Jinfu Chen,Luo Song,Saihua Cai,Haodi Xie,Shang Yin,Bilal Ahmad

DOI: https://doi.org/10.1145/3613960

IF: 2.717

2023-08-07

ACM Transactions on Privacy and Security

Abstract:In recent years, the use of TLS (Transport Layer Security) protocol to protect communication information has become increasingly popular as users are more aware of network security. However, hackers have also exploited the salient features of the TLS protocol to carry out covert malicious attacks, which threaten the security of network space. Currently, the commonly used traffic detection methods are not always reliable when applied to the problem of encrypted malicious traffic detection due to their limitations. The most significant problem is that these methods do not focus on the key features of encrypted traffic. To address this problem, this study proposes an efficient detection model for encrypted malicious traffic based on transport layer security protocol and a multi-head self-attention mechanism called TLS-MHSA. Firstly, we extract the features of TLS traffic during pre-processing and perform traffic statistics to filter redundant features. Then, we use a multi-head self-attention mechanism to focus on learning key features as well as generate the most important combined features to construct the detection model, thereby detecting the encrypted malicious traffic. Finally, we use a public dataset to verify the effectiveness and efficiency of the TLS-MHSA model, and the experimental results show that the proposed TLS-MHSA model has high precision, recall, F1-measure, AUC-ROC as well as higher stability than seven state-of-the-art detection models.

computer science, information systems

Jiangang Hou,Tong Jiang,Yanmiao Li,Hao Guo,Zhen Zhang,Zhi Liu

DOI: https://doi.org/10.1109/CCCI52664.2021.9583191

2021-10-15

Abstract:With more and more encrypted traffic such as HTTPS, encrypted traffic protects not only normal traffic, but also malicious traffic. Identification of encrypted malicious traffic without decryption has become a research hotspot. Combined with deep learning, an important branch of machine learning, encrypted malicious traffic detection has achieved good results. This paper reviews the detection of encrypted malicious traffic in recent years. Firstly, we classify encrypted malicious traffic. Secondly, we sorts out the extraction characteristics of encrypted malicious traffic, the key and difficult problems we are facing at present. Then, with encrypted malicious traffic detection technology as the main line, we summarized the current detection model from the four core aspects of data collection, data processing, model training and evaluation improvement. Finally, we analyze the problems and point out future research directions.

Computer Science

HUO Yuehua,ZHAO Faqi,WU Wenhao

DOI: https://doi.org/10.13272/j.issn.1671-251x.17944

2022-01-01

Abstract:The coal mine network is faced with the threat of malicious traffic encrypted by the transport layer security protocol (TLS) generated by malicious software and the high false alarm rate of encrypted traffic during detection. In order to solve the above problems, a multi-feature fusion malicious traffic detection method for coal mine network TLS encryption is proposed. The characteristics of multiple and heterogeneous malicious traffic features of TLS encryption are analyzed. The connection features, metadata and TLS encrypted protocol handshake features of coal mine network TLS encrypted malicious traffic in the transmission process are extracted. A coal mine network TLS encrypted traffic characteristic set is constructed by using a flow fingerprint method. The features in the feature set are standardized, one-hot encoded and normalized, so as to obtain an efficient sample set. Five sub-models of decision tree (DT), K-nearest neighbor (KNN), Gaussian Naive Bayes (GNB), L2 logistic regression (LR) and stochastic gradient descent (SGD) classifiers were used to test the above feature sets. In order to improve the robustness of the detection model, combined with the principle of the voting method, five classifier sub-models are combined to construct a muti-model voting classifier (MVC) detection model. Five classifier sub-models are used as voters. Each classifier sub-model trains the sample set separately, and votes according to the principle of minority obeying majority to get the final prediction value of each sample. The experimental results show that the proposed feature set reduces the dimension of the sample set and improves the detection efficiency of TLS encrypted traffic. DT classifier and KNN classifier perform best on the data set, reaching more than 99% accuracy. But they have the risk of overfitting. Although the LR classifier and SGD classifier sub-models have also achieved recognition accuracy of more than 90%, the false positive rate of these two sub-models is too high. The GNB classifier sub-model performs the worst, with an accuracy of 82%. But it has the advantage of low false-positive rate. The accuracy and recall rate of that MVC detection model on a data set is more than 99%, the false alarm rate is 0.13%. The detection rate of encrypted malicious traffic is improved, and the false alarm rate of encrypted traffic detection is 0. And the comprehensive performance of the MVC detection model is better than that of other classifier sub-models.

Tangda Yu,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1109/cyberc.2019.00020

2019-01-01

Abstract:In recent years, with the widespread use of encrypted traffic communication technology, network traffic encryption has been gradually becoming a standard of communication. This phenomenon has a great impact on traditional traffic detection methods, especially on anomaly detection methods, which are highly dependent on the type of network protocol types and traffic data. By surveying the existing encrypted traffic classification and analyzing these methods, we found that there are two main methods for detection: payload-based detection and feature-based detection. On this basis, this paper puts forward an Encrypted Malicious Traffic Detection System which is based on multi-AEs(Autoencoder). We use malicious sandbox for traffic data collection, mark malicious flow and normal flow with labels. After that, we use multilayer networks of AEs for feature extraction and training classifier model. Our system analyzes the feature of cryptographic protocol from handshake phase to Authentication phase on the basis of existing research, and we extract the traffic feature for a better classification by further expanding flow feature vector to the higher dimensions. In addition, we compared the performance of our model with the traditional learning model under the same environment. The experimental results showed that our system had higher detection accuracy and lower loss rate. We also studied the influence of dataset imbalance on results in the detection of encrypted traffic by several experiments. According to the experimental evaluation, dataset imbalance will lead to the decrease of positive rate.

Rui Dai,Chuan Gao,Bo Lang,Lixia Yang,Hongyu Liu,Shaojie Chen

DOI: https://doi.org/10.1145/3371676.3371697

2019-01-01

Abstract:In recent years, as more and more softwares use SSL encryption protocol to improve the security and integrity of communications, the encrypted traffic is growing, which brings new challenges to cyber attack detection. Since most of the SSL traffic is unreadable ciphertext, traditional pattern recognition and deep packet inspection are not applicable. In addition, the current machine learning methods are not fully applicable to encrypted traffic detection. The detection of encrypted malicious traffic is still an open problem. In this paper, we propose an SSL malicious traffic detection method based on multi-view features. Our method comprehensively extracts features from multiple views, including flow statistics, SSL handshake field, and certificate to retain key original information. We test four machine learning models, i.e., SVM, Decision Tree, Random Forest, and XGBoost on the CTU Malware dataset. The results show that XGBoost performs best reaching an accuracy of 97.71%, which is better than other studies on the CTU dataset.

Jin Yang,Gang Liang,Beibei Li,Guozhu Wen,Tianyu Gao

DOI: https://doi.org/10.1049/ell2.12125

2021-01-01

Electronics Letters

Abstract:Traditional network intrusion detection methods lack the ability of automatic feature extraction for encrypted network malicious traffic, and thus, the detection rates are low. Moreover, the means of this malicious traffic are concealed, and the key malicious features are usually hidden in many normal data packets, so fewer encrypted malicious traffic samples can be captured. This easily leads to insufficient system training, low detection rate, and high false alarm rate. This letter proposes an encrypted network malicious traffic detection model based on deep learning, in which automatic feature extraction is performed against encrypted network malicious traffic. The proposed model has self-learning and self-adaption abilities. Furthermore, a sample generation method of encrypted traffic based on deep Q-networks and deep convolution generative adversarial networks is proposed, in which new samples are learned from the training samples of encrypted traffic and solves problems, such as insufficient original training samples and unbalanced samples. In a validation experiment, the proposed model could distinguish between normal and abnormal encrypted network traffic, and the accuracy rate reached 99.94%. Experimental results show that the proposed model in this letter can provide a new and better solution for an encrypted network malicious traffic detection system.

Ming Liu,Qichao Yang,Wenqing Wang,Shengli Liu

DOI: https://doi.org/10.3390/s24206507

IF: 3.9

2024-10-11

Sensors

Abstract:The exponential growth of encrypted network traffic poses significant challenges for detecting malicious activities online. The scale of emerging malicious traffic is significantly smaller than that of normal traffic, and the imbalanced data distribution poses challenges for detection. However, most existing methods rely on single-category features for classification, which struggle to detect covert malicious traffic behaviors. In this paper, we introduce a novel semi-supervised approach to identify malicious traffic by leveraging multimodal traffic characteristics. By integrating the sequence and topological information inherent in the traffic, we achieve a multifaceted representation of encrypted traffic. We design two independent neural networks to learn the corresponding sequence and topological features from the traffic. This dual-feature extraction enhances the model's robustness in detecting anomalies within encrypted traffic. The model is trained using a joint strategy that minimizes both the reconstruction error from the autoencoder and the classification loss, allowing it to effectively utilize limited labeled data alongside a large amount of unlabeled data. A confidence-estimation module enhances the classifier's ability to detect unknown attacks. Finally, our method is evaluated on two benchmark datasets, UNSW-NB15 and CICIDS2017, under various scenarios, including different training set label ratios and the presence of unknown attacks. Our model outperforms other models by 3.49% and 5.69% in F1 score at labeling rates of 1% and 0.1%, respectively.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Qihao Cheng,Yangsen Zhang,Ziyuan He,Xiang Chen

DOI: https://doi.org/10.1117/12.2640703

2022-01-01

Abstract:With the development of social science and technology, the communication process is often accompanied by a variety of encrypted malicious traffic intrusion into the network system. Therefore, it is necessary to build a malicious traffic detection system to solve this problem. This paper proposes a construction scheme of malicious traffic detection system based on machine learning. The malicious traffic data selects the public cic-ids-2017 dataset, and carries out feature engineering processing on the traffic data, which is transformed into a data feature set that is easy to be trained by machine learning model. The performance of various machine learning models are tested and compared. Finally, the optimal random forest model is selected as the malicious traffic detection model. Experiment shows that the model can effectively detect encrypted malicious traffic.

Zihao Wang,Vrizlynn L. L. Thing

DOI: https://doi.org/10.1016/j.cose.2023.103143

2023-04-07

Abstract:The popularity of encryption mechanisms poses a great challenge to malicious traffic detection. The reason is traditional detection techniques cannot work without the decryption of encrypted traffic. Currently, research on encrypted malicious traffic detection without decryption has focused on feature extraction and the choice of machine learning or deep learning algorithms. In this paper, we first provide an in-depth analysis of traffic features and compare different state-of-the-art traffic feature creation approaches, while proposing a novel concept for encrypted traffic feature which is specifically designed for encrypted malicious traffic analysis. In addition, we propose a framework for encrypted malicious traffic detection. The framework is a two-layer detection framework which consists of both deep learning and traditional machine learning algorithms. Through comparative experiments, it outperforms classical deep learning and traditional machine learning algorithms, such as ResNet and Random Forest. Moreover, to provide sufficient training data for the deep learning model, we also curate a dataset composed entirely of public datasets. The composed dataset is more comprehensive than using any public dataset alone. Lastly, we discuss the future directions of this research.

Cryptography and Security,Artificial Intelligence,Machine Learning

Jin Yang,Xinyun Jiang,Gang Liang,Siyu Li,Zicheng Ma

DOI: https://doi.org/10.3390/s23167215

IF: 3.9

2023-08-18

Sensors

Abstract:As the demand for Internet access increases, malicious traffic on the Internet has soared also. In view of the fact that the existing malicious-traffic-identification methods suffer from low accuracy, this paper proposes a malicious-traffic-identification method based on contrastive learning. The proposed method is able to overcome the shortcomings of traditional methods that rely on labeled samples and is able to learn data feature representations carrying semantic information from unlabeled data, thus improving the model accuracy. In this paper, a new malicious traffic feature extraction model based on a Transformer is proposed. Employing a self-attention mechanism, the proposed feature extraction model can extract the bytes features of malicious traffic by performing calculations on the malicious traffic, thereby realizing the efficient identification of malicious traffic. In addition, a bidirectional GLSTM is introduced to extract the timing features of malicious traffic. The experimental results show that the proposed method is superior to the latest published methods in terms of accuracy and F1 score.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Ke Xu,Xixi Zhang,Yu Wang,Tomoaki Ohtsuki,Bamidele Adebisi,Hikmet Sari,Guan Gui

DOI: https://doi.org/10.1109/jiot.2024.3357072

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Malware traffic classification (MTC) is one of the important techniques to ensure the security of cyberspace, which aims to detect anomalies and classify different types of network traffic. Recently, MTC methods based on deep learning (DL) have shown their excellent performance. However, these DL-based methods rely on datasets with manually labeled samples for training, which are costly and hard to obtain. To address this problem, this paper proposes a novel self-supervised MTC method based on the framework of masked auto-encoder (MAE). Specifically, MAE first constructs a reasonable unsupervised pretext task with a random masking strategy, which reduces the redundant information in samples and speeds up the pre-training process. The transformer-based backbone network then efficiently extracts features from the non-redundant traffic data efficiently. The proposed MTC-MAE method employs self-supervised learning on a large-scale unlabeled dataset to acquire unbiased features, and fine-tunes on specific datasets to adapt to diverse traffic classification scenarios. Simulation experiments show that our proposed MTC-MAE method is able to learn universal features with high quality and has excellent classification performance on various downstream datasets. The datasets we used, code implementation, and pre-trained models are available on GitHub.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaodong Zang,Tongliang Wang,Xinchang Zhang,Jian Gong,Peng Gao,Guowei Zhang

DOI: https://doi.org/10.1016/j.comnet.2024.110598

IF: 5.493

2024-01-01

Computer Networks

Abstract:The focus on privacy protection has brought much-encrypted network traffic. However, attackers always abuse traffic encryption to conceal malicious behaviors. Although researchers have proposed several enlightening detection methods, they must enhance the generalization ability or improve detection performance. Our inspiration is that the packet header fields, as do the underlying grammatical rules for constructing sentences, have a strict order. We consider the original packet as text and devise a robust approach with natural language processing and a deep learning model to improve the generalization ability and detection performance. We capture the critical keywords as characteristic representations of the traffic and design an adaptive domain generalization algorithm with a new loss function. It is robust against various datasets by generating more malicious samples to augment the minority of malicious samples. Simultaneously, we design an efficient feature selection algorithm, which obtains an optimal feature subset and reduces feature dimensions by 75.3%. To evaluate our work, we conducted extensive experiments with open-source datasets (CICIDS 2017, CICDDoS 2019, and USTC-TFC 2016), the synthetic dataset from IoT-23, and Internet backbone traffic (CERNET). Experimental results demonstrate that our proposal improves detection accuracy by up to 22.8% compared to others not using domain generalization algorithms and achieves an average detection latency of 0.67 s in the backbone. Besides, our work applies to the Industrial Internet of Things (IIoT) environment. It can be deployed at edge nodes to provide network security support for IIoT devices.

HUO Yuehua,ZHAO Faqi

DOI: https://doi.org/10.19678/j.issn.1000-3428.0064805

2023-01-01

Abstract:Although encryption technology protects network communications,plenty malware uses encryption protocols to hide malicious behavior. For the existing Transport Layer Security（TLS） encrypted malicious traffic detection techniques based on machine learning,a single model detection algorithm is available for multi-granularity features,poor applicability,and a high false alarm rate of mixed traffic detection problems. A non-decryption TLS-encrypted malicious traffic detection method based on Stacking strategy and multi-feature fusion is proposed. The multigranularity of encrypted malicious traffic features is analyzed to extract the flow features,connection features,and TLS handshake features of the traffic.The extracted features are statutorily processed using feature engineering to reduce computational overhead. The Random Forest（RF）,XGBoost,and Gaussian Naive Bayesian（GNB） classifier models are built for the three classes of features after statute processing to learn the hidden patterns inside them. Using the multidimensional features processed via stream fingerprint fusion,three classifier models are combined using a Stacking strategy to form DMMFC detection model to identify TLSencrypted malicious traffic in the network. The performance of the constructed model is evaluated on the CTU-13 public dataset. The experimental results show that the identification recall of the proposed method is dimensionality of 99.93% in binary classification experiments and a False Alarm Rate（FAR） is less than 0.10% in malicious traffic detection. In can effectively detect non-decrypted TLS encrypted malicious traffic.

Yueping Hong,Qi Li,Yanqing Yang,Meng Shen

DOI: https://doi.org/10.1016/j.ins.2023.119229

IF: 8.1

2023-06-02

Information Sciences

Abstract:At present, the TLS cryptographic protocol is widely deployed. While protecting the security and integrity of transmitted information, it also makes the detection of malicious behavior more difficult. In recent years, researchers have proposed many encrypted malicious traffic detection methods. However, the existing approaches have some shortcomings. Firstly, although researchers have extracted multi-view features from different aspects, which can be divided into vectorized features based on feature engineering and image features based on original data, existing methods cannot fully integrate the features of different forms of expression. Secondly, most of the existing methods do not fully analyze the correlation between different encrypted traffic. Thirdly, the existing methods based on correlation analysis have low processing efficiency and cannot be applied to real networks. In the paper, we present MalDiscovery , a novel technique to discover encrypted malicious traffic to address all the above issues. For encrypted malicious traffic, MalDiscovery constructs an attribute KNN graph, in which encrypted sessions are used as nodes to construct a KNN graph according to the similarity of image features, and vectorized features are used as attributes of corresponding nodes. After that, the GraphSAGE model is used to collect relevant node information through correlation analysis to enrich the embeddings of each node. Finally, we achieve the accurate binary classification of nodes in the graph based on richer embeddings. We use extensive experiments to evaluate the proposed method, and the experiment results show that MalDiscovery can achieve an accuracy of about 99.9%, significantly outperforming all compared methods.

computer science, information systems

Yong Fang,Yijia Xu,Cheng Huang,Liang Liu,Lei Zhang

DOI: https://doi.org/10.1007/978-981-32-9343-4_10

2020-01-01

Abstract:It has become a significant research direction to resist cyberattacks through traffic identification technology. Traditional traffic identification technology is often based on network port or feature matching, which has become inefficient in the increasingly complex network environment. Nowadays, the malicious cyberattacks usually encrypt their traffic to escape the traditional traffic identification, and the most common encryption method is the SSL/TLS encryption. In response to this phenomenon, this paper proposes an encrypted malicious traffic identification method based on the random forest, which uses features based on packet information, time, TCP Flags field, and application layer payload information. We designed the technology and application framework to ensure the success of the experiment and collected a large amount of SSL/TLS encrypted traffic as datasets. Benefit from model optimization by parameter adjusting, the experimental results showed that final model had highly accurate and predictive ability.

Linxiao Yu,Jun Tao,Yifan Xu,Weice Sun,Zuyan Wang

DOI: https://doi.org/10.1016/j.comnet.2024.110475

IF: 5.493

2024-05-08

Computer Networks

Abstract:Recently, more and more applications have adopted security protocols like Transport Layer Security (TLS) for data encryption. However, these privacy-enhancing approaches have also been abused by the attackers to deliver malicious payloads. Many existing encrypted network classification methods suffer from the imbalanced volume of normal and malicious traffic, which leads to bad model robustness. In this paper, we propose a novel TLS fingerprinting approach to capture the characteristics of encrypted network traffic. The fingerprints are attributed graphs obtained from TLS sessions, which can simultaneously take into consideration the sequential and statistical features of these sessions. As the communication patterns of different applications differ considerably, the graphs representing TLS connections could be used to characterize the network with the help of the graph kernel method, which results in a model with high accuracy in malicious TLS session detection and application discrimination. Moreover, we adopt Locality-Sensitive Hashing (LSH) and filtering techniques to reduce the time cost of our model. Model evaluation on real-world datasets shows that our model is more robust than existing methods presented in this work when the malicious traffic takes up an extremely small portion of the whole traffic.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Xianchun Zheng,Hui Li

DOI: https://doi.org/10.1109/access.2023.3279120

IF: 3.9

2023-01-01

IEEE Access

Abstract:The popularity of encrypted communication has grown due to increased security awareness and rapid internet development. End-to-end encryption can prevent data attacks but also poses new cybersecurity threats. Thus, identifying malicious encrypted traffic is a focus of research in network behavior analysis and anomaly detection. Recently, deep learning has brought new directions for the development of traffic classification and anomaly detection. Based on deep learning technology, this paper starts from the two directions of data preprocessing and model selection, studies and analyzes multi-dimensional traffic characteristics and multi-granularity carrier characteristics, and proposes corresponding solutions, and finally designs and proposes a malware-oriented Identification scheme for encrypted traffic. This paper first proposes a malicious encrypted traffic identification scheme MET-FMF based on fine-grained multi-feature fusion. Two sets of comparative experiments were designed to compare the multi-dimensional traffic features and the multi-branch network model on the recognition results. The results show that the combination of three-dimensional traffic characteristics and three-branch network model has the best results, with an average accuracy rate of 95.08%.Finally, compared with other schemes, it is found that this scheme has multi-dimensional traffic feature extraction, multi-granularity carrier feature Features such as early session detection and end-to-end transferable learning.

Chuanyu Zhao,Shudong Li,Xiaobo Wu,Weihong Han,Zhihong Tian,Maofei Chen

DOI: https://doi.org/10.1109/dsc53577.2021.00097

2021-01-01

Abstract:The number of malware attacks that use encrypted HTTP traffic to self-propagate or communicate has increased dramatically in recent years. Traditional network traffic detection methods for non-encrypted traffic are difficult to be applied to encrypted traffic detection. While encryption is good for protecting users' privacy, it also comes with a security risk: malicious traffic may hide in encrypted traffic, leading to a series of security problems. Since the encrypted payload cannot be directly observed and it is large, we need to combine domain knowledge and machine learning method to excavate the features hidden in malicious traffic, so as to realize automatic detection of malicious traffic. In this paper, we propose a malicious traffic detection framework based on ensemble learning using the encrypted traffic from real malware, including normal traffic generated by 3000 normal hosts and malicious traffic generated by 3000 malware-infected hosts, provided by DATACON2020 competition. Considering the complexity to decrypt traffic, we use statistical features and sequence features in both flow-level and in host-level perspectives to describe encrypted traffic. Then we build multiple classifiers according to heterogeneous features. Finally we do majority voting to get final result. We achieve 95.0% TPR and 8.4% FPR.

Lanting Wang,Jie Cheng,Ru Zhang,Gang Chen,Chan Wang,Jin Pang

DOI: https://doi.org/10.1109/icicn56848.2022.10006571

2022-01-01

Abstract:The traditional encrypted malicious traffic detection algorithm via rules and manually extracted features faced the dilemma of low detection accuracy and excessive dependence on experience for extracting features. It made difficult to detect encrypted malicious traffic. Based on this, this paper proposes a 2-layer attention mechanism encrypted malicious traffic detection algorithm via the combination of spatiotemporal features. Specifically, first we use 1D-CNN and BiGRU to extract spatial features in encrypted traffic packets and temporal features between encrypted streams, respectively, which enriches the features of different dimensions. And then, the soft attention mechanism is focus on the encrypted data packets to extract feature. Ultimately, the second layer of soft attention mechanism is used for aggregating malicious features to experiments. The extraction and comparison experiments demonstrate that the encrypted malicious traffic detection model proposed in this paper is better than the existing methods in fine-grained encrypted malicious traffic detection performance.Meanwhile, the effectiveness of each module is proved by its own comparison experiments.

Kunlin Li,Baojiang Cui

DOI: https://doi.org/10.1007/978-3-030-79728-7_20

2021-06-24

Abstract:With the increasing popularity of traffic encryption protocols such as SSL/TLS, attacks based on encrypted traffic are more and more rampant, so does the need to inspect all SSL traffic. At present, the methods based on feature engineering and the methods based on deep learning and representation learning are the research hot-spots. In this paper, a new method of encrypted malicious traffic identification is proposed, which is based on deep learning and four- tuple feature. The unit of traffic identification is flow four-tuple. We extract 3 types of features which are statistical feature, handshake byte stream feature, and application data size sequence feature. We design different deep learning models to deal with various features and work together in traffic identification. We used the CTU Malware dataset to experiment. The results show that the accuracy of our method can reach 98.31%, which is better than that of other methods using four-tuple as the unit of flow identification and experimenting on the CTU Malware dataset.