Jinhui Ning,Guan Gui,Yu Wang,Jie Yang,Bamidele Adebisi,Song Ci,Haris Gacanin,Fumiyuki Adachi

DOI: https://doi.org/10.1109/jiot.2021.3131981

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:Malware traffic classification (MTC) is a key technology for anomaly and intrusion detection in secure Industrial Internet of Things (IIoT). Traditional MTC methods based on port, payload, and statistic depend on the manual-designed features, which have low accuracy. Recently, deep-learning methods have attracted a significant attention due to their high accuracy in terms of classification. However, in practical application scenarios, deep-learning methods require a large amount of labeled samples for training, while the available labeled samples for training are very rare. Furthermore, the preparation of a large amount of labeled samples requires a lot of labor costs. To solve these problems, this article proposes three methods based on semisupervised learning (SSL), transfer learning (TL), and domain adaptive (DA), respectively. Our proposed methods use a large amount of unlabeled data collected in the Internet traffic, which can greatly improve the classification accuracy with few labeled samples. Then, we use the DA method to solve the mismatch problem between the source domain and the target domain in the TL process. The proposed method is not only applicable to the shallow network but also to the deep neural network structure, and can achieve better classification results. Experimental results show that our proposed methods can satisfy the requirement of MTC in the case of few labeled samples in IIoT. The source code for all the experiments is available at GitHub.The code of this article can be downloaded from GitHub link: https://github.com/yzjh/Keras-MTC-DA-Ladder.

Ke Xu,Xixi Zhang,Yu Wang,Tomoaki Ohtsuki,Bamidele Adebisi,Hikmet Sari,Guan Gui

DOI: https://doi.org/10.1109/jiot.2024.3357072

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Malware traffic classification (MTC) is one of the important techniques to ensure the security of cyberspace, which aims to detect anomalies and classify different types of network traffic. Recently, MTC methods based on deep learning (DL) have shown their excellent performance. However, these DL-based methods rely on datasets with manually labeled samples for training, which are costly and hard to obtain. To address this problem, this paper proposes a novel self-supervised MTC method based on the framework of masked auto-encoder (MAE). Specifically, MAE first constructs a reasonable unsupervised pretext task with a random masking strategy, which reduces the redundant information in samples and speeds up the pre-training process. The transformer-based backbone network then efficiently extracts features from the non-redundant traffic data efficiently. The proposed MTC-MAE method employs self-supervised learning on a large-scale unlabeled dataset to acquire unbiased features, and fine-tunes on specific datasets to adapt to diverse traffic classification scenarios. Simulation experiments show that our proposed MTC-MAE method is able to learn universal features with high quality and has excellent classification performance on various downstream datasets. The datasets we used, code implementation, and pre-trained models are available on GitHub.

computer science, information systems,telecommunications,engineering, electrical & electronic

Akbar Telikani,Amir H. Gandomi,Kim-Kwang Raymond Choo,Jun Shen

DOI: https://doi.org/10.1109/tnsm.2021.3112283

2022-03-01

IEEE Transactions on Network and Service Management

Abstract:Network traffic classification (NTC) plays an important role in cyber security and network performance, for example in intrusion detection and facilitating a higher quality of service. However, due to the unbalanced nature of traffic datasets, NTC can be extremely challenging and poor management can degrade classification performance. While existing NTC methods seek to re-balance data distribution through resampling strategies, such approaches are known to suffer from information loss, overfitting, and increased model complexity. To address these challenges, we propose a new cost-sensitive deep learning approach to increase the robustness of deep learning classifiers against the imbalanced class problem in NTC. First, the dataset is divided into different partitions, and a cost matrix is created for each partition by considering the data distribution. Then, the costs are applied to the cost function layer to penalize classification errors. In our approach, costs are diverse in each type of misclassification because the cost matrix is specifically generated for each partition. To determine its utility, we implement the proposed cost-sensitive learning method in two deep learning classifiers, namely: stacked autoencoder and convolution neural networks. Our experiments on the ISCX VPN-nonVPN dataset show that the proposed approach can obtain higher classification performance on low-frequency classes, in comparison to three other NTC methods.

Xixi Zhang,Qin Wang,Maoyang Qin,Yu Wang,Tomoaki Ohtsuki,Bamidele Adebisi,Hikmet Sari,Guan Gui

DOI: https://doi.org/10.1109/tifs.2024.3396624

IF: 7.231

2024-05-14

IEEE Transactions on Information Forensics and Security

Abstract:Malware traffic classification (MTC) is one of the important research topics in the field of cyber security. Existing MTC methods based on deep learning have been developed based on the assumption of enough high-quality samples and powerful computing resources. However, both are hard to obtain in real applications especially in availability of IoT. In this paper, we propose a few-shot MTC (FS-MTC) method combining knowledge transfer and neural architecture search (i.e. NAS-based FS-MTC) with limited training samples as well as acceptable computational resources, in order to mitigate the identified challenges. Specifically, our proposed method first converts the raw network traffic into traffic images through data pre-processing to serve as input data for the neural network. Second, we use neural architecture search to adaptively search for the effective feature extraction model on the source domain (including Edge-IIoTset, Bot-IoT, and benign USTC-TFC2016). Third, the searched model is pre-trained on source task to achieve the generic feature representation of malware traffic. Finally, we only use few-shot malware traffic samples to fine-tune the pre-trained model to quickly adapt to new types of MTC tasks in realistic network environments. The experimental results show that the proposed NAS-based FS-MTC method has great scalability and classification performance in different FS-MTC tasks, including 5-way K-shot USTC-TFC2016 dataset and 10-way K-shot CIC-IoT dataset. Compared with state-of-the-art methods in the field of malware classification, the proposed NAS-based FS-MTC has higher classification accuracy. Especially in the 1-shot case of the USTC-TFC2016 dataset, its average accuracy is as high as 86.91%.

computer science, theory & methods,engineering, electrical & electronic

Ming Liu,Qichao Yang,Wenqing Wang,Shengli Liu

DOI: https://doi.org/10.3390/s24206507

IF: 3.9

2024-10-11

Sensors

Abstract:The exponential growth of encrypted network traffic poses significant challenges for detecting malicious activities online. The scale of emerging malicious traffic is significantly smaller than that of normal traffic, and the imbalanced data distribution poses challenges for detection. However, most existing methods rely on single-category features for classification, which struggle to detect covert malicious traffic behaviors. In this paper, we introduce a novel semi-supervised approach to identify malicious traffic by leveraging multimodal traffic characteristics. By integrating the sequence and topological information inherent in the traffic, we achieve a multifaceted representation of encrypted traffic. We design two independent neural networks to learn the corresponding sequence and topological features from the traffic. This dual-feature extraction enhances the model's robustness in detecting anomalies within encrypted traffic. The model is trained using a joint strategy that minimizes both the reconstruction error from the autoencoder and the classification loss, allowing it to effectively utilize limited labeled data alongside a large amount of unlabeled data. A confidence-estimation module enhances the classifier's ability to detect unknown attacks. Finally, our method is evaluated on two benchmark datasets, UNSW-NB15 and CICIDS2017, under various scenarios, including different training set label ratios and the presence of unknown attacks. Our model outperforms other models by 3.49% and 5.69% in F1 score at labeling rates of 1% and 0.1%, respectively.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

R. E. Davis,Jingsheng Xu,Kaushik Roy

DOI: https://doi.org/10.1109/access.2024.3391022

IF: 3.9

2024-04-30

IEEE Access

Abstract:Network traffic classification plays a crucial role in detecting malware threats. However, most existing research focuses on extracting statistical features from the network traffic, ignoring the rich information contained within raw packet capture (pcap) files. To achieve higher accuracy in malware traffic classification, a novel approach is proposed that fully utilizes the information contained in the pcap files by representing them with images and then training deep Convolutional Neural Networks (CNN) to learn the features automatically and classify them with higher accuracy. Selected fields of the IP headers in network sessions are transformed into RGB images. These images serve as input to CNN, and malware samples are grouped by class or malware name. The model is initially trained and validated on the MCFP dataset with more than 140 malware classes and subsequently tested on separate datasets, namely USTC-TFC2016, Taltech.ee MedBIoT, and IEEE-Mirai. The macro F1 scores and accuracy of this method are significantly higher than the baseline statistical-feature based approach both in the validation dataset and in the test datasets from different sources. The results of this research have the potential to be extended beyond malware classification to enable the classification of various types of network traffic data.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yantian Luo,Hancun Sun,Xu Chen,Ning Ge,Wei Feng,Jianhua Lu

DOI: https://doi.org/10.23919/jcc.fa.2022-0783.202304

2023-01-01

China Communications

Abstract:In the upcoming large-scale Internet of Things (IoT), it is increasingly challenging to defend against malicious traffic, due to the heterogeneity of IoT devices and the diversity of IoT communication protocols. In this paper, we propose a semi-supervised learning-based approach to detect malicious traffic at the access side. It overcomes the resource-bottleneck problem of traditional malicious traffic defenders which are deployed at the victim side, and also is free of labeled traffic data in model training. Specifically, we design a coarse-grained behavior model of IoT devices by self-supervised learning with unlabeled traffic data. Then, we fine-tune this model to improve its accuracy in malicious traffic detection by adopting a transfer learning method using a small amount of labeled data. Experimental results show that our method can achieve the accuracy of 99.52% and the F1-score of 99.52% with only 1% of the labeled training data based on the CICDDoS2019 dataset. Moreover, our method outperforms the state-of-the-art supervised learning-based methods in terms of accuracy, precision, recall and F1-score with 1% of the training data.

Kamal Upreti,Varatharaj Myilsamy,Dinesh Rajassekharan,Chhote Lal Prasad Gupta,Dilip Kumar Sharma,Mohanraj Elangovan

DOI: https://doi.org/10.1109/ICCSAI59793.2023.10421081

2023-11-23

Abstract:Classifying malicious traffic in Wireless Sensor Networks (WSNs) is crucial for maintaining the network's security and dependability. Traditional security techniques are challenging to deploy in WSNs because they comprise tiny, resourceconstrained components with limited processing and energy capabilities. On the other hand, machine learning-based techniques, such as Deep Learning (DL) models like LSTMs, may be used to detect and categorize fraudulent traffic accurately. The classification of malicious traffic in WSNs is crucial because of security. To protect the network's integrity, data, and performance and ensure the system functions properly and securely for its intended use, hostile traffic categorization in WSNs is essential. Classifying malicious communication in a WSN using a Long Short-Term Memory (LSTM) is efficient. WSNs are susceptible to several security risks, such as malicious nodes or traffic that can impair network performance or endanger data integrity. In sequential data processing, LSTM is a Recurrent Neural Network (RNN) appropriate for identifying patterns in network traffic data.

Engineering,Computer Science

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Gueltoum Bendiab,Stavros Shiaeles,Abdulrahman Alruban,Nicholas Kolokotronis

DOI: https://doi.org/10.1109/NetSoft48620.2020.9165381

2020-10-05

Abstract:With the increase of IoT devices and technologies coming into service, Malware has risen as a challenging threat with increased infection rates and levels of sophistication. Without strong security mechanisms, a huge amount of sensitive data is exposed to vulnerabilities, and therefore, easily abused by cybercriminals to perform several illegal activities. Thus, advanced network security mechanisms that are able of performing a real-time traffic analysis and mitigation of malicious traffic are required. To address this challenge, we are proposing a novel IoT malware traffic analysis approach using deep learning and visual representation for faster detection and classification of new malware (zero-day malware). The detection of malicious network traffic in the proposed approach works at the package level, significantly reducing the time of detection with promising results due to the deep learning technologies used. To evaluate our proposed method performance, a dataset is constructed which consists of 1000 pcap files of normal and malware traffic that are collected from different network traffic sources. The experimental results of Residual Neural Network (ResNet50) are very promising, providing a 94.50% accuracy rate for detection of malware traffic.

Cryptography and Security,Machine Learning

Guang-Lu Sun,Yibo Xue,Yingfei Dong,Dongsheng Wang,Chenglong Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5683649

2010-01-01

Abstract:Classifying encrypted traffic is critical to effective network analysis and management. While traditional payload- based methods are powerless to deal with encrypted traffic, machine learning methods have been proposed to address this issue. However, these methods often bring heavy overhead into the system. In this paper, we propose a hybrid method that combines signature-based methods and statistical analysis methods to address this issue. We first identify SSL/TLS traffic with signature matching methods, and then apply statistical analysis to determine concrete application protocols. Our experimental results show that the proposed method is able to recognize over 99% of SSL/TLS traffic and achieve 94.52% in F-score for protocols identification.

Zhaolei Shi,Nurbol Luktarhan,Yangyang Song,Huixin Yin

DOI: https://doi.org/10.3390/e25050821

IF: 2.738

2023-05-20

Entropy

Abstract:Traffic classification is the first step in network anomaly detection and is essential to network security. However, existing malicious traffic classification methods have several limitations; for example, statistical-based methods are vulnerable to hand-designed features, and deep learning-based methods are vulnerable to the balance and adequacy of data sets. In addition, the existing BERT-based malicious traffic classification methods only focus on the global features of traffic and ignore the time-series features of traffic. To address these problems, we propose a BERT-based Time-Series Feature Network (TSFN) model in this paper. The first is a Packet encoder module built by the BERT model, which completes the capture of global features of the traffic using the attention mechanism. The second is a temporal feature extraction module built by the LSTM model, which captures the time-series features of the traffic. Then, the global and time-series features of the malicious traffic are incorporated together as the final feature representation, which can better represent the malicious traffic. The experimental results show that the proposed approach can effectively improve the accuracy of malicious traffic classification on the publicly available USTC-TFC dataset, reaching an F1 value of 99.50%. This shows that the time-series features in malicious traffic can help improve the accuracy of malicious traffic classification.

physics, multidisciplinary

Jinghong Lan,Xudong Liu,Bo Li,Yanan Li,Tongtong Geng

DOI: https://doi.org/10.1016/j.cose.2022.102663

2022-05-01

Abstract:Darknet traffic classification is crucial for identifying anonymous network applications and defensing cyber crimes. Although notable research efforts have been dedicated to classifying darknet traffic by combining machine learning algorithms and elaborately designed features, current methods either heavily depend on hand-crafted features or overlook the global intrinsic relationships among the local features automatically extracted from different data positions, leading to limited classification performance. To tackle this issue, we propose DarknetSec, a novel self-attentive deep learning method for darknet traffic classification and application identification. Concretely, DarknetSec utilizes a cascaded model with a 1-dimensional Convolutional Neural Network (1D CNN) and a bidirectional Long Short-Term Memory (Bi-LSTM) network to capture local spatial-temporal features from the payload content of packets, while the self-attention mechanism is integrated into the abovementioned feature extraction network to mine the intrinsic relationships and hidden connections among the previously extracted content features. In addition, DarknetSec extracts side-channel features from payload statistics to enhance its classification performance. We evaluate DarknetSec on the CICDarknet2020 dataset, which is a representative of darknet traffic covering both Virtual Private Network (VPN) and The Onion Router (Tor) applications. Thorough experiments show that DarknetSec is superior to other state-of-the-art methods, achieving a multiclass accuracy of 92.22% and a macro-F1-score of 92.10%. Additionally, DarknetSec maintains its high accuracy when applied to other encrypted traffic classification tasks.

computer science, information systems

Chuanyu Zhao,Shudong Li,Xiaobo Wu,Weihong Han,Zhihong Tian,Maofei Chen

DOI: https://doi.org/10.1109/dsc53577.2021.00097

2021-01-01

Abstract:The number of malware attacks that use encrypted HTTP traffic to self-propagate or communicate has increased dramatically in recent years. Traditional network traffic detection methods for non-encrypted traffic are difficult to be applied to encrypted traffic detection. While encryption is good for protecting users' privacy, it also comes with a security risk: malicious traffic may hide in encrypted traffic, leading to a series of security problems. Since the encrypted payload cannot be directly observed and it is large, we need to combine domain knowledge and machine learning method to excavate the features hidden in malicious traffic, so as to realize automatic detection of malicious traffic. In this paper, we propose a malicious traffic detection framework based on ensemble learning using the encrypted traffic from real malware, including normal traffic generated by 3000 normal hosts and malicious traffic generated by 3000 malware-infected hosts, provided by DATACON2020 competition. Considering the complexity to decrypt traffic, we use statistical features and sequence features in both flow-level and in host-level perspectives to describe encrypted traffic. Then we build multiple classifiers according to heterogeneous features. Finally we do majority voting to get final result. We achieve 95.0% TPR and 8.4% FPR.

Cynthia J,

DOI: https://doi.org/10.55041/ijsrem24715

2023-07-07

INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT

Abstract:Encrypted data that is sent over Tor or a VPN is referred to as "darknet traffic." In order to identify network activity brought on by a cyberattack, it is crucial to be able to recognise, find, and explain darknet activities. Cyberattacks that pose a serious danger to network security and management can be effectively observed through darknet monitoring and classification. Despite the fact that many surveys were conducted on network traffic classification using machine learning techniques, only a small number of researchers have the means to review their work on classifying network traffic using deep learning techniques. In this article, we introduce a novel idea for research on the classification of malware used in darknet traffic that uses Deep Learning techniques, which will aid researchers in improving their surveys. First, based on the survey, we chose a few techniques, including Deep Neural Network (DNN), Convolution Neural Network (CNN), Recurrent Neural Network (RNN), and AutoEncoder (AE) that have proven to be more effective in recent study. Second, the dataset CIC-DarkNet-2020, which contains a variety of darknet activities including VPN and TOR traffic, is used to develop the models. Finally, after analysing the information, we discovered the best Deep Learning Model for classifying Darknet traffic, which has the potential to enhance the efficiency of malware variant detection using constrained system and network resources. Index Terms – Darknet, DNN, CNN, RNN, AE, Deep Learning, Classifying Darknet.

Liting Deng,Chengli Yu,Hui Wen,Mingfeng Xin,Yue Sun,Limin Sun,Hongsong Zhu

DOI: https://doi.org/10.1007/s11036-024-02383-z

2024-08-31

Mobile Networks and Applications

Abstract:Malware has now grown into one of the most important threats on the Internet. To meet this challenge, researchers regard malware classification as an effective method in malware analysis, which can classify the malicious samples with similar features into the same family. Although machine learning based malware classification models have great performance, they rely heavily on large-scale labeled datasets. In the real world, many malware families only have a small number of samples, which makes the traditional data-driven models perform poor results. In this paper, we propose an attention-based transductive learning network to solve the problem. In order to extract features, our approach first converts malware binaries into gray-scale images, and encodes them into feature maps using an embedding function. Then, we build a Gaussian similarity graph based on attention mechanism to transfer information from labeled instances to unknown instances. Through the end-to-end training, we demonstrate the effectiveness of the proposed approach on a malware dataset containing 11,236 samples with 30 different malware families. Comparing with state-of-the-art approaches, the experimental results show that our approach achieves a better performance.

computer science, information systems,telecommunications, hardware & architecture

Didier Frank Isingizwe,Meng Wang,Wenmao Liu,Dongsheng Wang,Tiejun Wu,Jun Li

DOI: https://doi.org/10.1109/icct52962.2021.9658106

2021-01-01

Abstract:Malware traffic classification is an essential pillar of network intrusion detection systems. The explosive growth of traffic encryption makes it infeasible to classify malware traffic with port-based or signature-based approaches. Nowadays, researchers and industrial developers turn to learning-based approaches for encrypted malware traffic classification, mining the statistical patterns of traffic behaviors. However, different machine learning models with different hyper-parameters can be used, and one can hardly explain why a learning approach works or not. To alleviate this problem, this paper conducts encrypted malware traffic classification with the automated machine learning (AutoML) approach which contains 7 representative models in the pipeline and realizes automated hyper-parameter tuning and model assembling. Experimenting on real-world encrypted malware traffic, this paper analyzes the performance of the ensemble model of AutoML and how each model performs in detail to understand its contribution. Moreover, the analysis of AutoML feature selection shows discriminant features on encrypted malware traffic especially TLS metadata related. The concrete experiments and analysis give insight to the following studies on encrypted malware traffic classification.

Jianying Zhou,Xiapu Luo,Qingni Shen,Zhen Xu

DOI: https://doi.org/10.1007/978-3-030-41579-2

2020-01-01

Abstract:Automated malware classification using deep learning techniques has been widely researched in recent years. However, existing studies addressing this problem are always based on the assumption of closed world, where all the categories are known and fixed. Thus, they lack robustness and do not have the ability to recognize novel malware instances. In this paper, we propose a prototype-based approach to perform robust malware traffic classification with novel class detection. We design a new objective function where a distance based cross entropy (DCE) loss term and a metric regularization (MR) term are included. The DCE term ensures the discrimination of different classes, and the MR term improves the within-class compactness and expands the betweenclass separateness in the deeply learned feature space, which enables the robustness of novel class detection. Extensive experiments have been conducted on datasets with real malware traffic. The experimental results demonstrate that our proposed approach outperforms the existing methods and achieves state-of-the-art results.

Jiaqi Yan,Guanhua Yan,Dong Jin

DOI: https://doi.org/10.1109/dsn.2019.00020

2019-01-01

Abstract:Malware have been one of the biggest cyber threats in the digital world for a long time. Existing machine learning based malware classification methods rely on handcrafted features extracted from raw binary files or disassembled code. The diversity of such features created has made it hard to build generic malware classification systems that work effectively across different operational environments. To strike a balance between generality and performance, we explore new machine learning techniques to classify malware programs represented as their control flow graphs (CFGs). To overcome the drawbacks of existing malware analysis methods using inefficient and nonadaptive graph matching techniques, in this work, we build a new system that uses deep graph convolutional neural network to embed structural information inherent in CFGs for effective yet efficient malware classification. We use two large independent datasets that contain more than 20K malware samples to evaluate our proposed system and the experimental results show that it can classify CFG-represented malware programs with performance comparable to those of the state-of-the-art methods applied on handcrafted malware features.

Jiayin Feng,Limin Shen,Zhen Chen,Yuying Wang,Hui Li

DOI: https://doi.org/10.1109/access.2020.3008081

IF: 3.9

2020-01-01

IEEE Access

Abstract:Because of the characteristic of openness and flexibility, Android has become the most popular mobile platform. However, it has also become the most targeted system by mobile malware. It is necessary for the users to have a fast and reliable detection method. In this paper, a two-layer method is proposed to detect malware in Android APPs. The first layer is permission, intent and component information based static malware detection model. It combines the static features with fully connected neural network to detect the malware and test its effectiveness through experiment, the detection rate of the first layer is 95.22%. Then the result (benign APPs from the first layer) is input into the second layer. In the second layer, a new method CACNN which cascades CNN and AutoEncoder, is used to detect malware through network traffic features of APPs. The detection rate of the second layer is 99.3% in binary classification (2-classifier). Moreover, the new two-layer model can also detect malware by its category (4-classifier) and malicious family (40-classifier). The detection rates are 98.2% and 71.48% respectively. The experimental results show that our two-layer method not only can achieve semi-supervise learning, but also can effectively improve the detection rate of malicious Android APPs.