Kunlin Li,Baojiang Cui

DOI: https://doi.org/10.1007/978-3-030-79728-7_20

2021-06-24

Abstract:With the increasing popularity of traffic encryption protocols such as SSL/TLS, attacks based on encrypted traffic are more and more rampant, so does the need to inspect all SSL traffic. At present, the methods based on feature engineering and the methods based on deep learning and representation learning are the research hot-spots. In this paper, a new method of encrypted malicious traffic identification is proposed, which is based on deep learning and four- tuple feature. The unit of traffic identification is flow four-tuple. We extract 3 types of features which are statistical feature, handshake byte stream feature, and application data size sequence feature. We design different deep learning models to deal with various features and work together in traffic identification. We used the CTU Malware dataset to experiment. The results show that the accuracy of our method can reach 98.31%, which is better than that of other methods using four-tuple as the unit of flow identification and experimenting on the CTU Malware dataset.

Zhou Zhihong,Bin Hu,Li Jianhua,Yin Ying,Chen Xiuzhen,Ma Jin,Yao Lihong

DOI: https://doi.org/10.1007/s11416-022-00429-y

2022-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:As network traffic is increasingly valued for privacy protection and the encrypted SSL/TLS (Secure Sockets Layer/Transport Layer Security) traffic is surging, more and more malicious behaviors are hidden in it. Current detection methods are less accurate in detecting new and unknown malicious traffic. Although the method based on the supervised machine learning model has excellent accuracy performance, it has low detection strength and poor scalability for new and unknown malicious traffic. Therefore, this paper proposes a malicious SSL/TLS traffic detection method based on feature adaptive learning. The model can automatically learn key classification information from the unmarked malicious SSL/TLS encrypted traffic, and uses the 5-Tuple-Masking technology to optimize the input data, which greatly enhances the model's adaptation ability to new malicious traffic in complex network environments. After experimental verification, its comprehensive accuracy rate reaches 89.25%. Moreover, the supervised convolutional neural network detection method is used to compare and test the feasibility of this model in the field of malicious SSL/TLS traffic detection.

Yong Fang,Yijia Xu,Cheng Huang,Liang Liu,Lei Zhang

DOI: https://doi.org/10.1007/978-981-32-9343-4_10

2020-01-01

Abstract:It has become a significant research direction to resist cyberattacks through traffic identification technology. Traditional traffic identification technology is often based on network port or feature matching, which has become inefficient in the increasingly complex network environment. Nowadays, the malicious cyberattacks usually encrypt their traffic to escape the traditional traffic identification, and the most common encryption method is the SSL/TLS encryption. In response to this phenomenon, this paper proposes an encrypted malicious traffic identification method based on the random forest, which uses features based on packet information, time, TCP Flags field, and application layer payload information. We designed the technology and application framework to ensure the success of the experiment and collected a large amount of SSL/TLS encrypted traffic as datasets. Benefit from model optimization by parameter adjusting, the experimental results showed that final model had highly accurate and predictive ability.

Yueping Hong,Qi Li,Yanqing Yang,Meng Shen

DOI: https://doi.org/10.1016/j.ins.2023.119229

IF: 8.1

2023-06-02

Information Sciences

Abstract:At present, the TLS cryptographic protocol is widely deployed. While protecting the security and integrity of transmitted information, it also makes the detection of malicious behavior more difficult. In recent years, researchers have proposed many encrypted malicious traffic detection methods. However, the existing approaches have some shortcomings. Firstly, although researchers have extracted multi-view features from different aspects, which can be divided into vectorized features based on feature engineering and image features based on original data, existing methods cannot fully integrate the features of different forms of expression. Secondly, most of the existing methods do not fully analyze the correlation between different encrypted traffic. Thirdly, the existing methods based on correlation analysis have low processing efficiency and cannot be applied to real networks. In the paper, we present MalDiscovery , a novel technique to discover encrypted malicious traffic to address all the above issues. For encrypted malicious traffic, MalDiscovery constructs an attribute KNN graph, in which encrypted sessions are used as nodes to construct a KNN graph according to the similarity of image features, and vectorized features are used as attributes of corresponding nodes. After that, the GraphSAGE model is used to collect relevant node information through correlation analysis to enrich the embeddings of each node. Finally, we achieve the accurate binary classification of nodes in the graph based on richer embeddings. We use extensive experiments to evaluate the proposed method, and the experiment results show that MalDiscovery can achieve an accuracy of about 99.9%, significantly outperforming all compared methods.

computer science, information systems

Ming Liu,Qichao Yang,Wenqing Wang,Shengli Liu

DOI: https://doi.org/10.3390/s24206507

IF: 3.9

2024-10-11

Sensors

Abstract:The exponential growth of encrypted network traffic poses significant challenges for detecting malicious activities online. The scale of emerging malicious traffic is significantly smaller than that of normal traffic, and the imbalanced data distribution poses challenges for detection. However, most existing methods rely on single-category features for classification, which struggle to detect covert malicious traffic behaviors. In this paper, we introduce a novel semi-supervised approach to identify malicious traffic by leveraging multimodal traffic characteristics. By integrating the sequence and topological information inherent in the traffic, we achieve a multifaceted representation of encrypted traffic. We design two independent neural networks to learn the corresponding sequence and topological features from the traffic. This dual-feature extraction enhances the model's robustness in detecting anomalies within encrypted traffic. The model is trained using a joint strategy that minimizes both the reconstruction error from the autoencoder and the classification loss, allowing it to effectively utilize limited labeled data alongside a large amount of unlabeled data. A confidence-estimation module enhances the classifier's ability to detect unknown attacks. Finally, our method is evaluated on two benchmark datasets, UNSW-NB15 and CICIDS2017, under various scenarios, including different training set label ratios and the presence of unknown attacks. Our model outperforms other models by 3.49% and 5.69% in F1 score at labeling rates of 1% and 0.1%, respectively.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jiangang Hou,Tong Jiang,Yanmiao Li,Hao Guo,Zhen Zhang,Zhi Liu

DOI: https://doi.org/10.1109/CCCI52664.2021.9583191

2021-10-15

Abstract:With more and more encrypted traffic such as HTTPS, encrypted traffic protects not only normal traffic, but also malicious traffic. Identification of encrypted malicious traffic without decryption has become a research hotspot. Combined with deep learning, an important branch of machine learning, encrypted malicious traffic detection has achieved good results. This paper reviews the detection of encrypted malicious traffic in recent years. Firstly, we classify encrypted malicious traffic. Secondly, we sorts out the extraction characteristics of encrypted malicious traffic, the key and difficult problems we are facing at present. Then, with encrypted malicious traffic detection technology as the main line, we summarized the current detection model from the four core aspects of data collection, data processing, model training and evaluation improvement. Finally, we analyze the problems and point out future research directions.

Computer Science

Jinfu Chen,Luo Song,Saihua Cai,Haodi Xie,Shang Yin,Bilal Ahmad

DOI: https://doi.org/10.1145/3613960

IF: 2.717

2023-08-07

ACM Transactions on Privacy and Security

Abstract:In recent years, the use of TLS (Transport Layer Security) protocol to protect communication information has become increasingly popular as users are more aware of network security. However, hackers have also exploited the salient features of the TLS protocol to carry out covert malicious attacks, which threaten the security of network space. Currently, the commonly used traffic detection methods are not always reliable when applied to the problem of encrypted malicious traffic detection due to their limitations. The most significant problem is that these methods do not focus on the key features of encrypted traffic. To address this problem, this study proposes an efficient detection model for encrypted malicious traffic based on transport layer security protocol and a multi-head self-attention mechanism called TLS-MHSA. Firstly, we extract the features of TLS traffic during pre-processing and perform traffic statistics to filter redundant features. Then, we use a multi-head self-attention mechanism to focus on learning key features as well as generate the most important combined features to construct the detection model, thereby detecting the encrypted malicious traffic. Finally, we use a public dataset to verify the effectiveness and efficiency of the TLS-MHSA model, and the experimental results show that the proposed TLS-MHSA model has high precision, recall, F1-measure, AUC-ROC as well as higher stability than seven state-of-the-art detection models.

computer science, information systems

Xueqin Zhang,Min Zhao,Jiyuan Wang,Shuang Li,Yue Zhou,Shinan Zhu

DOI: https://doi.org/10.3390/electronics11070977

IF: 2.9

2022-03-22

Electronics

Abstract:The SSL/TLS protocol is widely used in data encryption transmission. Aiming at the problem of detecting SSL/TLS-encrypted malicious traffic with small-scale and unbalanced training data, a deep-forest-based detection method called DF-IDS is proposed in this paper. According to the characteristics of SSL/TSL protocol, the network traffic was split into sessions according to the 5-tuple information. Each session was then transformed into a two-dimensional traffic image as the input of a deep-learning classifier. In order to avoid information loss and improve the detection efficiency, the multi-grained cascade forest (gcForest) framework was simplified with only cascade structure, which was named cascade forest (CaForest). By integrating random forest and extra trees in the CaForest framework, an end-to-end high-precision detector for small-scale and unbalanced SSL/TSL encrypted malicious traffic was realized. Compared with other deep-learning-based methods, the experimental results showed that the detection rate of DF-IDS was 6.87% to 29.5% higher than that of other methods on a small-scale and unbalanced dataset. The advantage of DF-IDS was more obvious in the multi-classification case.

engineering, electrical & electronic,computer science, information systems,physics, applied

Rongfeng Zheng,Jiayong Liu,Kai Li,Shan Liao,Liang Liu

DOI: https://doi.org/10.1109/ICICN51133.2020.9205087

2020-01-01

Abstract:For highly camouflaged Command and Control (C&C) communications, especially those using the Transport Security Layer (TLS) protocol, traditional classifiers which only based on statistical features or TLS handshake features gradually fail to detect such behavior. In this context, exploring features of other dimensions to build a more targeted recognition model is one of the ways to alleviate this problem. This paper proposed a new method of detecting malicious TLS traffic by using the communication channel as the detection unit, and a new set of modeling features for the communication channel was designed, including distribution features, the consistency features and statistical features of TLS communication channel. Experiments show that compared with other two types of features, the consistency features contribute most, and combining these three types of features together can train a better classifier which the precision reaches 92.57%. Comparative experiments show that the proposed method is more advantageous when faced with highly camouflaged TLS flows because the proposed method also achieved highest F1 score, and the accuracy is about 2% higher than the classifier based on the TLS handshake features, and 12% higher than the clustering model based on the statistical features of flow.

Xiaodong Zang,Tongliang Wang,Xinchang Zhang,Jian Gong,Peng Gao,Guowei Zhang

DOI: https://doi.org/10.1016/j.comnet.2024.110598

IF: 5.493

2024-01-01

Computer Networks

Abstract:The focus on privacy protection has brought much-encrypted network traffic. However, attackers always abuse traffic encryption to conceal malicious behaviors. Although researchers have proposed several enlightening detection methods, they must enhance the generalization ability or improve detection performance. Our inspiration is that the packet header fields, as do the underlying grammatical rules for constructing sentences, have a strict order. We consider the original packet as text and devise a robust approach with natural language processing and a deep learning model to improve the generalization ability and detection performance. We capture the critical keywords as characteristic representations of the traffic and design an adaptive domain generalization algorithm with a new loss function. It is robust against various datasets by generating more malicious samples to augment the minority of malicious samples. Simultaneously, we design an efficient feature selection algorithm, which obtains an optimal feature subset and reduces feature dimensions by 75.3%. To evaluate our work, we conducted extensive experiments with open-source datasets (CICIDS 2017, CICDDoS 2019, and USTC-TFC 2016), the synthetic dataset from IoT-23, and Internet backbone traffic (CERNET). Experimental results demonstrate that our proposal improves detection accuracy by up to 22.8% compared to others not using domain generalization algorithms and achieves an average detection latency of 0.67 s in the backbone. Besides, our work applies to the Industrial Internet of Things (IIoT) environment. It can be deployed at edge nodes to provide network security support for IIoT devices.

Yong Fang,Kai Li,Rongfeng Zheng,Shan Liao,Yue Wang

DOI: https://doi.org/10.1016/j.comnet.2021.108297

IF: 5.493

2021-01-01

Computer Networks

Abstract:We present a novel method for detecting malicious TLS traffic based on communication channels that can detect deeply camouflaged malicious traffic. Moreover, we designed and extracted three types of channel features, namely, distribution features, consistency features of the Transport Layer Security (TLS) handshake field, and statistical features. Simultaneously, an efficacy feature selection method comprising a genetic algorithm is presented to obtain a global optimal feature subset, which reduces feature dimensions by 64% and increases accuracy by 1.5%. Comparison experiment results show that the proposed method possesses a more stable detection efficacy on different datasets with an accuracy of 97.65% and a much higher F1-score compared with other state-of-the-art classification methods.

Chuanyu Zhao,Shudong Li,Xiaobo Wu,Weihong Han,Zhihong Tian,Maofei Chen

DOI: https://doi.org/10.1109/dsc53577.2021.00097

2021-01-01

Abstract:The number of malware attacks that use encrypted HTTP traffic to self-propagate or communicate has increased dramatically in recent years. Traditional network traffic detection methods for non-encrypted traffic are difficult to be applied to encrypted traffic detection. While encryption is good for protecting users' privacy, it also comes with a security risk: malicious traffic may hide in encrypted traffic, leading to a series of security problems. Since the encrypted payload cannot be directly observed and it is large, we need to combine domain knowledge and machine learning method to excavate the features hidden in malicious traffic, so as to realize automatic detection of malicious traffic. In this paper, we propose a malicious traffic detection framework based on ensemble learning using the encrypted traffic from real malware, including normal traffic generated by 3000 normal hosts and malicious traffic generated by 3000 malware-infected hosts, provided by DATACON2020 competition. Considering the complexity to decrypt traffic, we use statistical features and sequence features in both flow-level and in host-level perspectives to describe encrypted traffic. Then we build multiple classifiers according to heterogeneous features. Finally we do majority voting to get final result. We achieve 95.0% TPR and 8.4% FPR.

Guang-Lu Sun,Yibo Xue,Yingfei Dong,Dongsheng Wang,Chenglong Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5683649

2010-01-01

Abstract:Classifying encrypted traffic is critical to effective network analysis and management. While traditional payload- based methods are powerless to deal with encrypted traffic, machine learning methods have been proposed to address this issue. However, these methods often bring heavy overhead into the system. In this paper, we propose a hybrid method that combines signature-based methods and statistical analysis methods to address this issue. We first identify SSL/TLS traffic with signature matching methods, and then apply statistical analysis to determine concrete application protocols. Our experimental results show that the proposed method is able to recognize over 99% of SSL/TLS traffic and achieve 94.52% in F-score for protocols identification.

Tangda Yu,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1109/cyberc.2019.00020

2019-01-01

Abstract:In recent years, with the widespread use of encrypted traffic communication technology, network traffic encryption has been gradually becoming a standard of communication. This phenomenon has a great impact on traditional traffic detection methods, especially on anomaly detection methods, which are highly dependent on the type of network protocol types and traffic data. By surveying the existing encrypted traffic classification and analyzing these methods, we found that there are two main methods for detection: payload-based detection and feature-based detection. On this basis, this paper puts forward an Encrypted Malicious Traffic Detection System which is based on multi-AEs(Autoencoder). We use malicious sandbox for traffic data collection, mark malicious flow and normal flow with labels. After that, we use multilayer networks of AEs for feature extraction and training classifier model. Our system analyzes the feature of cryptographic protocol from handshake phase to Authentication phase on the basis of existing research, and we extract the traffic feature for a better classification by further expanding flow feature vector to the higher dimensions. In addition, we compared the performance of our model with the traditional learning model under the same environment. The experimental results showed that our system had higher detection accuracy and lower loss rate. We also studied the influence of dataset imbalance on results in the detection of encrypted traffic by several experiments. According to the experimental evaluation, dataset imbalance will lead to the decrease of positive rate.

Xingwen Zhao,Han Zhang,Hui Li,Xuangui Chen

DOI: https://doi.org/10.1016/j.comnet.2024.110824

2024-01-01

Abstract:In the current network environment, an increasing amount of malicious traffic is transmitted through encrypted channels, carrying control commands and data. With the continuous development of communication protocols and applications, new types of malicious encrypted traffic are emerging, posing significant challenges for network management (e.g., traffic engineering). Therefore, accurately identifying malicious traffic in complex open network spaces has become a hot research topic in network security. In this study, we draw inspiration from channel theory in image science and innovatively convert traffic data into Red-Green-Blue (RGB) image format to achieve the fusion of multiple features. Inspired by image recognition technologies, we have designed a multi-granularity network model that integrates both global and local features, serving as our core network architecture. At the top of the model, we have equipped each known category with a unique autoencoder, using its generated manifold to replace traditional prototypes for model construction. Classification is accomplished through a scoring mechanism that evaluates category membership and by setting thresholds to achieve open set recognition of unknown categories. Relying on our self-created dataset,Malicious and Encrypted Traffic 2024 (MNET2024), we conduct a series of extensive experiments. The results demonstrate that our proposed method exhibits outstanding performance in both closed-set and open-set recognition tasks.

Hong Huang,Xingxing Zhang,Ye Lu,Ze Li,Shaohua Zhou

DOI: https://doi.org/10.32604/cmc.2024.047918

2024-01-01

Abstract:While encryption technology safeguards the security of network communications, malicious traffic also uses encryption protocols to obscure its malicious behavior. To address the issues of traditional machine learning methods relying on expert experience and the insufficient representation capabilities of existing deep learning methods for encrypted malicious traffic, we propose an encrypted malicious traffic classification method that integrates global semantic features with local spatiotemporal features, called BERT-based Spatio-Temporal Features Network (BSTFNet). At the packet-level granularity, the model captures the global semantic features of packets through the attention mechanism of the Bidirectional Encoder Representations from Transformers (BERT) model. At the byte-level granularity, we initially employ the Bidirectional Gated Recurrent Unit (BiGRU) model to extract temporal features from bytes, followed by the utilization of the Text Convolutional Neural Network (TextCNN) model with multi-sized convolution kernels to extract local multi-receptive field spatial features. The fusion of features from both granularities serves as the ultimate multidimensional representation of malicious traffic. Our approach achieves accuracy and F1-score of 99.39% and 99.40%, respectively, on the publicly available USTC-TFC2016 dataset, and effectively reduces sample confusion within the Neris and Virut categories. The experimental results demonstrate that our method has outstanding representation and classification capabilities for encrypted malicious traffic.

computer science, information systems,materials science, multidisciplinary

Sankalp Bagaria,R. Balaji,B. S. Bindhumadhava

DOI: https://doi.org/10.48550/arXiv.1705.09044

2017-05-25

Cryptography and Security

Abstract:TLS uses X.509 certificates for server authentication. A X.509 certificate is a complex document and various innocent errors may occur while creating/ using it. Also, many certificates belong to malicious websites and should be rejected by the client and those web servers should not be visited. Usually, when a client finds a certificate that is doubtful using the traditional tests, it asks for human intervention. But, looking at certificates, most people can't differentiate between malicious and non-malicious websites. Thus, once traditional certificate validation has failed, instead of asking for human intervention, we use machine learning techniques to enable a web browser to decide whether the server to which the certificate belongs to is malignant or not ie, whether the website should be visited or not. Once a certificate has been accepted in the above phase, we observe that the website may still turn out to be malicious. So, in the second phase, we download a part of the website in a sandbox without decrypting it and observe the TLS encrypted traffic (encrypted malicious data captured in a sandbox cannot harm the system). As the traffic is encrypted after Handshake is completed, traditional pattern-matching techniques cannot be employed. Thus we use flow features of the traffic along with the features used in the above first phase. We couple these features with the unencrypted TLS header information obtained during TLS Handshake and use these in a machine learning classifier to identify whether the traffic is malicious or not.

Fengrui Xiao,Feng Yang,Shuangwu Chen,Jian Yang

DOI: https://doi.org/10.1007/978-3-030-94029-4_1

2022-01-01

Abstract:Nowadays, network traffic detection plays a very important role in protecting cyberspace security, and more and more applications realize data privacy protection through encryption technology. Regular expression matching based methods, such as deep packet inspection that relies on plaintext traffic cannot be applied to detecting encrypted random communication content, and the existing detecting methods based on time-series features often ignore the encryption protocol features. In this work, we design an ensemble learning system based on stack algorithms to identify encrypted malicious traffic, which can detect the interactive behavior and the encryption protocols simultaneously. In detail, we construct a deep learning classifier based on Long Short-Term Memory (LSTM) for time-series features, and a machine learning classifier based on random forests for encryption protocol features. Then, we use the stacking algorithm in ensemble learning to combine them to form a new classifier. Finally, relying on the Datacon2020 dataset, extensive experiments are conducted. The experimental results indicate that the proposed method improves the detection rate of encrypted malicious traffic while keeping a low false positive rate.

Mao Tian,Peng Chang,Yafei Sang,Yongzheng Zhang,Shuhao Li

DOI: https://doi.org/10.1109/ict.2019.8798799

2019-04-01

Abstract:The expanding volume of HTTPS traffic (both legitimate and malicious) creates even more challenges for mobile network security and management. In this work, we propose AIBMF(Application Identification Based on Multi-view Features), a fine-grained approach to classify HTTPS traffic by their application type. The key idea of AIBMF is to combine three kinds of features—payload convolution features, packet size sequence and packet content type sequence. Based on these different view features, a deep learning model (using CNN, embedding and RNN) is constructed for HTTPS traffic identification task. To evaluate the effectiveness of AIBMF, we run a comprehensive set of experiments on a real-world dataset (about 100,000+ flows), which shows that our approach achieves 96.06% accuracy and outperforms the state-of-the-art method (3.6% on F1 score).