finally, we define malicious traffic detection capability metrics. We apply the self-generated dataset and metrics to thoroughly evaluate the proposed mechanism. We compare our proposed method with benchmark statistics and neural network algorithms. The experimental results show that the two-stage intelligent detection model can distinguish between benign and abnormal traffic and classify 21 kinds of DDoS. Our analysis also shows that the proposed approach outperforms all the compared approaches in terms of detection rate, malicious traffic detection capability, and response time.