Liya Ding,Jilin Liu,Qubo Zhou,Rengrong Wang

DOI: https://doi.org/10.1117/12.473955

2003-01-01

Abstract:Automatic traffic analysis is very important in the modern world with heavy traffic. It can be achieved in numerous ways, among them, detection and analysis through video system, being able to provide affluent information and having little disturbance to the traffic, is an ideal choice. The proposed traffic vision analysis system uses Image Acquisition Card to capture real time images of the traffic scene through video camera, and then exploits the sequence of traffic scene and the image processing and analysis technique to detect the presence and movement of vehicles. First getting rid of the complex traffic background, which is always changing, the system segment each vehicle in the region the user interested. The system extracts features from each vehicle and tracks them through the image sequence. Combined with calibration, the system calculates information of the traffic, such as the speed of the vehicles, their types, the volume of flow, the traffic density, the waiting length of the lanes, the turning information of the vehicles, and so on. Traffic congestion and vehicles’ shadows are disturbing problems of the vehicle detection, segmentation and tracking. So we make great effort to investigate on methods to dealing with them.

Xin Wang,Shuhui Chen,Jinshu Su

DOI: https://doi.org/10.1155/2020/4707909

2020-02-19

Wireless Communications and Mobile Computing

Abstract:The proliferation of mobile devices over recent years has led to a dramatic increase in mobile traffic. Demand for enabling accurate mobile app identification is coming as it is an essential step to improve a multitude of network services: accounting, security monitoring, traffic forecasting, and quality-of-service. However, traditional traffic classification techniques do not work well for mobile traffic. Besides, multiple machine learning solutions developed in this field are severely restricted by their handcrafted features as well as unreliable datasets. In this paper, we propose a framework for real network traffic collection and labeling in a scalable way. A dedicated Android traffic capture tool is developed to build datasets with perfect ground truth. Using our established dataset, we make an empirical exploration on deep learning methods for the task of mobile app identification, which can automate the feature engineering process in an end-to-end fashion. We introduce three of the most representative deep learning models and design and evaluate our dedicated classifiers, namely, a SDAE, a 1D CNN, and a bidirectional LSTM network, respectively. In comparison with two other baseline solutions, our CNN and RNN models with raw traffic inputs are capable of achieving state-of-the-art results regardless of TLS encryption. Specifically, the 1D CNN classifier obtains the best performance with an accuracy of 91.8% and macroaverage F -measure of 90.1%. To further understand the trained model, sample-specific interpretations are performed, showing how it can automatically learn important and advanced features from the uppermost bytes of an app’s raw flows.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yiming Zhang,Baojun Liu,Chaoyi Lu,Zhou Li,Haixin Duan,Shuang Hao,Mingxuan Liu,Ying Liu,Dong Wang,Qiang Li

DOI: https://doi.org/10.1145/3372297.3417257

2020-01-01

Abstract:Fake base station (FBS) has been exploited by criminals to attack mobile users by spamming fraudulent messages for over a decade. Despite that prior work has proposed several techniques to mitigate this issue, FBS spam is still a long-standing challenging issue in some countries, such as China, and causes billions of dollars of financial loss every year. Therefore, understanding and exploring the thematic strategies in the FBS spam ecosystem at a large scale would improve the defense mechanisms. In this paper, we present the first large-scale characterization of FBS spam ecosystem by collecting three-month real-world FBS detection results. First, at "macro-level'', we uncover the characteristics of FBS spammers, including their business categories, temporal patterns and spatial patterns. Second, at "micro-level'', we investigate how FBS ecosystem is organized and how fraudulent messages are constructed by campaigns to trap users and evade detection. Collectively, the results expand our understanding of the FBS spam ecosystem and provide new insights into improved mitigation mechanisms for the security community.

Tiru Wu,Xi Xiao,Qing Li,Qixu Liu,Guangwu Hu,Xiapu Luo,Yong Jiang

DOI: https://doi.org/10.1109/secon58729.2023.10287511

2023-01-01

Abstract:With the increasing popularity of encryption pro-tocols in application and the rapid development of network applications, traffic classification has become a major challenge for mobile service providers. The failure of traditional classification methods and low classification accuracy are the problems that need to be solved urgently in traffic classification research. Therefore, we propose the scheme of BehavSniffer to sniff user behaviors from the encrypted traffic. The core idea is to propose Traffic Burst Graph (TBG) for extracting multidimensional features from bidirectional interactive data flows, and do feature fusion based on Kernel Principal Component Analysis (KPCA) and Deep Neural Network (DNN). In this way, BehavSniffer can learn both high and low-order combined structural features from traffic patterns of user behavior. Meanwhile, we propose the user behavior dataset, named WWT, from three widely used social media applications (WeChat, WhatsApp, Telegram). Experimental results show that BehavSniffer outperforms stateof-the-art methods, with AUC of 0.987 and accuracy of 99.8%, respectively.

Mao Tian,Peng Chang,Yafei Sang,Yongzheng Zhang,Shuhao Li

DOI: https://doi.org/10.1109/ict.2019.8798799

2019-04-01

Abstract:The expanding volume of HTTPS traffic (both legitimate and malicious) creates even more challenges for mobile network security and management. In this work, we propose AIBMF(Application Identification Based on Multi-view Features), a fine-grained approach to classify HTTPS traffic by their application type. The key idea of AIBMF is to combine three kinds of features—payload convolution features, packet size sequence and packet content type sequence. Based on these different view features, a deep learning model (using CNN, embedding and RNN) is constructed for HTTPS traffic identification task. To evaluate the effectiveness of AIBMF, we run a comprehensive set of experiments on a real-world dataset (about 100,000+ flows), which shows that our approach achieves 96.06% accuracy and outperforms the state-of-the-art method (3.6% on F1 score).

Lu Xing,Duan Haixin,Li Xing

DOI: https://doi.org/10.1109/ISCIT.2007.4392088

2007-01-01

Abstract:Identification of P2P traffic is very useful for many network management tasks such as application-specific traffic engineering, network planning and monitoring. However, this is a challenging issue because many P2P applications use dynamic port numbers, and deriving signatures that can he used for reliable detection manually is time consuming and difficult. In this paper, we propose a novel approach to detect P2P traffic without any application-specific signatures. It is based on the content redistribution characteristic of P2P protocol: every peer acts both as a server and a client, so it will redistribute the content received to other peers. To evaluate our approach, we use traces collected in our campus network and a signature-based classifier is also implemented. Experiment results show that the approach can be used to identify known and unknown P2P traffic with very low false positive rate, and achieves high accuracy when detecting P2P streaming traffic.

Rui Li,Xi Xiao,Shiguang Ni,Hai-Tao Zheng,Shu‐Tao Xia

DOI: https://doi.org/10.1109/iwqos.2018.8624128

2018-01-01

Abstract:Network traffic classification, which can map network traffic to protocols in the application layer, is a fundamental technique for network management and security issues such as Quality of Service, network measurement, and network monitoring. Recent researchers focus on extracting features for traditional machine learning methods from flows or datagrams of the specific protocol. However, as the rapid growth of network applications, previous works cannot handle complex novel protocols well. In this paper, we introduce the recurrent neural network to network traffic classification and design a novel neural network, the Byte Segment Neural Network (BSNN). BSNN treats network datagrams as input and gives the classification results directly. In BSNN, a datagram is firstly broken into serval byte segments. Then, these segments are fed to encoders which are based on the recurrent neural network. The information extracted by encoders is combined to a representation vector of the whole datagram. Finally, we apply the softmax function to use this vector for predicting the application protocol of this datagram. There are several key advantages of BSNN: 1) no need for prior knowledge of target applications; 2) can handle both connection-oriented protocols and connection-less protocols; 3) supports multi-classification for protocols; 4) shows outstanding accuracy in both traditional protocols and complex novel protocols. Our thorough experiments on real-world data with different protocols indicate that BSNN gains average F1-measure about 95.82% in multi-classification for five protocols including QQ, PPLive, DNS, 360 and BitTorrent. And it also shows excellent performance for detection of novel protocols. Furthermore, compared with two recent state-of-the-art works, BSNN has superiority over the traditional machine learning-based method and the packet inspection method.

Ping He,Xuhong Zhang,Changting Lin,Ting Wang,Shouling Ji

DOI: https://doi.org/10.1631/fitee.2300068

IF: 2.526

2024-03-24

Frontiers of Information Technology & Electronic Engineering

Abstract:Critical functionality and huge influence of the hot trend/topic page (HTP) in microblogging sites have driven the creation of a new kind of underground service called the bogus traffic service (BTS). BTS provides a kind of illegal service which hijacks the HTP by pushing the controlled topics into it for malicious customers with the goal of guiding public opinions. To hijack HTP, the agents of BTS maintain an army of black-market accounts called bogus traffic accounts (BTAs) and control BTAs to generate a burst of fake traffic by massively retweeting the tweets containing the customer desired topic (hashtag). Although this service has been extensively exploited by malicious customers, little has been done to understand it. In this paper, we conduct a systematic measurement study of the BTS. We first investigate and collect 125 BTS agents from a variety of sources and set up a honey pot account to capture BTAs from these agents. We then build a BTA detector that detects 162 218 BTAs from Weibo, the largest Chinese microblogging site, with a precision of 94.5%. We further use them as a bridge to uncover 296 916 topics that might be involved in bogus traffic. Finally, we uncover the operating mechanism from the perspectives of the attack cycle and the attack entity. The highlights of our findings include the temporal attack patterns and intelligent evasion tactics of the BTAs. These findings bring BTS into the spotlight. Our work will help in understanding and ultimately eliminating this threat.

engineering, electrical & electronic,computer science, information systems, software engineering

Hong Huang,Xingxing Zhang,Ye Lu,Ze Li,Shaohua Zhou

DOI: https://doi.org/10.32604/cmc.2024.047918

2024-01-01

Abstract:While encryption technology safeguards the security of network communications, malicious traffic also uses encryption protocols to obscure its malicious behavior. To address the issues of traditional machine learning methods relying on expert experience and the insufficient representation capabilities of existing deep learning methods for encrypted malicious traffic, we propose an encrypted malicious traffic classification method that integrates global semantic features with local spatiotemporal features, called BERT-based Spatio-Temporal Features Network (BSTFNet). At the packet-level granularity, the model captures the global semantic features of packets through the attention mechanism of the Bidirectional Encoder Representations from Transformers (BERT) model. At the byte-level granularity, we initially employ the Bidirectional Gated Recurrent Unit (BiGRU) model to extract temporal features from bytes, followed by the utilization of the Text Convolutional Neural Network (TextCNN) model with multi-sized convolution kernels to extract local multi-receptive field spatial features. The fusion of features from both granularities serves as the ultimate multidimensional representation of malicious traffic. Our approach achieves accuracy and F1-score of 99.39% and 99.40%, respectively, on the publicly available USTC-TFC2016 dataset, and effectively reduces sample confusion within the Neris and Virut categories. The experimental results demonstrate that our method has outstanding representation and classification capabilities for encrypted malicious traffic.

computer science, information systems,materials science, multidisciplinary

Qiuping Zhu,Dong Li,Yi Xin,Xiangzhan Yu,Guocai Mu

DOI: https://doi.org/10.1007/978-3-030-24268-8_9

2019-01-01

Abstract:With the rapid development of the Internet, the scale of Internet users has been expanding. At the same time, various mobile phone applications have emerged in an endless stream. While providing users with a variety of services, it also leads to the difficulty of user identification. All those things bring new challenges to traffic identification. Based on the importance of Internet traffic identification for Internet management and security, this paper describes the classification methods and problems faced by Internet traffic identification. Moreover, current work about user-related and application-related traffic identification methods is summarized and analyzed. At the end of this article, we will discuss the future research prospects of traffic identification and summarize the content of the article.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1109/glocom.2008.ecp.475

2008-01-01

Abstract:Accurate and fast identification of network traffic is an important element of many network management tasks such as QoS provisioning and security monitoring. However, as many newly-emerged Peer-to-Peer (P2P) applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, the classical approaches based on port mapping and payload analysis are ineffective. An alternative approach is to classify traffic by distinguishing the behavior of an application within the first few packets of TCP connection. We pursue this approach and demonstrate that information of few packets is enough to effectively identify P2P traffic. In our work, C4.5 decision tree and REPTree are evaluated and compared with the previously used clustering method K-Means. Experimental results show that our approaches outperform K- Means algorithm in accuracy. In addition, the proposed approaches can accommodate known and unknown P2P traffic and even encrypted traffic in fast and accurate way, which ensures the real-time applications on the Internet traffic surveillance and QoS provisioning.

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Zhen Li,Yahui Yang,Guangxing Zhang,Guangcheng Qin

DOI: https://doi.org/10.1109/ICACTE.2010.5579256

2010-01-01

Abstract:Identifying heavy hitters is essential for network monitoring, management, charging and etc. Existing methods in the literature have some limitations. How to reduce the memory consumption effectively without compromising identification accuracy is still challenging. In this paper, an adaptive method combining sampling and data streaming counting is proposed, called FSPLC(feedback sampling probabilistic lossy counting). Based on the history information in the flow counter table, FSPLC can adjust the sampling frequency dynamically, and also adapt to the real-time traffic changes. Comparison with state-of-the-art algorithms based on real Internet traces suggests that FSPLC is remarkably efficient and accurate. Experiment results show that FSPLC has 1) 60% lower memory consumption, 2) 15% smaller false-positive ratio.

Kun Wang,Guohai Xu,Chengyu Wang,Xiaofeng He

DOI: https://doi.org/10.1109/icbk.2017.50

2017-01-01

Abstract:Abnormal traffic is pervasive in the online advertising market. There are various cheating approaches while traditional anti-fraud methods are only effective for specific patterns. Combining the rule-based methods with supervised classification methods, we propose an abnormal traffic detection framework on both user layer and traffic layer. On the user layer, rule-based filters are designed to detect malicious users with duplicate clicks. We extract hybrid features under multi-granular time windows and train a user classifier to filter cheaters and complex spams indirectly. On traffic layer, we apply traffic filters to detect explicit fraudulent clicks and use a prediction model to detect malicious traffic with a higher precision. Extensive experiments on ground-truth data demonstrate the effectiveness of our detection method.

Shuang Zhao,Shuhui Chen,Fei Wang,Ziling Wei,Jincheng Zhong,Jianbing Liang

DOI: https://doi.org/10.1093/comjnl/bxad076

2023-08-02

The Computer Journal

Abstract:Abstract With Internet access shifting from desktop-driven to mobile-driven, application-level mobile traffic identification has become a research hotspot. Although considerable progress has been made in this research field, two obstacles are hindering its further development. Firstly, there is a lack of sharable labeled mobile traffic datasets. Although it is easy to capture mobile traffic, labeling traffic at the application level is non-trivial. Besides, researchers usually hold a conservative attitude toward publishing their datasets for privacy concerns. Secondly, most of the datasets used by existing studies are inadequate to evaluate the proposed methods, since they usually have the problems of inaccurate labels, small scale and simple collection configurations. To tackle these two obstacles, a mobile traffic collection is carried out in this paper. The collected traffic has the advantages of large-scale data size, accurate application-level labels and diverse collection configurations. Then, the collected traffic is anonymized carefully to make it public. Several mobile traffic identification methods are compared based on our anonymized dataset, which proves the applicability of our dataset.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Jian Zhang,Yan Tong,Tao Qin

DOI: https://doi.org/10.1145/3028842.3028867

2016-01-01

Abstract:With the increasing of the network bandwidth, users generate massive traffic data, how to extract the effective traffic features and achieve the goal of abnormal behavior detection is a hot and difficult problem in the area of network security monitoring. In this paper, several traffic features are proposed to capture the traffic characteristics, and then we employ the DBSCAN methods to realize abnormal traffic mining based on those features. We extract four traffic features to capture the traffic characteristics, including the ratio between number of source and destination IP addresses, ration between number of source port and destination port, ration between number of TCP packet and the total number of packets and that of number of small packets between the total number of package in a specific time window. Based on the feature extracted, we employ the DBSCAN method to cluster the network traffic in different clusters. Traffic packet in different clusters has different statistical characteristics, and the isolated points are employed to perform abnormal traffic detection. The implementation results based on traffic collect from our Lab show that proposed statistics features can capture traffic characteristics, and clustering method can classify the abnormal traffic packets into a special cluster.

Yu-gang Liu,Shuai Zheng,Xu-dong Xu,Tian-bi Wang,Jin-song Ye

DOI: https://doi.org/10.1061/jhtrcq.0000775

2021-01-01

Journal of Highway and Transportation Research and Development (English Edition)

Abstract:At present, the green channel policy is fully implemented. However, the detection is relatively lagging, and truck drivers are susceptible to fake the toll-free logistics vehicles (TFLVs), causing huge losses to the operation. In order to improve the accuracy and efficiency of TFLVs inspection, this paper establishes a toll evasion prediction model for fake TFLVs based on the historical TFLVs traffic dataset derived from the highway network toll collection system. First, according to the importance and reliability, we used the data mining technology to differentiate and extract the data attributes. And the spatiotemporal characteristics and other characteristics of fake TFLVs through-traffic entering and exiting toll booths are studied and analyzed based on the preprocessed data. This study then used the Borderline-SMOTE oversampling method to balance the pass data set and the ChiMerge algorithm to discretize continuous attributes. In order to ensure the effective matching and the correlation between the large contribution attributes and the results, correlation item test and collinearity test are used for discrete related attributes. Finally, adopting the processed discrete TFLVs data which passed correlation item test and collinearity test, and using the decision tree to establish the prediction model, the classification results of the escape behavior prediction model and other models are compared by using the historical TFLVs data set. The results show that the accuracy of the escape behavior prediction model proposed in this paper is 83.4%, which is higher than that of the Logistic regression model (61.8%) and the Random forest model (81%). This research model can effectively warn of fake TFLVs, and on the basis of simplifying the inspection process of TFLVs, can reduce the probability of the occurrence of fake TFLVs evasion, which has practical application significance.

Hui Liu,Wenfeng Feng,Yongfeng Huang,Xing Li

DOI: https://doi.org/10.1109/nas.2007.6

2007-01-01

Abstract:The use of peer-to-peer (P2P) applications is growing dramatically, which results in several serious problems such as the network congestion and traffic hindrance. In this paper, a method is', proposed to identify the P2P traffic based on the machine learning. The novelty of the proposed method is that it utilizes only the size of packets exchanged between IPs within seconds. By investigating the ratio between the upload and download traffic volume of several P2P applications, a characteristic library is constructed. Then the unknown network traffic can be recognized online using this library. The distinguished features of the proposed method lie in that fast computation, high identification accuracy, and resource-saving capability. Finally, experiment results show the satisfactory performance of the proposed method.