Fengrui Xiao,Feng Yang,Shuangwu Chen,Jian Yang

DOI: https://doi.org/10.1007/978-3-030-94029-4_1

2022-01-01

Abstract:Nowadays, network traffic detection plays a very important role in protecting cyberspace security, and more and more applications realize data privacy protection through encryption technology. Regular expression matching based methods, such as deep packet inspection that relies on plaintext traffic cannot be applied to detecting encrypted random communication content, and the existing detecting methods based on time-series features often ignore the encryption protocol features. In this work, we design an ensemble learning system based on stack algorithms to identify encrypted malicious traffic, which can detect the interactive behavior and the encryption protocols simultaneously. In detail, we construct a deep learning classifier based on Long Short-Term Memory (LSTM) for time-series features, and a machine learning classifier based on random forests for encryption protocol features. Then, we use the stacking algorithm in ensemble learning to combine them to form a new classifier. Finally, relying on the Datacon2020 dataset, extensive experiments are conducted. The experimental results indicate that the proposed method improves the detection rate of encrypted malicious traffic while keeping a low false positive rate.

HUO Yuehua,ZHAO Faqi,WU Wenhao

DOI: https://doi.org/10.13272/j.issn.1671-251x.17944

2022-01-01

Abstract:The coal mine network is faced with the threat of malicious traffic encrypted by the transport layer security protocol (TLS) generated by malicious software and the high false alarm rate of encrypted traffic during detection. In order to solve the above problems, a multi-feature fusion malicious traffic detection method for coal mine network TLS encryption is proposed. The characteristics of multiple and heterogeneous malicious traffic features of TLS encryption are analyzed. The connection features, metadata and TLS encrypted protocol handshake features of coal mine network TLS encrypted malicious traffic in the transmission process are extracted. A coal mine network TLS encrypted traffic characteristic set is constructed by using a flow fingerprint method. The features in the feature set are standardized, one-hot encoded and normalized, so as to obtain an efficient sample set. Five sub-models of decision tree (DT), K-nearest neighbor (KNN), Gaussian Naive Bayes (GNB), L2 logistic regression (LR) and stochastic gradient descent (SGD) classifiers were used to test the above feature sets. In order to improve the robustness of the detection model, combined with the principle of the voting method, five classifier sub-models are combined to construct a muti-model voting classifier (MVC) detection model. Five classifier sub-models are used as voters. Each classifier sub-model trains the sample set separately, and votes according to the principle of minority obeying majority to get the final prediction value of each sample. The experimental results show that the proposed feature set reduces the dimension of the sample set and improves the detection efficiency of TLS encrypted traffic. DT classifier and KNN classifier perform best on the data set, reaching more than 99% accuracy. But they have the risk of overfitting. Although the LR classifier and SGD classifier sub-models have also achieved recognition accuracy of more than 90%, the false positive rate of these two sub-models is too high. The GNB classifier sub-model performs the worst, with an accuracy of 82%. But it has the advantage of low false-positive rate. The accuracy and recall rate of that MVC detection model on a data set is more than 99%, the false alarm rate is 0.13%. The detection rate of encrypted malicious traffic is improved, and the false alarm rate of encrypted traffic detection is 0. And the comprehensive performance of the MVC detection model is better than that of other classifier sub-models.

Xianchun Zheng,Hui Li

DOI: https://doi.org/10.1109/access.2023.3279120

IF: 3.9

2023-01-01

IEEE Access

Abstract:The popularity of encrypted communication has grown due to increased security awareness and rapid internet development. End-to-end encryption can prevent data attacks but also poses new cybersecurity threats. Thus, identifying malicious encrypted traffic is a focus of research in network behavior analysis and anomaly detection. Recently, deep learning has brought new directions for the development of traffic classification and anomaly detection. Based on deep learning technology, this paper starts from the two directions of data preprocessing and model selection, studies and analyzes multi-dimensional traffic characteristics and multi-granularity carrier characteristics, and proposes corresponding solutions, and finally designs and proposes a malware-oriented Identification scheme for encrypted traffic. This paper first proposes a malicious encrypted traffic identification scheme MET-FMF based on fine-grained multi-feature fusion. Two sets of comparative experiments were designed to compare the multi-dimensional traffic features and the multi-branch network model on the recognition results. The results show that the combination of three-dimensional traffic characteristics and three-branch network model has the best results, with an average accuracy rate of 95.08%.Finally, compared with other schemes, it is found that this scheme has multi-dimensional traffic feature extraction, multi-granularity carrier feature Features such as early session detection and end-to-end transferable learning.

Jinfu Chen,Luo Song,Saihua Cai,Haodi Xie,Shang Yin,Bilal Ahmad

DOI: https://doi.org/10.1145/3613960

IF: 2.717

2023-08-07

ACM Transactions on Privacy and Security

Abstract:In recent years, the use of TLS (Transport Layer Security) protocol to protect communication information has become increasingly popular as users are more aware of network security. However, hackers have also exploited the salient features of the TLS protocol to carry out covert malicious attacks, which threaten the security of network space. Currently, the commonly used traffic detection methods are not always reliable when applied to the problem of encrypted malicious traffic detection due to their limitations. The most significant problem is that these methods do not focus on the key features of encrypted traffic. To address this problem, this study proposes an efficient detection model for encrypted malicious traffic based on transport layer security protocol and a multi-head self-attention mechanism called TLS-MHSA. Firstly, we extract the features of TLS traffic during pre-processing and perform traffic statistics to filter redundant features. Then, we use a multi-head self-attention mechanism to focus on learning key features as well as generate the most important combined features to construct the detection model, thereby detecting the encrypted malicious traffic. Finally, we use a public dataset to verify the effectiveness and efficiency of the TLS-MHSA model, and the experimental results show that the proposed TLS-MHSA model has high precision, recall, F1-measure, AUC-ROC as well as higher stability than seven state-of-the-art detection models.

computer science, information systems

Chuanyu Zhao,Shudong Li,Xiaobo Wu,Weihong Han,Zhihong Tian,Maofei Chen

DOI: https://doi.org/10.1109/dsc53577.2021.00097

2021-01-01

Abstract:The number of malware attacks that use encrypted HTTP traffic to self-propagate or communicate has increased dramatically in recent years. Traditional network traffic detection methods for non-encrypted traffic are difficult to be applied to encrypted traffic detection. While encryption is good for protecting users' privacy, it also comes with a security risk: malicious traffic may hide in encrypted traffic, leading to a series of security problems. Since the encrypted payload cannot be directly observed and it is large, we need to combine domain knowledge and machine learning method to excavate the features hidden in malicious traffic, so as to realize automatic detection of malicious traffic. In this paper, we propose a malicious traffic detection framework based on ensemble learning using the encrypted traffic from real malware, including normal traffic generated by 3000 normal hosts and malicious traffic generated by 3000 malware-infected hosts, provided by DATACON2020 competition. Considering the complexity to decrypt traffic, we use statistical features and sequence features in both flow-level and in host-level perspectives to describe encrypted traffic. Then we build multiple classifiers according to heterogeneous features. Finally we do majority voting to get final result. We achieve 95.0% TPR and 8.4% FPR.

Zhou Zhihong,Bin Hu,Li Jianhua,Yin Ying,Chen Xiuzhen,Ma Jin,Yao Lihong

DOI: https://doi.org/10.1007/s11416-022-00429-y

2022-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:As network traffic is increasingly valued for privacy protection and the encrypted SSL/TLS (Secure Sockets Layer/Transport Layer Security) traffic is surging, more and more malicious behaviors are hidden in it. Current detection methods are less accurate in detecting new and unknown malicious traffic. Although the method based on the supervised machine learning model has excellent accuracy performance, it has low detection strength and poor scalability for new and unknown malicious traffic. Therefore, this paper proposes a malicious SSL/TLS traffic detection method based on feature adaptive learning. The model can automatically learn key classification information from the unmarked malicious SSL/TLS encrypted traffic, and uses the 5-Tuple-Masking technology to optimize the input data, which greatly enhances the model's adaptation ability to new malicious traffic in complex network environments. After experimental verification, its comprehensive accuracy rate reaches 89.25%. Moreover, the supervised convolutional neural network detection method is used to compare and test the feasibility of this model in the field of malicious SSL/TLS traffic detection.

Xiaodong Zang,Tongliang Wang,Xinchang Zhang,Jian Gong,Peng Gao,Guowei Zhang

DOI: https://doi.org/10.1016/j.comnet.2024.110598

IF: 5.493

2024-01-01

Computer Networks

Abstract:The focus on privacy protection has brought much-encrypted network traffic. However, attackers always abuse traffic encryption to conceal malicious behaviors. Although researchers have proposed several enlightening detection methods, they must enhance the generalization ability or improve detection performance. Our inspiration is that the packet header fields, as do the underlying grammatical rules for constructing sentences, have a strict order. We consider the original packet as text and devise a robust approach with natural language processing and a deep learning model to improve the generalization ability and detection performance. We capture the critical keywords as characteristic representations of the traffic and design an adaptive domain generalization algorithm with a new loss function. It is robust against various datasets by generating more malicious samples to augment the minority of malicious samples. Simultaneously, we design an efficient feature selection algorithm, which obtains an optimal feature subset and reduces feature dimensions by 75.3%. To evaluate our work, we conducted extensive experiments with open-source datasets (CICIDS 2017, CICDDoS 2019, and USTC-TFC 2016), the synthetic dataset from IoT-23, and Internet backbone traffic (CERNET). Experimental results demonstrate that our proposal improves detection accuracy by up to 22.8% compared to others not using domain generalization algorithms and achieves an average detection latency of 0.67 s in the backbone. Besides, our work applies to the Industrial Internet of Things (IIoT) environment. It can be deployed at edge nodes to provide network security support for IIoT devices.

Rongfeng Zheng,Jiayong Liu,Kai Li,Shan Liao,Liang Liu

DOI: https://doi.org/10.1109/ICICN51133.2020.9205087

2020-01-01

Abstract:For highly camouflaged Command and Control (C&C) communications, especially those using the Transport Security Layer (TLS) protocol, traditional classifiers which only based on statistical features or TLS handshake features gradually fail to detect such behavior. In this context, exploring features of other dimensions to build a more targeted recognition model is one of the ways to alleviate this problem. This paper proposed a new method of detecting malicious TLS traffic by using the communication channel as the detection unit, and a new set of modeling features for the communication channel was designed, including distribution features, the consistency features and statistical features of TLS communication channel. Experiments show that compared with other two types of features, the consistency features contribute most, and combining these three types of features together can train a better classifier which the precision reaches 92.57%. Comparative experiments show that the proposed method is more advantageous when faced with highly camouflaged TLS flows because the proposed method also achieved highest F1 score, and the accuracy is about 2% higher than the classifier based on the TLS handshake features, and 12% higher than the clustering model based on the statistical features of flow.

Rongfeng Zheng,Jiayong Liu,Liang Liu,Shan Liao,Kai Li,Jihong Wei,Li Li,Zhiyi Tian

DOI: https://doi.org/10.1371/journal.pone.0232696

IF: 3.7

2020-01-01

PLoS ONE

Abstract:The transport layer security (TLS) protocol is widely adopted by apps as well as malware. With the geometric growth of TLS traffic, accurate and efficient detection of malicious TLS flows is becoming an imperative. However, current studies focus on either detection accuracy or detection efficiency, and few studies take into account both indicators. In this paper, we propose a two-layer detection framework composed of a filtering model (FM) and a malware family classification model (MFCM). In the first layer, a new set of TLS handshake features is presented to train the FM, which is devised to filter out a majority of benign TLS flows. For identifying malware families, both TLS handshake features and statistical features are applied to construct the MFCM in the second layer. Comprehensive experiments are conducted to substantiate the high accuracy and efficiency of the proposed two-layer framework. A total of 96.32% of benign TLS flows can be filtered out by the FM with few malicious TLS flows being discarded provided the threshold of the FM is set to 0.01. Moreover, a multi-classifier is selected to construct the MFCM to provide better performance than a set of binary classifiers under the same feature set. In addition, when the ratio of benign and malicious TLS flows is set to 10:1, the detection efficiency of the two-layer framework is 188% faster than that of the single-layer framework, while the average detection accuracy reaches 99.45%.

Rui Dai,Chuan Gao,Bo Lang,Lixia Yang,Hongyu Liu,Shaojie Chen

DOI: https://doi.org/10.1145/3371676.3371697

2019-01-01

Abstract:In recent years, as more and more softwares use SSL encryption protocol to improve the security and integrity of communications, the encrypted traffic is growing, which brings new challenges to cyber attack detection. Since most of the SSL traffic is unreadable ciphertext, traditional pattern recognition and deep packet inspection are not applicable. In addition, the current machine learning methods are not fully applicable to encrypted traffic detection. The detection of encrypted malicious traffic is still an open problem. In this paper, we propose an SSL malicious traffic detection method based on multi-view features. Our method comprehensively extracts features from multiple views, including flow statistics, SSL handshake field, and certificate to retain key original information. We test four machine learning models, i.e., SVM, Decision Tree, Random Forest, and XGBoost on the CTU Malware dataset. The results show that XGBoost performs best reaching an accuracy of 97.71%, which is better than other studies on the CTU dataset.

Tangda Yu,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1109/cyberc.2019.00020

2019-01-01

Abstract:In recent years, with the widespread use of encrypted traffic communication technology, network traffic encryption has been gradually becoming a standard of communication. This phenomenon has a great impact on traditional traffic detection methods, especially on anomaly detection methods, which are highly dependent on the type of network protocol types and traffic data. By surveying the existing encrypted traffic classification and analyzing these methods, we found that there are two main methods for detection: payload-based detection and feature-based detection. On this basis, this paper puts forward an Encrypted Malicious Traffic Detection System which is based on multi-AEs(Autoencoder). We use malicious sandbox for traffic data collection, mark malicious flow and normal flow with labels. After that, we use multilayer networks of AEs for feature extraction and training classifier model. Our system analyzes the feature of cryptographic protocol from handshake phase to Authentication phase on the basis of existing research, and we extract the traffic feature for a better classification by further expanding flow feature vector to the higher dimensions. In addition, we compared the performance of our model with the traditional learning model under the same environment. The experimental results showed that our system had higher detection accuracy and lower loss rate. We also studied the influence of dataset imbalance on results in the detection of encrypted traffic by several experiments. According to the experimental evaluation, dataset imbalance will lead to the decrease of positive rate.

Yuehua Huo,Faqi Zhao,Hangsheng Zhang,Shangyuan Zhuang,Jiyan Sun

DOI: https://doi.org/10.1155/2022/1556768

2022-01-01

Wireless Communications and Mobile Computing

Abstract:The sharp increasing volume of encrypted traffic generated by malware brings a huge challenge to traditional payload-based malicious traffic detection methods. Solutions that based on machine learning and deep learning are becoming mainstream. However, the machine learning-based methods are limited by manual-design features, which have the problem of highly correlated multicollinearity. And both methods rely heavily on a large number of labeled samples, which needs lots of human effort. In this paper, we apply the active learning to the malicious encrypted traffic detection problem and propose AS-DMF framework. AS-DMF is a lightweight detection framework that combine the uncertainty sampling and density-based query strategy to query the informative and representative instances from the sample set and then train them in a detection (DMF) model. Moreover, we propose a feature selection mechanism which can select the meaningful features of traffic efficiently. Our comprehensive experiments on the real-word dataset indicate that AS-DMF achieves lightweighting at both feature and data levels with a high performance of 0.9460 mAcc.

Kunlin Li,Baojiang Cui

DOI: https://doi.org/10.1007/978-3-030-79728-7_20

2021-06-24

Abstract:With the increasing popularity of traffic encryption protocols such as SSL/TLS, attacks based on encrypted traffic are more and more rampant, so does the need to inspect all SSL traffic. At present, the methods based on feature engineering and the methods based on deep learning and representation learning are the research hot-spots. In this paper, a new method of encrypted malicious traffic identification is proposed, which is based on deep learning and four- tuple feature. The unit of traffic identification is flow four-tuple. We extract 3 types of features which are statistical feature, handshake byte stream feature, and application data size sequence feature. We design different deep learning models to deal with various features and work together in traffic identification. We used the CTU Malware dataset to experiment. The results show that the accuracy of our method can reach 98.31%, which is better than that of other methods using four-tuple as the unit of flow identification and experimenting on the CTU Malware dataset.

Zihao Wang,Vrizlynn L. L. Thing

DOI: https://doi.org/10.1016/j.cose.2023.103143

2023-04-07

Abstract:The popularity of encryption mechanisms poses a great challenge to malicious traffic detection. The reason is traditional detection techniques cannot work without the decryption of encrypted traffic. Currently, research on encrypted malicious traffic detection without decryption has focused on feature extraction and the choice of machine learning or deep learning algorithms. In this paper, we first provide an in-depth analysis of traffic features and compare different state-of-the-art traffic feature creation approaches, while proposing a novel concept for encrypted traffic feature which is specifically designed for encrypted malicious traffic analysis. In addition, we propose a framework for encrypted malicious traffic detection. The framework is a two-layer detection framework which consists of both deep learning and traditional machine learning algorithms. Through comparative experiments, it outperforms classical deep learning and traditional machine learning algorithms, such as ResNet and Random Forest. Moreover, to provide sufficient training data for the deep learning model, we also curate a dataset composed entirely of public datasets. The composed dataset is more comprehensive than using any public dataset alone. Lastly, we discuss the future directions of this research.

Cryptography and Security,Artificial Intelligence,Machine Learning

Yueping Hong,Qi Li,Yanqing Yang,Meng Shen

DOI: https://doi.org/10.1016/j.ins.2023.119229

IF: 8.1

2023-06-02

Information Sciences

Abstract:At present, the TLS cryptographic protocol is widely deployed. While protecting the security and integrity of transmitted information, it also makes the detection of malicious behavior more difficult. In recent years, researchers have proposed many encrypted malicious traffic detection methods. However, the existing approaches have some shortcomings. Firstly, although researchers have extracted multi-view features from different aspects, which can be divided into vectorized features based on feature engineering and image features based on original data, existing methods cannot fully integrate the features of different forms of expression. Secondly, most of the existing methods do not fully analyze the correlation between different encrypted traffic. Thirdly, the existing methods based on correlation analysis have low processing efficiency and cannot be applied to real networks. In the paper, we present MalDiscovery , a novel technique to discover encrypted malicious traffic to address all the above issues. For encrypted malicious traffic, MalDiscovery constructs an attribute KNN graph, in which encrypted sessions are used as nodes to construct a KNN graph according to the similarity of image features, and vectorized features are used as attributes of corresponding nodes. After that, the GraphSAGE model is used to collect relevant node information through correlation analysis to enrich the embeddings of each node. Finally, we achieve the accurate binary classification of nodes in the graph based on richer embeddings. We use extensive experiments to evaluate the proposed method, and the experiment results show that MalDiscovery can achieve an accuracy of about 99.9%, significantly outperforming all compared methods.

computer science, information systems

Yu Zhang,Xuecheng Yu,Yan Huang,Xiaohong Yang,Zhenhong Jia,Xizhong Qin

DOI: https://doi.org/10.21203/rs.3.rs-3134884/v1

2023-01-01

Abstract:Abstract Network traffic classification is an important task for ensuring network security and managing resources. The existing solution strategies are based on predefined features extracted by experts, which leads to high uncertainty when applied to network traffic classification. At the same time, it is necessary to continuously update features, making it difficult to achieve model migration and application. In contrast, in this study, a novel deep learning-based method was proposed to accurately determine network traffic characteristics. First, the traffic data were transformed into image data with texture features. Then, based on the characteristics of the input data, we proposed a multitask classification model for malicious and encrypted traffic called the multilevel spatiotemporal feature fusion enhanced network traffic classification model (MLST-FENet). This model automatically learns the nonlinear relationship between input and output and is an end-to-end framework. Experiments showed that MLST-FENet achieves better detection and classification performance for malicious and encrypted traffic on the USTC-TFC2016 and ISCX VPN -NONVPN datasets and has strong generalization ability, so it can be used in many practical application scenarios, providing more valuable information for the field of network security.

Yong Fang,Kai Li,Rongfeng Zheng,Shan Liao,Yue Wang

DOI: https://doi.org/10.1016/j.comnet.2021.108297

IF: 5.493

2021-01-01

Computer Networks

Abstract:We present a novel method for detecting malicious TLS traffic based on communication channels that can detect deeply camouflaged malicious traffic. Moreover, we designed and extracted three types of channel features, namely, distribution features, consistency features of the Transport Layer Security (TLS) handshake field, and statistical features. Simultaneously, an efficacy feature selection method comprising a genetic algorithm is presented to obtain a global optimal feature subset, which reduces feature dimensions by 64% and increases accuracy by 1.5%. Comparison experiment results show that the proposed method possesses a more stable detection efficacy on different datasets with an accuracy of 97.65% and a much higher F1-score compared with other state-of-the-art classification methods.

Yu Zhang,Zhenhong Jia,Hui Zhao,Xiaoyi Lu,Fei Shi,Gang Zhou,Jiajia Wang

DOI: https://doi.org/10.1145/3690407.3690459

2024-01-01

Abstract:Network traffic classification is an important task for ensuring network security and managing resources. in this study, a novel deep learning-based method was proposed to accurately determine network traffic characteristics. First, the traffic data were transformed into image data with texture features. Then, based on the characteristics of the input data, we proposed a multitask classification model for malicious and encrypted traffic called the multilevel spatio-temporal feature fusion enhanced network traffic classification model (MLST-FENet). This model automatically learns the nonlinear relationship between input and output and is an end-to-end framework. Experiments showed that MLST-FENet achieves better detection and classification performance for malicious and encrypted traffic on the USTC-TFC2016 and ISCX VPN-NONVPN datasets and has strong generalization ability, so it can be used in many practical application scenarios, providing more valuable information for the field of network security.

Peng Xiao,Ying Yan,Jian Hu,Zhenhong Zhang

DOI: https://doi.org/10.1155/2024/8725832

IF: 1.968

2024-06-02

Security and Communication Networks

Abstract:Malicious encrypted traffic detection is a critical component of network security management. Previous detection methods can be categorized into two classes as follows: one is to use the feature engineering method to construct traffic features for classification and the other is to use the end-to-end method that directly inputs the original traffic to obtain traffic features for classification. Both of the abovementioned two methods have the problem that the obtained features cannot fully characterize the traffic. To this end, this paper proposes a hierarchical multimodal deep learning model (HMMED) for malicious encrypted traffic detection. This model adopts the abovementioned two feature generation methods to learn the features of payload and header, respectively, then fuses the features to get the final traffic features, and finally inputs the final traffic features into the softmax classifier for classification. In addition, since traditional deep learning is highly dependent on the training set size and data distribution, resulting in a model that is not very generalizable and difficult to adapt to unseen encrypted traffic, the model proposed in this paper uses a large amount of unlabeled encrypted traffic in the pretraining layer to pretrain a submodel used to obtain a generic packet payload representation. The test results on the USTC-TFC2016 dataset show that the proposed model can effectively solve the problem of insufficient feature extraction of traditional detection methods and improve the ACC of malicious encrypted traffic detection.

computer science, information systems,telecommunications

Haitao Zhang,Lei Luo,Yun Li,Lirong Chen,Xiaobo Wu

DOI: https://doi.org/10.1109/dsc55868.2022.00076

2022-01-01

Abstract:More and more data is transferred in encrypted ways, especially over HTTPS. As a result, network attackers often use encryption algorithms to transmit control commands to avoid detection. Malware or unidentified users may use unauthorized encrypted proxy to communicate and access malicious websites. Confirming the details of these behaviors facilitates the analysis of suspicious events, but intercepted encrypted traffic cannot be parsed. Since the payload of encrypted traffic is not observable, machine learning algorithm combined with domain knowledge is the mainstream method to detect malicious encrypted traffic. Considering the complexity of decrypting traffic, we start from host level and flow level, exploit packet length histogram, sequence features and statistical features to describe traffic. In particular, we use Word2Vec algorithm to represent packet length sequence. In experiment, we collect the encrypted traffic generated by malware communicating with multiple websites through encrypted proxy. Experiment result shows the effectiveness of our framework and achieve 96.2% Accuracy.