Ruihai Ge,Yongzheng Zhang,Chengxiang Si,Guoqiao Zhou,Wenchang Zhou

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys57074.2022.00132

2022-01-01

Abstract:As the number of interconnected mobile devices increases exponentially, mobile malware poses a severe threat to cyberspace security. Existing techniques utilize network traffic analysis effectively to identify and detect mobile malware. The majority of these solutions concentrate on the statistical features of malicious traffic or the information of key fields in the packet, but fail to take advantage of rich communication patterns throughout the entire network. In this paper, we present MateGraph, a traffic behavior graph-based approach to detect and classify mobile malware. The key insight of our research is that the communication patterns of a mobile application can be modeled as several traffic behavior graphs in Non-Euclidean space, and thus we can differentiate between malicious and benign applications by using graph convolution network models to learn graph topologies and representations. In MateGraph, we first construct a traffic behavior graph from a given chunk of network traffic within a time window, where a node of the graph is defined by a tuple of destination IP and port while an edge is established by the static and dynamic correlation between the nodes. Next, we present an enhanced graph convolution network for discovering the diverse pattern representations of benign and malicious traffic behavior graphs and achieving high detection performance and efficiency. We have conducted experiments on a publicly available dataset to evaluate MateGraph against several state-of-the-art methods, and the experimental results show that MateGraph has a better performance, the F1 score of which reached 96.57% and the accuracy increased by more than 7%.

Chuanpu Fu,Qi Li,Ke Xu

DOI: https://doi.org/10.1109/tnet.2024.3370851

2024-01-01

IEEE/ACM Transactions on Networking

Abstract:Nowadays traffic on the Internet has been widely encrypted to protect its confidentiality and privacy. However, traffic encryption is always abused by attackers to conceal their malicious behaviors. Since encrypted malicious traffic is similar to benign flows, it can easily evade traditional detection. In particular, the existing encrypted traffic detection methods are supervised which rely on the prior knowledge of known attacks (e.g., labeled datasets). Detecting unknown encrypted malicious traffic, which does not require prior knowledge, is still an open problem. In this paper, we propose, an unsupervised machine learning (ML) based malicious traffic detection system. Particularly, is able to detect unknown patterns of encrypted malicious traffic by utilizing a graph built upon flow interaction patterns, instead of learning the features of specific known attacks. We develop an unsupervised graph learning method to detect abnormal interaction patterns by analyzing the graph features, which allows to detect unknown attacks without requiring any labeled datasets. Moreover, we establish an information theory model to prove the effectiveness of . We show the performance of by real-world experiments with 140 attacks. The experimental results illustrate that outperforms the state-of-the-art methods by 13.9% accuracy improvement. Moreover, achieves 15.82 Mpps detection throughput with the average detection latency of 0.29s.

telecommunications,computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Yueping Hong,Qi Li,Yanqing Yang,Meng Shen

DOI: https://doi.org/10.1016/j.ins.2023.119229

IF: 8.1

2023-06-02

Information Sciences

Abstract:At present, the TLS cryptographic protocol is widely deployed. While protecting the security and integrity of transmitted information, it also makes the detection of malicious behavior more difficult. In recent years, researchers have proposed many encrypted malicious traffic detection methods. However, the existing approaches have some shortcomings. Firstly, although researchers have extracted multi-view features from different aspects, which can be divided into vectorized features based on feature engineering and image features based on original data, existing methods cannot fully integrate the features of different forms of expression. Secondly, most of the existing methods do not fully analyze the correlation between different encrypted traffic. Thirdly, the existing methods based on correlation analysis have low processing efficiency and cannot be applied to real networks. In the paper, we present MalDiscovery , a novel technique to discover encrypted malicious traffic to address all the above issues. For encrypted malicious traffic, MalDiscovery constructs an attribute KNN graph, in which encrypted sessions are used as nodes to construct a KNN graph according to the similarity of image features, and vectorized features are used as attributes of corresponding nodes. After that, the GraphSAGE model is used to collect relevant node information through correlation analysis to enrich the embeddings of each node. Finally, we achieve the accurate binary classification of nodes in the graph based on richer embeddings. We use extensive experiments to evaluate the proposed method, and the experiment results show that MalDiscovery can achieve an accuracy of about 99.9%, significantly outperforming all compared methods.

computer science, information systems

Chuanyu Zhao,Shudong Li,Xiaobo Wu,Weihong Han,Zhihong Tian,Maofei Chen

DOI: https://doi.org/10.1109/dsc53577.2021.00097

2021-01-01

Abstract:The number of malware attacks that use encrypted HTTP traffic to self-propagate or communicate has increased dramatically in recent years. Traditional network traffic detection methods for non-encrypted traffic are difficult to be applied to encrypted traffic detection. While encryption is good for protecting users' privacy, it also comes with a security risk: malicious traffic may hide in encrypted traffic, leading to a series of security problems. Since the encrypted payload cannot be directly observed and it is large, we need to combine domain knowledge and machine learning method to excavate the features hidden in malicious traffic, so as to realize automatic detection of malicious traffic. In this paper, we propose a malicious traffic detection framework based on ensemble learning using the encrypted traffic from real malware, including normal traffic generated by 3000 normal hosts and malicious traffic generated by 3000 malware-infected hosts, provided by DATACON2020 competition. Considering the complexity to decrypt traffic, we use statistical features and sequence features in both flow-level and in host-level perspectives to describe encrypted traffic. Then we build multiple classifiers according to heterogeneous features. Finally we do majority voting to get final result. We achieve 95.0% TPR and 8.4% FPR.

Li Shanxi,Zhou Qingguo,Zhou Rui,Lv Qingquan

DOI: https://doi.org/10.1007/s11227-021-04020-y

IF: 3.3

2021-01-01

The Journal of Supercomputing

Abstract:Malware has seriously threatened the safety of computer systems for a long time. Due to the rapid development of anti-detection technology, traditional detection methods based on static analysis and dynamic analysis have limited effects. With its better predictive performance, AI-based malware detection has been increasingly used to deal with malware in recent years. However, due to the diversity of malware, it is difficult to extract feature from malware, which make malware detection not conductive to the application of AI technology. To solve the problem, a malware classifier based on graph convolutional network is designed to adapt to the difference of malware characteristics. The specific method is to firstly extract the API call sequence from the malware code and generate a directed cycle graph, then use the Markov chain and principal component analysis method to extract the feature map of the graph, and design a classifier based on graph convolutional network, and finally analyze and compare the performance of the method. The results show that the method has better performance in most detection, and the highest accuracy is 98.32 % , compared with existing methods, our model is superior to other methods in terms of FPR and accuracy. It is also stable to deal with the development and growth of malware.

Chuanpu Fu,Qi Li,Ke Xu

DOI: https://doi.org/10.48550/arXiv.2301.13686

2023-01-31

Abstract:In this paper, we propose HyperVision, a realtime unsupervised machine learning (ML) based malicious traffic detection system. Particularly, HyperVision is able to detect unknown patterns of encrypted malicious traffic by utilizing a compact inmemory graph built upon the traffic patterns. The graph captures flow interaction patterns represented by the graph structural features, instead of the features of specific known attacks. We develop an unsupervised graph learning method to detect abnormal interaction patterns by analyzing the connectivity, sparsity, and statistical features of the graph, which allows HyperVision to detect various encrypted attack traffic without requiring any labeled datasets of known attacks. Moreover, we establish an information theory model to demonstrate that the information preserved by the graph approaches the ideal theoretical bound. We show the performance of HyperVision by real-world experiments with 92 datasets including 48 attacks with encrypted malicious traffic. The experimental results illustrate that HyperVision achieves at least 0.92 AUC and 0.86 F1, which significantly outperform the state-of-the-art methods. In particular, more than 50% attacks in our experiments can evade all these methods. Moreover, HyperVision achieves at least 80.6 Gb/s detection throughput with the average detection latency of 0.83s.

Cryptography and Security

In-Su Jung,Yu-Rae Song,Lelisa Adeba Jilcha,Deuk-Hun Kim,Sun-Young Im,Shin-Woo Shim,Young-Hwan Kim,Jin Kwak

DOI: https://doi.org/10.3390/sym16060733

2024-06-13

Symmetry

Abstract:With the continuously growing requirement for encryption in network environments, web browsers are increasingly employing hypertext transfer protocol security. Despite the increase in encrypted malicious network traffic, the encryption itself limits the data accessible for analyzing such behavior. To mitigate this, several studies have examined encrypted network traffic by analyzing metadata and payload bytes. Recent studies have furthered this approach, utilizing graph neural networks to analyze the structural data patterns within malicious encrypted traffic. This study proposed an enhanced encrypted traffic analysis leveraging graph neural networks which can model the symmetric or asymmetric spatial relations between nodes in the traffic network and optimized feature dimensionality reduction. It classified malicious network traffic by leveraging key features, including the IP address, port, CipherSuite, MessageLen, and JA3 features within the transport-layer-security session data, and then analyzed the correlation between normal and malicious network traffic data. The proposed approach outperformed previous models in terms of efficiency, using fewer features while maintaining a high accuracy rate of 99.5%. This demonstrates its research value as it can classify malicious network traffic with a high accuracy based on fewer features.

multidisciplinary sciences

Xiaodong Zang,Tongliang Wang,Xinchang Zhang,Jian Gong,Peng Gao,Guowei Zhang

DOI: https://doi.org/10.1016/j.comnet.2024.110598

IF: 5.493

2024-01-01

Computer Networks

Abstract:The focus on privacy protection has brought much-encrypted network traffic. However, attackers always abuse traffic encryption to conceal malicious behaviors. Although researchers have proposed several enlightening detection methods, they must enhance the generalization ability or improve detection performance. Our inspiration is that the packet header fields, as do the underlying grammatical rules for constructing sentences, have a strict order. We consider the original packet as text and devise a robust approach with natural language processing and a deep learning model to improve the generalization ability and detection performance. We capture the critical keywords as characteristic representations of the traffic and design an adaptive domain generalization algorithm with a new loss function. It is robust against various datasets by generating more malicious samples to augment the minority of malicious samples. Simultaneously, we design an efficient feature selection algorithm, which obtains an optimal feature subset and reduces feature dimensions by 75.3%. To evaluate our work, we conducted extensive experiments with open-source datasets (CICIDS 2017, CICDDoS 2019, and USTC-TFC 2016), the synthetic dataset from IoT-23, and Internet backbone traffic (CERNET). Experimental results demonstrate that our proposal improves detection accuracy by up to 22.8% compared to others not using domain generalization algorithms and achieves an average detection latency of 0.67 s in the backbone. Besides, our work applies to the Industrial Internet of Things (IIoT) environment. It can be deployed at edge nodes to provide network security support for IIoT devices.

Chenzhong Yin,Hantang Zhang,Mingxi Cheng,Xiongye Xiao,Xinghe Chen,Xin Ren,Paul Bogdan

2023-12-20

Abstract:Malware represents a significant security concern in today's digital landscape, as it can destroy or disable operating systems, steal sensitive user information, and occupy valuable disk space. However, current malware detection methods, such as static-based and dynamic-based approaches, struggle to identify newly developed (``zero-day") malware and are limited by customized virtual machine (VM) environments. To overcome these limitations, we propose a novel malware detection approach that leverages deep learning, mathematical techniques, and network science. Our approach focuses on static and dynamic analysis and utilizes the Low-Level Virtual Machine (LLVM) to profile applications within a complex network. The generated network topologies are input into the GraphSAGE architecture to efficiently distinguish between benign and malicious software applications, with the operation names denoted as node features. Importantly, the GraphSAGE models analyze the network's topological geometry to make predictions, enabling them to detect state-of-the-art malware and prevent potential damage during execution in a VM. To evaluate our approach, we conduct a study on a dataset comprising source code from 24,376 applications, specifically written in C/C++, sourced directly from widely-recognized malware and various types of benign software. The results show a high detection performance with an Area Under the Receiver Operating Characteristic Curve (AUROC) of 99.85%. Our approach marks a substantial improvement in malware detection, providing a notably more accurate and efficient solution when compared to current state-of-the-art malware detection methods.

Cryptography and Security,Artificial Intelligence,Machine Learning

Xiang Ling,Lingfei Wu,Wei Deng,Zhenqing Qu,Jiangyu Zhang,Sheng Zhang,Tengfei Ma,Bin Wang,Chunming Wu,Shouling Ji

DOI: https://doi.org/10.1109/infocom48880.2022.9796786

2022-01-01

Abstract:With the ever-increasing malware threats, malware detection plays an indispensable role in protecting information systems. Although tremendous research efforts have been made, there are still two key challenges hindering them from being applied to accurately and robustly detect malwares. Firstly, most of them represent executables with shallow features, but ignore their semantic and structural information. Secondly, they are primarily based on representations that can be easily modified by attackers and thus cannot provide robustness against adversarial attacks. To tackle the challenges, we present MalGraph, which first represents executables with hierarchical graphs and then uses an end-to-end learning framework based on graph neural networks for malware detection. In particular, a hierarchical graph consists of a function call graph that captures the interaction semantics among different functions at the inter-function level and corresponding control-flow graphs for learning the structural semantics of each function at the intra-function level. We argue the abstraction and hierarchy nature of hierarchical graphs makes them not only easy to capture rich structural information of executables, but also be immune to adversarial attacks. Evaluations show that MalGraph not only outperforms state-of-the-art malware detection, but also exhibits stronger robustness against adversarial attacks by a large margin.

Guoqiang Ren,Guang Cheng,Nan Fu

DOI: https://doi.org/10.3390/app13031483

2023-01-01

Abstract:Featured Application The results of this paper can be used in the related fields of encrypted malicious traffic analysis, especially in identifying different attacks based on the graph. Telecommuting and telelearning have gradually become mainstream lifestyles in the post-epidemic era. The extensive interconnection of massive terminals gives attackers more opportunities, which brings more significant challenges to network traffic security analysis. The existing attacks, often using encryption technology and distributed attack methods, increase the number and complexity of attacks. However, the traditional methods need more analysis of encrypted malicious traffic interaction patterns and cannot explore the potential correlations of interaction patterns in a macroscopic and comprehensive manner. Anyway, the changes in interaction patterns caused by attacks also need further study. Therefore, to achieve accurate and effective identification of attacks, it is essential to comprehensively describe the interaction patterns of malicious traffic and portray the relations of interaction patterns with the appearance of attacks. We propose a method for classifying attacks based on the traffic interaction attribute graph, named G-TIAG. At first, the G-TIAG studies interaction patterns of traffic describes the construction rule of the graphs and selects the attributive features of nodes in each graph. Then, it uses a convolutional graph network with a GRU and self-attention to classify benign data and different attacks. Our approach achieved the best classification results, with 89% accuracy and F1-Score, 88% recall, respectively, on publicly available datasets. The improvement is about 7% compared to traditional machine learning classification results and about 6% compared to deep learning classification results, which finally successfully achieved the classification of attacks.

Jianjin ZHAO,Qi LI,Shengli LIU,Yanqing YANG,Yueping HONG

DOI: https://doi.org/10.1360/ssi-2021-0280

2022-01-01

Abstract:As an important direction for the evolution of next-generation wireless communication technology, 6G will comprehensively promote the wave of economic and social digitization. Services carried by 6G network will rely heavily on the sharing and processing of massive amounts of data between entities, data security is therefore of great importance. Currently, most network applications utilize SSL/TLS protocols to ensure the confidentiality and security of network communications, while encryption mechanism also brings huge challenges to network security supervision. Though encrypted malicious traffic detection in traditional networks has become a research hotspot, existing technologies cannot be directly applied in 6G networks. In a 6G network with massive, instant and unlimited communications between heterogeneous terminals, network communication behavior patterns are much more diversified, which makes the boundary between normal traffic and malicious traffic more blurred in 6G networks than in traditional networks. Existing studies either analyze encrypted traffic in isolation or aggregation, while they all ignore the rich correlations among encrypted traffic. To this end, we propose an encrypted malicious traffic detection framework based on the graph neural network towards the network security problem of future 6G networks, ET-RSGAT. First, considering the characteristics of super high speed and super large connection of 6G network, we design a simple feature extraction method of encrypted traffic: extracting the TLS handshake raw bytes and TLS record length sequence for one single encrypted session. Second, in view of the correlations of large numbers of heterogeneous terminals and the coexistence of multi-source heterogeneous data communication in 6G networks, we analyze the correlations between encrypted sessions from 2 aspects, which are service correlations and communication behavior correlations. Then we construct an encrypted traffic graph, named ETG. On the basis of ETG, we introduce a graph attention network to utilize the correlations between encrypted sessions to enrich the feature representation of nodes. With rich representation, we build the detection model based on a multi-layer perceptron to identify threats. Considering that the simulation environment of 6G networks is immature, we deploy a variety of heterogeneous terminal nodes and run various network services to simulate the 6G communication scenario, and design related experiments for the interconnection of many heterogeneous terminals in 6G networks. The evaluation and experimental results show that our method can obtain satisfactory detection results in both traditional network and simulated environment datasets.

futai zou,siyu zhang,weixiong rao,ping yi

DOI: https://doi.org/10.1155/2015/102687

2015-01-01

Abstract:AbstractMalware remains a major threat to nowadays Internet. In this paper, we propose a DNS graph mining-based malware detection approach. A DNS graph is composed of DNS nodes, which represent server IPs, client IPs, and queried domain names in the process of DNS resolution. After the graph construction, we next transform the problem of malware detection to the graph mining task of inferring graph nodes' reputation scores using the belief propagation algorithm. The nodes with lower reputation scores are inferred as those infected by malwares with higher probability. For demonstration, we evaluate the proposed malware detection approach with real-world dataset. Our real-world dataset is collected from campus DNS servers for three months and we built a DNS graph consisting of 19,340,820 vertices and 24,277,564 edges. On the graph, we achieve a true positive rate 80.63% with a false positive rate 0.023%. With a false positive of 1.20%, the true positive rate was improved to 95.66%. We detected 88,592 hosts infected by malware or C&C servers, accounting for the percentage of 5.47% among all hosts. Meanwhile, 117,971 domains are considered to be related tomalicious activities, accounting for 1.5% among all domains. The results indicate that our method is efficient and effective in detecting malwares.

Huiling Shi,Wei Zhang,Lei Zhang,Kuichao Zhang,Hongyang Sun

DOI: https://doi.org/10.1109/NaNA60121.2023.00051

2023-08-01

Abstract:Detecting malicious attacks in normal network traffic is critical to network security. Traditional traffic identification methods often struggle to capture the complex communication patterns in network traffic, hindering their effectiveness. We introduce GraphMal, a framework utilizing Graph Neural Networks (GNNs) for the identification of malicious traffic. This approach effectively exploits network topology and traffic characteristics to improve performance. We first apply Pearson's correlation coefficient and random forest approaches to effectively reduce the dimensionality of the dataset. Then, the E-GraphSAGE algorithm is used to extract salient features from the traffic topology graph and construct a robust graph classifier. Additionally, the focal loss function is used to solve the data imbalance problem. Experiments conducted on the UNSW-NB15 dataset demonstrate GraphMal's remarkable performance in both binary and multi-class classification tasks, while improving the learning efficiency of GNNs.

Computer Science

Shanxi Li,Qingguo Zhou,Wei

DOI: https://doi.org/10.3837/tiis.2021.09.010

2021-01-01

KSII Transactions on Internet and Information Systems

Abstract:Malware is a severe threat to the computing system and there's a long history of the battle between malware detection and anti-detection. Most traditional detection methods are based on static analysis with signature matching and dynamic analysis methods that are focused on sensitive behaviors. However, the usual detections have only limited effect when meeting the development of malware, so that the manual update for feature sets is essential. Besides, most of these methods match target samples with the usual feature database, which ignored the characteristics of the sample itself. In this paper, we propose a new malware detection method that could combine the features of a single sample and the general features of malware. Firstly, a structure of Directed Cyclic Graph (DCG) is adopted to extract features from samples. Then the sensitivity of each API call is computed with Markov Chain. Afterward, the graph is merged with the chain to get the final features. Finally, the detectors based on machine learning or deep learning are devised for identification. To evaluate the effect and robustness of our approach, several experiments were adopted. The results showed that the proposed method had a good performance in most tests, and the approach also had stability with the development and growth of malware.

Zongqu Zhao,Junfeng Wang,Chonggang Wang

DOI: https://doi.org/10.1002/sec.524

IF: 1.968

2012-02-28

Security and Communication Networks

Abstract:The traditional malware detection schemes based on specific signature give an unsatisfactory performance as disposing the previously unknown malware, so the general features of binary files should be explored to solve this problem. Recently, classification algorithms were employed successfully to choose the features in unknown malicious code, and most of the works use byte or operation code sequence n‐gram representation of the executables. However, these n‐gram representations are heavily dependent on the training data. In this paper, we present a graph‐based method to detect unknown malware. The function call graph of an executable, which includes the functions and the call relations between them, is selected as the representation of the executable in this method. The features are defined according to both the statistical information and the topology of the function call graph. They are extracted and processed through machine learning to classify unknown Portable Executable files. For the sake of fixed sum of the features, the graph‐based method can avoid so many features found in other methods. In our experiments, three types of malware datasets were tested, and as high as 96.8% accuracy can be achieved. Furthermore, it can achieve 92.1% accuracy when only 5% of the dataset is served as training set. Copyright © 2012 John Wiley & Sons, Ltd. To detect the unknown malware, the features of graph‐based method are predefined from function call graph of software, and then the rules are built with these features to classify an executable as the benign or the malware. The quantity and the contents of these features are independent of testing dataset, and this peculiarity enables our experiment results to nearly reflect the situation of unknown malware detection. The design can provide a high malware detection accuracy by using a small set of training set.

computer science, information systems,telecommunications

Juan Zheng,Zhiyong Zeng,Tao Feng

DOI: https://doi.org/10.1155/2022/4274139

IF: 1.968

2022-01-22

Security and Communication Networks

Abstract:Encrypted network traffic is the principal foundation of secure network communication, and it can help ensure the privacy and integrity of confidential information. However, it hides the characteristics of the data, increases the difficulty of detecting malicious traffic, and protects such malicious behavior. Therefore, encryption alone cannot fundamentally guarantee information security. It is also necessary to monitor traffic to detect malicious actions. At present, the more commonly used traffic classification methods are the method based on statistical features and the method based on graphs. However, these two methods are not always reliable when they are applied to the problem of encrypted malicious traffic detection due to their limitations. The former only focuses on the internal information of the network flow itself and ignores the external connections between the network flows. The latter is just the opposite. This paper proposes an encrypted malicious traffic detection method based on a graph convolutional network (GCN) called GCN-ETA, which considers the statistical features (internal information) of network flows and the structural information (external connections) between them. GCN-ETA consists of two parts: a feature extractor that uses an improved GCN and a classifier that uses a decision tree. Improving on the traditional GCN, the effect and speed of encrypted malicious traffic detection can be effectively improved and the deployment of the detection model in the real environment is increased, which provides a reference for the application of GCN in similar scenarios. This method has achieved excellent performance in experiments using real-world encrypted network traffic data for malicious traffic detection, with the accuracy, AUC, and F1-score exceeding 98% and more than 1,300 flows detected per second.

computer science, information systems,telecommunications

Tristan Bilot,Nour El Madhoun,Khaldoun Al Agha,Anis Zouaoui

DOI: https://doi.org/10.48550/arXiv.2303.16004

2023-08-17

Abstract:Malware detection has become a major concern due to the increasing number and complexity of malware. Traditional detection methods based on signatures and heuristics are used for malware detection, but unfortunately, they suffer from poor generalization to unknown attacks and can be easily circumvented using obfuscation techniques. In recent years, Machine Learning (ML) and notably Deep Learning (DL) achieved impressive results in malware detection by learning useful representations from data and have become a solution preferred over traditional methods. More recently, the application of such techniques on graph-structured data has achieved state-of-the-art performance in various domains and demonstrates promising results in learning more robust representations from malware. Yet, no literature review focusing on graph-based deep learning for malware detection exists. In this survey, we provide an in-depth literature review to summarize and unify existing works under the common approaches and architectures. We notably demonstrate that Graph Neural Networks (GNNs) reach competitive results in learning robust embeddings from malware represented as expressive graph structures, leading to an efficient detection by downstream classifiers. This paper also reviews adversarial attacks that are utilized to fool graph-based detection methods. Challenges and future research directions are discussed at the end of the paper.

Cryptography and Security,Machine Learning

Jiangang Hou,Tong Jiang,Yanmiao Li,Hao Guo,Zhen Zhang,Zhi Liu

DOI: https://doi.org/10.1109/CCCI52664.2021.9583191

2021-10-15

Abstract:With more and more encrypted traffic such as HTTPS, encrypted traffic protects not only normal traffic, but also malicious traffic. Identification of encrypted malicious traffic without decryption has become a research hotspot. Combined with deep learning, an important branch of machine learning, encrypted malicious traffic detection has achieved good results. This paper reviews the detection of encrypted malicious traffic in recent years. Firstly, we classify encrypted malicious traffic. Secondly, we sorts out the extraction characteristics of encrypted malicious traffic, the key and difficult problems we are facing at present. Then, with encrypted malicious traffic detection technology as the main line, we summarized the current detection model from the four core aspects of data collection, data processing, model training and evaluation improvement. Finally, we analyze the problems and point out future research directions.

Computer Science

Rui Wang,Jun Zheng,Zhiwei Shi,Yu'an Tan

DOI: https://doi.org/10.1109/icbctis55569.2022.00018

2022-01-01

Abstract:Nowadays, the popularity of intelligent terminals makes malwares more and more serious. Among the many features of application, the call graph can accurately express the behavior of the application. The rapid development of graph neural network in recent years provides a new solution for the malicious analysis of application using call graphs as features. However, there are still problems such as low accuracy. This paper established a large-scale data set containing more than 40,000 samples and selected the class call graph, which was extracted from the application, as the feature and used the graph embedding combined with the deep neural network to detect the malware. The experimental results show that the accuracy of the detection model proposed in this paper is 97.7%; the precision is 96.6%; the recall is 96.8%; the F1-score is 96.4%, which is better than the existing detection model based on Markov chain and graph embedding detection model.