Chuanyu Zhao,Shudong Li,Xiaobo Wu,Weihong Han,Zhihong Tian,Maofei Chen

DOI: https://doi.org/10.1109/dsc53577.2021.00097

2021-01-01

Abstract:The number of malware attacks that use encrypted HTTP traffic to self-propagate or communicate has increased dramatically in recent years. Traditional network traffic detection methods for non-encrypted traffic are difficult to be applied to encrypted traffic detection. While encryption is good for protecting users' privacy, it also comes with a security risk: malicious traffic may hide in encrypted traffic, leading to a series of security problems. Since the encrypted payload cannot be directly observed and it is large, we need to combine domain knowledge and machine learning method to excavate the features hidden in malicious traffic, so as to realize automatic detection of malicious traffic. In this paper, we propose a malicious traffic detection framework based on ensemble learning using the encrypted traffic from real malware, including normal traffic generated by 3000 normal hosts and malicious traffic generated by 3000 malware-infected hosts, provided by DATACON2020 competition. Considering the complexity to decrypt traffic, we use statistical features and sequence features in both flow-level and in host-level perspectives to describe encrypted traffic. Then we build multiple classifiers according to heterogeneous features. Finally we do majority voting to get final result. We achieve 95.0% TPR and 8.4% FPR.

Tangda Yu,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1109/cyberc.2019.00020

2019-01-01

Abstract:In recent years, with the widespread use of encrypted traffic communication technology, network traffic encryption has been gradually becoming a standard of communication. This phenomenon has a great impact on traditional traffic detection methods, especially on anomaly detection methods, which are highly dependent on the type of network protocol types and traffic data. By surveying the existing encrypted traffic classification and analyzing these methods, we found that there are two main methods for detection: payload-based detection and feature-based detection. On this basis, this paper puts forward an Encrypted Malicious Traffic Detection System which is based on multi-AEs(Autoencoder). We use malicious sandbox for traffic data collection, mark malicious flow and normal flow with labels. After that, we use multilayer networks of AEs for feature extraction and training classifier model. Our system analyzes the feature of cryptographic protocol from handshake phase to Authentication phase on the basis of existing research, and we extract the traffic feature for a better classification by further expanding flow feature vector to the higher dimensions. In addition, we compared the performance of our model with the traditional learning model under the same environment. The experimental results showed that our system had higher detection accuracy and lower loss rate. We also studied the influence of dataset imbalance on results in the detection of encrypted traffic by several experiments. According to the experimental evaluation, dataset imbalance will lead to the decrease of positive rate.

Guang-Lu Sun,Yibo Xue,Yingfei Dong,Dongsheng Wang,Chenglong Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5683649

2010-01-01

Abstract:Classifying encrypted traffic is critical to effective network analysis and management. While traditional payload- based methods are powerless to deal with encrypted traffic, machine learning methods have been proposed to address this issue. However, these methods often bring heavy overhead into the system. In this paper, we propose a hybrid method that combines signature-based methods and statistical analysis methods to address this issue. We first identify SSL/TLS traffic with signature matching methods, and then apply statistical analysis to determine concrete application protocols. Our experimental results show that the proposed method is able to recognize over 99% of SSL/TLS traffic and achieve 94.52% in F-score for protocols identification.

Jiayong Liu,Zhiyi Tian,RongFeng Zheng,Liang Liu

DOI: https://doi.org/10.1109/access.2019.2930717

IF: 3.9

2019-01-01

IEEE Access

Abstract:The popularity of encryption method brings a great challenge to malware traffic identification. Traditional classes defined by expert experience are usually classified based on the host behaviors of malware, such as banking malware or ransomware, which are often irrelevant to its communication traffic behaviors. It leads to the fact that the boundaries of traffic feature dataset of different malware classes are fuzzy and make these traditional classes unhelpful for classification based on traffic features. Meanwhile, traditional machine learning-based encrypted malware traffic identification methods, such as using the multi-classification supervised learning model, are inefficient both in model training and detection, and its detection accuracy cannot meet the demand. In this paper, we propose a distance-based method, which utilizes unsupervised learning algorithm Gaussian mixture model (GMM) and ordering points to identify the clustering structure (OPTICS) to calculate the Distance between malwares and make use of the Distance to define the new malware class called FClass. Then, a set of models are trained by XGBoost algorithm to build an identification framework based on the FClass. The performance of the proposed method has been evaluated by comparing it with the other four methods. The results show that the proposed distance-based method is more efficient and accurate.

Zhongkai Zhang,Lei Liu,Xudong Lu,Zhongmin Yan,Hui Li

DOI: https://doi.org/10.1109/ispa-bdcloud-socialcom-sustaincom51426.2020.00114

2020-01-01

Abstract:With the growing number of the network based applications, the quality and usability of various applications require distinguished requirements in light of network performance. The Internet is a vast network of independently-managed networks. The traffic is heterogeneous and consists of flows from multiple applications. For the sake of Internet governance, identifying who is who has become an impressing demand. The purpose of Internet governance is to properly distinguish the demands across the limited recourse. Traffic classification is the very beginning that helps identify who and how much the application requires. Hence, the classification and identification of encrypted traffic has drawn much research attention. Compare to the traditional methods such as port-based methods and payload-based methods, this study establishes a two-stage traffic classification framework based on convolutional neural network. Experimental results suggest that the developed method has a good degree of traffic classification subject to fewer bytes in the packet.

Xiaodong Zang,Tongliang Wang,Xinchang Zhang,Jian Gong,Peng Gao,Guowei Zhang

DOI: https://doi.org/10.1016/j.comnet.2024.110598

IF: 5.493

2024-01-01

Computer Networks

Abstract:The focus on privacy protection has brought much-encrypted network traffic. However, attackers always abuse traffic encryption to conceal malicious behaviors. Although researchers have proposed several enlightening detection methods, they must enhance the generalization ability or improve detection performance. Our inspiration is that the packet header fields, as do the underlying grammatical rules for constructing sentences, have a strict order. We consider the original packet as text and devise a robust approach with natural language processing and a deep learning model to improve the generalization ability and detection performance. We capture the critical keywords as characteristic representations of the traffic and design an adaptive domain generalization algorithm with a new loss function. It is robust against various datasets by generating more malicious samples to augment the minority of malicious samples. Simultaneously, we design an efficient feature selection algorithm, which obtains an optimal feature subset and reduces feature dimensions by 75.3%. To evaluate our work, we conducted extensive experiments with open-source datasets (CICIDS 2017, CICDDoS 2019, and USTC-TFC 2016), the synthetic dataset from IoT-23, and Internet backbone traffic (CERNET). Experimental results demonstrate that our proposal improves detection accuracy by up to 22.8% compared to others not using domain generalization algorithms and achieves an average detection latency of 0.67 s in the backbone. Besides, our work applies to the Industrial Internet of Things (IIoT) environment. It can be deployed at edge nodes to provide network security support for IIoT devices.

Jie Zhou,Weina Niu,Xiaosong Zhang,Yujie Peng,Hao Wu,Teng Hu

DOI: https://doi.org/10.1109/iccwamtip51612.2020.9317429

2020-01-01

Abstract:With the development of mobile terminals, smartphones have attracted a very huge number of users with their powerful functions. Among them, Android system is famous for its open-source and convenience, which occupies a large market share. But this also leads many attackers to use their malware to gain benefits quickly, which make it necessary to design a practical android malware detection approach. At present, there are not many pieces of research on detecting malware by analyzing Android malicious traffic. This paper examines the characteristics of malicious traffic on the host computer to construct a traffic fingerprint. It combines machine learning algorithms to build a practical detection approach which is also suitable for encrypted traffic. To distinguish similar fuzzy traffic, an additional layer named confusion classifier is added to help further malware classification. This paper uses a realworld dataset called CICAndMal2017 and simulates two classification scenarios: malware binary detection and malware category classification. The experimental results show that the accuracy of the malware binary detection reached 98.8% while the accuracy rate of malware category classification is 95.2%.

Xianchun Zheng,Hui Li

DOI: https://doi.org/10.1109/access.2023.3279120

IF: 3.9

2023-01-01

IEEE Access

Abstract:The popularity of encrypted communication has grown due to increased security awareness and rapid internet development. End-to-end encryption can prevent data attacks but also poses new cybersecurity threats. Thus, identifying malicious encrypted traffic is a focus of research in network behavior analysis and anomaly detection. Recently, deep learning has brought new directions for the development of traffic classification and anomaly detection. Based on deep learning technology, this paper starts from the two directions of data preprocessing and model selection, studies and analyzes multi-dimensional traffic characteristics and multi-granularity carrier characteristics, and proposes corresponding solutions, and finally designs and proposes a malware-oriented Identification scheme for encrypted traffic. This paper first proposes a malicious encrypted traffic identification scheme MET-FMF based on fine-grained multi-feature fusion. Two sets of comparative experiments were designed to compare the multi-dimensional traffic features and the multi-branch network model on the recognition results. The results show that the combination of three-dimensional traffic characteristics and three-branch network model has the best results, with an average accuracy rate of 95.08%.Finally, compared with other schemes, it is found that this scheme has multi-dimensional traffic feature extraction, multi-granularity carrier feature Features such as early session detection and end-to-end transferable learning.

Didier Frank Isingizwe,Meng Wang,Wenmao Liu,Dongsheng Wang,Tiejun Wu,Jun Li

DOI: https://doi.org/10.1109/icct52962.2021.9658106

2021-01-01

Abstract:Malware traffic classification is an essential pillar of network intrusion detection systems. The explosive growth of traffic encryption makes it infeasible to classify malware traffic with port-based or signature-based approaches. Nowadays, researchers and industrial developers turn to learning-based approaches for encrypted malware traffic classification, mining the statistical patterns of traffic behaviors. However, different machine learning models with different hyper-parameters can be used, and one can hardly explain why a learning approach works or not. To alleviate this problem, this paper conducts encrypted malware traffic classification with the automated machine learning (AutoML) approach which contains 7 representative models in the pipeline and realizes automated hyper-parameter tuning and model assembling. Experimenting on real-world encrypted malware traffic, this paper analyzes the performance of the ensemble model of AutoML and how each model performs in detail to understand its contribution. Moreover, the analysis of AutoML feature selection shows discriminant features on encrypted malware traffic especially TLS metadata related. The concrete experiments and analysis give insight to the following studies on encrypted malware traffic classification.

Jiangang Hou,Tong Jiang,Yanmiao Li,Hao Guo,Zhen Zhang,Zhi Liu

DOI: https://doi.org/10.1109/CCCI52664.2021.9583191

2021-10-15

Abstract:With more and more encrypted traffic such as HTTPS, encrypted traffic protects not only normal traffic, but also malicious traffic. Identification of encrypted malicious traffic without decryption has become a research hotspot. Combined with deep learning, an important branch of machine learning, encrypted malicious traffic detection has achieved good results. This paper reviews the detection of encrypted malicious traffic in recent years. Firstly, we classify encrypted malicious traffic. Secondly, we sorts out the extraction characteristics of encrypted malicious traffic, the key and difficult problems we are facing at present. Then, with encrypted malicious traffic detection technology as the main line, we summarized the current detection model from the four core aspects of data collection, data processing, model training and evaluation improvement. Finally, we analyze the problems and point out future research directions.

Computer Science

In-Su Jung,Yu-Rae Song,Lelisa Adeba Jilcha,Deuk-Hun Kim,Sun-Young Im,Shin-Woo Shim,Young-Hwan Kim,Jin Kwak

DOI: https://doi.org/10.3390/sym16060733

2024-06-13

Symmetry

Abstract:With the continuously growing requirement for encryption in network environments, web browsers are increasingly employing hypertext transfer protocol security. Despite the increase in encrypted malicious network traffic, the encryption itself limits the data accessible for analyzing such behavior. To mitigate this, several studies have examined encrypted network traffic by analyzing metadata and payload bytes. Recent studies have furthered this approach, utilizing graph neural networks to analyze the structural data patterns within malicious encrypted traffic. This study proposed an enhanced encrypted traffic analysis leveraging graph neural networks which can model the symmetric or asymmetric spatial relations between nodes in the traffic network and optimized feature dimensionality reduction. It classified malicious network traffic by leveraging key features, including the IP address, port, CipherSuite, MessageLen, and JA3 features within the transport-layer-security session data, and then analyzed the correlation between normal and malicious network traffic data. The proposed approach outperformed previous models in terms of efficiency, using fewer features while maintaining a high accuracy rate of 99.5%. This demonstrates its research value as it can classify malicious network traffic with a high accuracy based on fewer features.

multidisciplinary sciences

Yong Fang,Yijia Xu,Cheng Huang,Liang Liu,Lei Zhang

DOI: https://doi.org/10.1007/978-981-32-9343-4_10

2020-01-01

Abstract:It has become a significant research direction to resist cyberattacks through traffic identification technology. Traditional traffic identification technology is often based on network port or feature matching, which has become inefficient in the increasingly complex network environment. Nowadays, the malicious cyberattacks usually encrypt their traffic to escape the traditional traffic identification, and the most common encryption method is the SSL/TLS encryption. In response to this phenomenon, this paper proposes an encrypted malicious traffic identification method based on the random forest, which uses features based on packet information, time, TCP Flags field, and application layer payload information. We designed the technology and application framework to ensure the success of the experiment and collected a large amount of SSL/TLS encrypted traffic as datasets. Benefit from model optimization by parameter adjusting, the experimental results showed that final model had highly accurate and predictive ability.

Anish Singh Shekhawat,Fabio Di Troia,Mark Stamp

DOI: https://doi.org/10.48550/arXiv.2312.04596

2023-12-06

Abstract:In recent years there has been a dramatic increase in the number of malware attacks that use encrypted HTTP traffic for self-propagation or communication. Antivirus software and firewalls typically will not have access to encryption keys, and therefore direct detection of malicious encrypted data is unlikely to succeed. However, previous work has shown that traffic analysis can provide indications of malicious intent, even in cases where the underlying data remains encrypted. In this paper, we apply three machine learning techniques to the problem of distinguishing malicious encrypted HTTP traffic from benign encrypted traffic and obtain results comparable to previous work. We then consider the problem of feature analysis in some detail. Previous work has often relied on human expertise to determine the most useful and informative features in this problem domain. We demonstrate that such feature-related information can be obtained directly from machine learning models themselves. We argue that such a machine learning based approach to feature analysis is preferable, as it is more reliable, and we can, for example, uncover relatively unintuitive interactions between features.

Cryptography and Security,Machine Learning

Pitpimon Choorod,George Weir,Anil Fernando

DOI: https://doi.org/10.1109/access.2024.3356073

IF: 3.9

2024-02-13

IEEE Access

Abstract:Tor, a network offering Internet anonymity, presented both positive and potentially malicious applications, leading to the need for efficient Tor traffic monitoring. While most current traffic classification methods rely on flow-based features, these can be unreliable due to factors like asymmetric routing, and the use of multiple packets for feature computation can lead to processing delays. Recognising the multi-layered encryption of Tor compared to nonTor encrypted payloads, our study explored distinct patterns in their encrypted data. We introduced a novel method using Deep Packet Inspection and machine learning to differentiate between Tor and nonTor traffic based solely on encrypted payload. In the first strand of our research, we investigated hex character analysis of the Tor and nonTor encrypted payloads through statistical testing across 8 groups of application types. Remarkably, our investigation revealed a significant differentiation rate of 94.53% between Tor and nonTor traffic. In the second strand of our research, we aimed to distinguish Tor and nonTor traffic using machine learning, based on encrypted payload features. This proposed feature-based approach proved effective, as evidenced by our classification performance, which attained an average accuracy rate of 95.65% across these 8 groups of applications. Thereby, this study contributes to the efficient classification of Tor and nonTor traffic through features derived solely from a single encrypted payload packet, independent of its position in the traffic flow.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jian Hou,Fangai Liu,Hui Lu,Zhiyuan Tan,Xuqiang Zhuang,Zhihong Tian

DOI: https://doi.org/10.1016/j.jpdc.2022.06.004

IF: 4.542

2022-01-01

Journal of Parallel and Distributed Computing

Abstract:Malicious traffic detection is one of the most important parts of cyber security. The approaches of using the flow as the detection object are recognized as effective. Benefiting from the development of deep learning techniques, raw traffic can be directly used as a feature to detect malicious traffic. Most existing work usually converts raw traffic into images or long sequences to express a flow and then uses deep learning technology to extract features and classify them, but the generated features contain much redundant or even useless information, especially for encrypted traffic. The packet header field contains most of the packet characteristics except the payload content, and it is also an important element of the flow. In this paper, we only use the fields of the packet header in the raw traffic to construct the characteristic representation of the traffic and propose a novel flow-vector generation approach for malicious traffic detection. The preprocessed header fields are embedded as field vectors, and then a two-layer attention network is used to progressively generate the packet vectors and the flow vector containing context information. The flow vector is regarded as the abstraction of the raw traffic and is used to classify. The experiment results illustrate that the accuracy rate can reach up to 99.48% in the binary classification task and the average of AUC-ROC can reach 0.9988 in the multi-classification task. (C) 2022 Elsevier Inc. All rights reserved.

Hong Huang,Xingxing Zhang,Ye Lu,Ze Li,Shaohua Zhou

DOI: https://doi.org/10.32604/cmc.2024.047918

2024-01-01

Abstract:While encryption technology safeguards the security of network communications, malicious traffic also uses encryption protocols to obscure its malicious behavior. To address the issues of traditional machine learning methods relying on expert experience and the insufficient representation capabilities of existing deep learning methods for encrypted malicious traffic, we propose an encrypted malicious traffic classification method that integrates global semantic features with local spatiotemporal features, called BERT-based Spatio-Temporal Features Network (BSTFNet). At the packet-level granularity, the model captures the global semantic features of packets through the attention mechanism of the Bidirectional Encoder Representations from Transformers (BERT) model. At the byte-level granularity, we initially employ the Bidirectional Gated Recurrent Unit (BiGRU) model to extract temporal features from bytes, followed by the utilization of the Text Convolutional Neural Network (TextCNN) model with multi-sized convolution kernels to extract local multi-receptive field spatial features. The fusion of features from both granularities serves as the ultimate multidimensional representation of malicious traffic. Our approach achieves accuracy and F1-score of 99.39% and 99.40%, respectively, on the publicly available USTC-TFC2016 dataset, and effectively reduces sample confusion within the Neris and Virut categories. The experimental results demonstrate that our method has outstanding representation and classification capabilities for encrypted malicious traffic.

computer science, information systems,materials science, multidisciplinary

Meng Shen,Mingwei Wei,Liehuang Zhu,Mingzhong Wang,Fuliang Li

DOI: https://doi.org/10.1109/iwqos.2016.7590451

2016-01-01

Abstract:With the prosperity of network applications, traffic classification serves as a crucial role in network management and malicious attack detection. The widely used encryption transmission protocols, such as the Secure Socket Layer/Transport Layer Security (SSL/TLS) protocols, leads to the failure of traditional payload-based classification methods. Existing methods for encrypted traffic classification suffer from low accuracy. In this paper, we propose a certificate-aware encrypted traffic classification method based on the Second-Order Markov Chain. We start by exploring reasons why existing methods not perform well, and make a novel observation that certificate packet length in SSL/TLS sessions contributes to application discrimination. To increase the diversity of application fingerprints, we develop a new model by incorporating the certificate packet length clustering into the Second-Order homogeneous Markov chains. Extensive evaluation results show that the proposed method lead to a 30% improvement on average compared with the state-of-the-art method, in terms of classification accuracy.

Fengrui Xiao,Feng Yang,Shuangwu Chen,Jian Yang

DOI: https://doi.org/10.1007/978-3-030-94029-4_1

2022-01-01

Abstract:Nowadays, network traffic detection plays a very important role in protecting cyberspace security, and more and more applications realize data privacy protection through encryption technology. Regular expression matching based methods, such as deep packet inspection that relies on plaintext traffic cannot be applied to detecting encrypted random communication content, and the existing detecting methods based on time-series features often ignore the encryption protocol features. In this work, we design an ensemble learning system based on stack algorithms to identify encrypted malicious traffic, which can detect the interactive behavior and the encryption protocols simultaneously. In detail, we construct a deep learning classifier based on Long Short-Term Memory (LSTM) for time-series features, and a machine learning classifier based on random forests for encryption protocol features. Then, we use the stacking algorithm in ensemble learning to combine them to form a new classifier. Finally, relying on the Datacon2020 dataset, extensive experiments are conducted. The experimental results indicate that the proposed method improves the detection rate of encrypted malicious traffic while keeping a low false positive rate.

Yang Liu,Jinfu Chen,Peng Chang,Xiaochun Yun

DOI: https://doi.org/10.1109/ciapp.2017.8167261

2017-01-01

Abstract:Network applications are getting more and more prevalent along with the development and the widespread use of encrypted network applications. However, traffic classification methods may need to be improved to realize more stable classification in a more sufficient way. Here, we proposed a novel Sliding Window First N Packets algorithm for the encrypted network traffic classification. With this method, one could evidently reduce the flow characteristics feature dimension, as well as the number of packets in each traffic flow. The experimental results show that under a reduced dimension of encrypted traffic flow characteristics and also a reduced number of each flow data packets, average classification accuracy using the Sliding Window First N Packets algorithm we proposed is more than 95%. By using our approach, one can achieve a general increase of the traffic classification accuracy by about 3% compared with the existing methods.

Yige Chen,Tianning Zang,Yongzheng Zhang,Yuan Zhouz,Yipeng Wang,Yuan Zhou

DOI: https://doi.org/10.1109/icnp.2019.8888043

2019-10-01

Abstract:With the unprecedented prevalence of mobile network applications, cryptographic protocols, such as the Secure Socket Layer/Transport Layer Security (SSL/TLS), are widely used in mobile network applications for communication security. The proven methods for encrypted video stream classification or encrypted protocol detection are unsuitable for the SSL/TLS traffic. Consequently, application-level traffic classification based networking and security services are facing severe challenges in effectiveness. Existing encrypted traffic classification methods exhibit unsatisfying accuracy for applications with similar state characteristics. In this paper, we propose a multiple-attribute-based encrypted traffic classification system named Multi-Attribute Associated Fingerprints (MAAF). We develop MAAF based on the two key insights that the DNS traces generated during the application runtime contain classification guidance information and that the handshake certificates in the encrypted flows can provide classification clues. Apart from the exploitation of key insights, MAAF employs the context of the encrypted traffic to overcome the attribute-lacking problem during the classification. Our experimental results demonstrate that MAAF achieves 98.69% accuracy on the real-world traceset that consists of 16 applications, supports the early prediction, and is robust to the scale of the training traceset. Besides, MAAF is superior to the state-of-the-art methods in terms of both accuracy and robustness.