Xingwen Zhao,Han Zhang,Hui Li,Xuangui Chen

DOI: https://doi.org/10.1016/j.comnet.2024.110824

2024-01-01

Abstract:In the current network environment, an increasing amount of malicious traffic is transmitted through encrypted channels, carrying control commands and data. With the continuous development of communication protocols and applications, new types of malicious encrypted traffic are emerging, posing significant challenges for network management (e.g., traffic engineering). Therefore, accurately identifying malicious traffic in complex open network spaces has become a hot research topic in network security. In this study, we draw inspiration from channel theory in image science and innovatively convert traffic data into Red-Green-Blue (RGB) image format to achieve the fusion of multiple features. Inspired by image recognition technologies, we have designed a multi-granularity network model that integrates both global and local features, serving as our core network architecture. At the top of the model, we have equipped each known category with a unique autoencoder, using its generated manifold to replace traditional prototypes for model construction. Classification is accomplished through a scoring mechanism that evaluates category membership and by setting thresholds to achieve open set recognition of unknown categories. Relying on our self-created dataset,Malicious and Encrypted Traffic 2024 (MNET2024), we conduct a series of extensive experiments. The results demonstrate that our proposed method exhibits outstanding performance in both closed-set and open-set recognition tasks.

Yu Zhang,Zhenhong Jia,Hui Zhao,Xiaoyi Lu,Fei Shi,Gang Zhou,Jiajia Wang

DOI: https://doi.org/10.1145/3690407.3690459

2024-01-01

Abstract:Network traffic classification is an important task for ensuring network security and managing resources. in this study, a novel deep learning-based method was proposed to accurately determine network traffic characteristics. First, the traffic data were transformed into image data with texture features. Then, based on the characteristics of the input data, we proposed a multitask classification model for malicious and encrypted traffic called the multilevel spatio-temporal feature fusion enhanced network traffic classification model (MLST-FENet). This model automatically learns the nonlinear relationship between input and output and is an end-to-end framework. Experiments showed that MLST-FENet achieves better detection and classification performance for malicious and encrypted traffic on the USTC-TFC2016 and ISCX VPN-NONVPN datasets and has strong generalization ability, so it can be used in many practical application scenarios, providing more valuable information for the field of network security.

Yu Zhang,Xuecheng Yu,Yan Huang,Xiaohong Yang,Zhenhong Jia,Xizhong Qin

DOI: https://doi.org/10.21203/rs.3.rs-3134884/v1

2023-01-01

Abstract:Abstract Network traffic classification is an important task for ensuring network security and managing resources. The existing solution strategies are based on predefined features extracted by experts, which leads to high uncertainty when applied to network traffic classification. At the same time, it is necessary to continuously update features, making it difficult to achieve model migration and application. In contrast, in this study, a novel deep learning-based method was proposed to accurately determine network traffic characteristics. First, the traffic data were transformed into image data with texture features. Then, based on the characteristics of the input data, we proposed a multitask classification model for malicious and encrypted traffic called the multilevel spatiotemporal feature fusion enhanced network traffic classification model (MLST-FENet). This model automatically learns the nonlinear relationship between input and output and is an end-to-end framework. Experiments showed that MLST-FENet achieves better detection and classification performance for malicious and encrypted traffic on the USTC-TFC2016 and ISCX VPN -NONVPN datasets and has strong generalization ability, so it can be used in many practical application scenarios, providing more valuable information for the field of network security.

Hui Zhang,Gaopeng Gou,Gang Xiong,Chang Liu,Yuewen Tan,Ke Ye

DOI: https://doi.org/10.1007/978-3-030-89137-4_11

2021-01-01

Abstract:The prosperity and development of mobile network makes mobile applications inseparable from people’s life. Although the encryption of mobile communication traffic protects the privacy of users to a certain extent, it also brings great challenges to network management and supervision. At present, many researches use machine learning or deep learning to classify encrypted traffic, but most of them only focus on single granularity classification task. Moreover, the method of multi granularity classification is more artificial, which cannot fully mine the effective information of multi granularity encrypted traffic classification. In this paper, we propose fusion feature based model, an end-to-end framework, which can automatically generate distinguishing fingerprints at three different granularities: app, in-app activity, and app-activity. Specifically, we use 1D-CNN to extract the spatial characteristics of the first packet payloads, and bidirectional LSTM to learn the timing characteristics of the packet length sequences and the packet direction sequences. Extensive experiments based on real-world encrypted mobile traffic show that, the proposed model achieves the best results in the multi-granularity classification task of mobile encrypted traffic, compared with the four state-of-the-art methods. Our work can provide an effective solution for the hierarchical and refined management of mobile networks.

HUO Yuehua,ZHAO Faqi

DOI: https://doi.org/10.19678/j.issn.1000-3428.0064805

2023-01-01

Abstract:Although encryption technology protects network communications,plenty malware uses encryption protocols to hide malicious behavior. For the existing Transport Layer Security（TLS） encrypted malicious traffic detection techniques based on machine learning,a single model detection algorithm is available for multi-granularity features,poor applicability,and a high false alarm rate of mixed traffic detection problems. A non-decryption TLS-encrypted malicious traffic detection method based on Stacking strategy and multi-feature fusion is proposed. The multigranularity of encrypted malicious traffic features is analyzed to extract the flow features,connection features,and TLS handshake features of the traffic.The extracted features are statutorily processed using feature engineering to reduce computational overhead. The Random Forest（RF）,XGBoost,and Gaussian Naive Bayesian（GNB） classifier models are built for the three classes of features after statute processing to learn the hidden patterns inside them. Using the multidimensional features processed via stream fingerprint fusion,three classifier models are combined using a Stacking strategy to form DMMFC detection model to identify TLSencrypted malicious traffic in the network. The performance of the constructed model is evaluated on the CTU-13 public dataset. The experimental results show that the identification recall of the proposed method is dimensionality of 99.93% in binary classification experiments and a False Alarm Rate（FAR） is less than 0.10% in malicious traffic detection. In can effectively detect non-decrypted TLS encrypted malicious traffic.

Junhao Liu,Guolin Shao,Hong Rao,Xiangjun Li,Xuan Huang

DOI: https://doi.org/10.3390/app142210366

2024-01-01

Applied Sciences

Abstract:While encryption enhances data security, it also presents significant challenges for network traffic analysis, especially in detecting malicious activities. To tackle this challenge, this paper introduces combined Attention-aware Feature Fusion and Communication Graph Embedding Learning (AFF_CGE), an advanced representation learning framework designed for detecting encrypted malicious traffic. By leveraging an attention mechanism and graph neural networks, AFF_CGE extracts rich semantic information from encrypted traffic and captures complex relations between communicating nodes. Experimental results reveal that AFF_CGE substantially outperforms traditional methods, improving F1-scores by 5.3% through 22.8%. The framework achieves F1-scores ranging from 0.903 to 0.929 across various classifiers, exceeding the performance of state-of-the-art techniques. These results underscore the effectiveness and robustness of AFF_CGE in detecting encrypted malicious traffic, demonstrating its superior performance.

Ming Liu,Qichao Yang,Wenqing Wang,Shengli Liu

DOI: https://doi.org/10.3390/s24206507

IF: 3.9

2024-10-11

Sensors

Abstract:The exponential growth of encrypted network traffic poses significant challenges for detecting malicious activities online. The scale of emerging malicious traffic is significantly smaller than that of normal traffic, and the imbalanced data distribution poses challenges for detection. However, most existing methods rely on single-category features for classification, which struggle to detect covert malicious traffic behaviors. In this paper, we introduce a novel semi-supervised approach to identify malicious traffic by leveraging multimodal traffic characteristics. By integrating the sequence and topological information inherent in the traffic, we achieve a multifaceted representation of encrypted traffic. We design two independent neural networks to learn the corresponding sequence and topological features from the traffic. This dual-feature extraction enhances the model's robustness in detecting anomalies within encrypted traffic. The model is trained using a joint strategy that minimizes both the reconstruction error from the autoencoder and the classification loss, allowing it to effectively utilize limited labeled data alongside a large amount of unlabeled data. A confidence-estimation module enhances the classifier's ability to detect unknown attacks. Finally, our method is evaluated on two benchmark datasets, UNSW-NB15 and CICIDS2017, under various scenarios, including different training set label ratios and the presence of unknown attacks. Our model outperforms other models by 3.49% and 5.69% in F1 score at labeling rates of 1% and 0.1%, respectively.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Hong Huang,Xingxing Zhang,Ye Lu,Ze Li,Shaohua Zhou

DOI: https://doi.org/10.32604/cmc.2024.047918

2024-01-01

Abstract:While encryption technology safeguards the security of network communications, malicious traffic also uses encryption protocols to obscure its malicious behavior. To address the issues of traditional machine learning methods relying on expert experience and the insufficient representation capabilities of existing deep learning methods for encrypted malicious traffic, we propose an encrypted malicious traffic classification method that integrates global semantic features with local spatiotemporal features, called BERT-based Spatio-Temporal Features Network (BSTFNet). At the packet-level granularity, the model captures the global semantic features of packets through the attention mechanism of the Bidirectional Encoder Representations from Transformers (BERT) model. At the byte-level granularity, we initially employ the Bidirectional Gated Recurrent Unit (BiGRU) model to extract temporal features from bytes, followed by the utilization of the Text Convolutional Neural Network (TextCNN) model with multi-sized convolution kernels to extract local multi-receptive field spatial features. The fusion of features from both granularities serves as the ultimate multidimensional representation of malicious traffic. Our approach achieves accuracy and F1-score of 99.39% and 99.40%, respectively, on the publicly available USTC-TFC2016 dataset, and effectively reduces sample confusion within the Neris and Virut categories. The experimental results demonstrate that our method has outstanding representation and classification capabilities for encrypted malicious traffic.

computer science, information systems,materials science, multidisciplinary

Tangda Yu,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1109/cyberc.2019.00020

2019-01-01

Abstract:In recent years, with the widespread use of encrypted traffic communication technology, network traffic encryption has been gradually becoming a standard of communication. This phenomenon has a great impact on traditional traffic detection methods, especially on anomaly detection methods, which are highly dependent on the type of network protocol types and traffic data. By surveying the existing encrypted traffic classification and analyzing these methods, we found that there are two main methods for detection: payload-based detection and feature-based detection. On this basis, this paper puts forward an Encrypted Malicious Traffic Detection System which is based on multi-AEs(Autoencoder). We use malicious sandbox for traffic data collection, mark malicious flow and normal flow with labels. After that, we use multilayer networks of AEs for feature extraction and training classifier model. Our system analyzes the feature of cryptographic protocol from handshake phase to Authentication phase on the basis of existing research, and we extract the traffic feature for a better classification by further expanding flow feature vector to the higher dimensions. In addition, we compared the performance of our model with the traditional learning model under the same environment. The experimental results showed that our system had higher detection accuracy and lower loss rate. We also studied the influence of dataset imbalance on results in the detection of encrypted traffic by several experiments. According to the experimental evaluation, dataset imbalance will lead to the decrease of positive rate.

Zihao Wang,Vrizlynn L. L. Thing

DOI: https://doi.org/10.1016/j.cose.2023.103143

2023-04-07

Abstract:The popularity of encryption mechanisms poses a great challenge to malicious traffic detection. The reason is traditional detection techniques cannot work without the decryption of encrypted traffic. Currently, research on encrypted malicious traffic detection without decryption has focused on feature extraction and the choice of machine learning or deep learning algorithms. In this paper, we first provide an in-depth analysis of traffic features and compare different state-of-the-art traffic feature creation approaches, while proposing a novel concept for encrypted traffic feature which is specifically designed for encrypted malicious traffic analysis. In addition, we propose a framework for encrypted malicious traffic detection. The framework is a two-layer detection framework which consists of both deep learning and traditional machine learning algorithms. Through comparative experiments, it outperforms classical deep learning and traditional machine learning algorithms, such as ResNet and Random Forest. Moreover, to provide sufficient training data for the deep learning model, we also curate a dataset composed entirely of public datasets. The composed dataset is more comprehensive than using any public dataset alone. Lastly, we discuss the future directions of this research.

Cryptography and Security,Artificial Intelligence,Machine Learning

Candong Rong,Gaopeng Gou,Mingxin Cui,Gang Xiong,Zhen Li,Li Guo

DOI: https://doi.org/10.1109/ISCC50000.2020.9219609

2020-01-01

Abstract:Malicious events pose a significant threat to the current increasingly interconnected Internet community. Detection based on features of network traffic and machine learning algorithms is a common approach to identify malicious events. The performance of approaches is associated with the used features and algorithms. In this paper, we propose MalFinder, an ensemble learning-based framework for malicious traffic detection. Considering the trend of network traffic encryption and the complexity of decrypting traffic, we utilize statistical features and sequence features to describe network traffic. We extend the dimensions of these two types of features to enhance their capability for representing traffic data. Feature importance analysis and contrast experiments illustrate the effectiveness of our new features. Among our selected classifiers suitable for malicious traffic detection, boosting-based classifiers XGBoost and LightGBM can reduce bias, and bagging-based classifier Random Forest can reduce variance. Stacking, which is the integration method of the classification results used in our framework, can improve the generalization ability of the method. MalFinder can achieve 96.58% F-measure and 95.44% accuracy in the malicious traffic detection task on a real-world dataset, whose results are better than those of comparison methods. In terms of unseen malicious traffic discovery, MalFinder still provides good performance with 93.46% F-measure and 91.04% accuracy, which even surpasses the results in the task of known malicious traffic detection of other comparative methods. With consideration of the scarcity of public data sets used for malicious traffic detection, we have exposed our self-built dataset for more extensive researches.

Yao Liu,Xiaoyu Bai,Qiao Liu,Tian Lan,Le Zhou,Tinghao Zhou

DOI: https://doi.org/10.1007/978-981-99-9331-4_43

2024-01-01

Abstract:With the proliferation of malware, malware detection techniques have become more critical to protect the security and privacy of users. While existing malware detection techniques have achieved superior accuracy and detection rates, most of these techniques require a large number of labeled samples for training. In general, assembling a large amount of reliable data is still expensive, time-consuming, and even impossible. These malware detection techniques do not achieve good results on a small number of labeled samples and do not have the capability to detect new or variant malware. Therefore, it is necessary to investigate solutions for detecting malware in the few-shot scenario. This paper proposes a hierarchical feature fusion malware detection framework based on multi-task meta-learning, namely Meta-HFMD. The proposed framework first adopts a hierarchical feature fusion approach to learn hierarchical spatial traffic features from packet-level and flow-level. Then, it constructs an efficient multi-task malware detection model based on model-agnostic meta-learning (MAML), which can detect malware with tiny labeled samples. Experimental results demonstrate that Meta-HFMD achieves satisfactory results in the few-shot malware detection task, both in single-platform and cross-platform environments, and its performance metrics outperform other baseline models.

Chuanyu Zhao,Shudong Li,Xiaobo Wu,Weihong Han,Zhihong Tian,Maofei Chen

DOI: https://doi.org/10.1109/dsc53577.2021.00097

2021-01-01

Abstract:The number of malware attacks that use encrypted HTTP traffic to self-propagate or communicate has increased dramatically in recent years. Traditional network traffic detection methods for non-encrypted traffic are difficult to be applied to encrypted traffic detection. While encryption is good for protecting users' privacy, it also comes with a security risk: malicious traffic may hide in encrypted traffic, leading to a series of security problems. Since the encrypted payload cannot be directly observed and it is large, we need to combine domain knowledge and machine learning method to excavate the features hidden in malicious traffic, so as to realize automatic detection of malicious traffic. In this paper, we propose a malicious traffic detection framework based on ensemble learning using the encrypted traffic from real malware, including normal traffic generated by 3000 normal hosts and malicious traffic generated by 3000 malware-infected hosts, provided by DATACON2020 competition. Considering the complexity to decrypt traffic, we use statistical features and sequence features in both flow-level and in host-level perspectives to describe encrypted traffic. Then we build multiple classifiers according to heterogeneous features. Finally we do majority voting to get final result. We achieve 95.0% TPR and 8.4% FPR.

Shengbao Li,Yuchuan Huang,Tianye Gao,Lanqi Yang,Yige Chen,Quanbo Pan,Tianning Zang,Fei Chen

DOI: https://doi.org/10.1155/2023/9118153

2023-04-30

Wireless Communications and Mobile Computing

Abstract:In recent years, an increasing number of mobile platforms and applications have adopted traffic encryption protocol technology to ensure privacy and security. Existing researches on encrypted traffic identification approaches often rely on a single-modal feature pattern (such as packet sequence and statistical features), which cannot fully represent the detail information of complex traffic features, and so their predictions are susceptible to anomalies. In order to improve the effect of classification on encrypted app traffic, we propose FusionTC, a novel app traffic classification framework based on feature fusion of flow sequence. FusionTC consists of two-level subclassifiers, which are used to perform decision-level fusion of multimodal features by an upgraded stacking method. The comprehensive capture and fusion of multimodal traffic details, coupled with the refined processing and segmentation of traffic, enables FusionTC to significantly promote classification accuracy and enhance robustness in challenging situations. Based on our self-built app traffic dataset, FusionTC improves the accuracy by at least 3.2% over the state-of-the-art approaches.

computer science, information systems,telecommunications,engineering, electrical & electronic

Mingxing Li,Xuyan Song,Jingling Zhao,Baojiang Cui

DOI: https://doi.org/10.1109/iccc56324.2022.10065869

2022-01-01

Abstract:Encryption protocols can protect personal privacy, but attackers can also use it to evade detection by intrusion detection systems. If an intrusion detection system can identify the malware family class to which the encrypted malicious traffic belongs, it can take targeted measures to mitigate the damage. Traditional payload-based methods are no longer effective for encrypted malicious traffic classification, while deep learning-based methods have made some progress. In this paper, we propose a hybrid deep learning model TCMal, which consists of two sub-networks: T-net and C-net. T-net can be unsupervised pre-trained through transformer for representation learning of raw packets, while C-net for flow-level feature extraction through convolutional neural network. The experimental results show that TCMal outperforms the other four models and a control group model on all three datasets(the average F1-Score is 91.71%, 95.56%, and 91.92% on the three datasets, 2.8%, 3.51%, and 5.66% higher than the second place model, respectively). TCMal also proves the feasibility of transformer in encrypted malicious traffic classification.

Haitao Zhang,Lei Luo,Yun Li,Lirong Chen,Xiaobo Wu

DOI: https://doi.org/10.1109/dsc55868.2022.00076

2022-01-01

Abstract:More and more data is transferred in encrypted ways, especially over HTTPS. As a result, network attackers often use encryption algorithms to transmit control commands to avoid detection. Malware or unidentified users may use unauthorized encrypted proxy to communicate and access malicious websites. Confirming the details of these behaviors facilitates the analysis of suspicious events, but intercepted encrypted traffic cannot be parsed. Since the payload of encrypted traffic is not observable, machine learning algorithm combined with domain knowledge is the mainstream method to detect malicious encrypted traffic. Considering the complexity of decrypting traffic, we start from host level and flow level, exploit packet length histogram, sequence features and statistical features to describe traffic. In particular, we use Word2Vec algorithm to represent packet length sequence. In experiment, we collect the encrypted traffic generated by malware communicating with multiple websites through encrypted proxy. Experiment result shows the effectiveness of our framework and achieve 96.2% Accuracy.

Kunlin Li,Baojiang Cui

DOI: https://doi.org/10.1007/978-3-030-79728-7_20

2021-06-24

Abstract:With the increasing popularity of traffic encryption protocols such as SSL/TLS, attacks based on encrypted traffic are more and more rampant, so does the need to inspect all SSL traffic. At present, the methods based on feature engineering and the methods based on deep learning and representation learning are the research hot-spots. In this paper, a new method of encrypted malicious traffic identification is proposed, which is based on deep learning and four- tuple feature. The unit of traffic identification is flow four-tuple. We extract 3 types of features which are statistical feature, handshake byte stream feature, and application data size sequence feature. We design different deep learning models to deal with various features and work together in traffic identification. We used the CTU Malware dataset to experiment. The results show that the accuracy of our method can reach 98.31%, which is better than that of other methods using four-tuple as the unit of flow identification and experimenting on the CTU Malware dataset.

Jiayong Liu,Zhiyi Tian,RongFeng Zheng,Liang Liu

DOI: https://doi.org/10.1109/access.2019.2930717

IF: 3.9

2019-01-01

IEEE Access

Abstract:The popularity of encryption method brings a great challenge to malware traffic identification. Traditional classes defined by expert experience are usually classified based on the host behaviors of malware, such as banking malware or ransomware, which are often irrelevant to its communication traffic behaviors. It leads to the fact that the boundaries of traffic feature dataset of different malware classes are fuzzy and make these traditional classes unhelpful for classification based on traffic features. Meanwhile, traditional machine learning-based encrypted malware traffic identification methods, such as using the multi-classification supervised learning model, are inefficient both in model training and detection, and its detection accuracy cannot meet the demand. In this paper, we propose a distance-based method, which utilizes unsupervised learning algorithm Gaussian mixture model (GMM) and ordering points to identify the clustering structure (OPTICS) to calculate the Distance between malwares and make use of the Distance to define the new malware class called FClass. Then, a set of models are trained by XGBoost algorithm to build an identification framework based on the FClass. The performance of the proposed method has been evaluated by comparing it with the other four methods. The results show that the proposed distance-based method is more efficient and accurate.

Yuehua Huo,Faqi Zhao,Hangsheng Zhang,Shangyuan Zhuang,Jiyan Sun

DOI: https://doi.org/10.1155/2022/1556768

2022-01-01

Wireless Communications and Mobile Computing

Abstract:The sharp increasing volume of encrypted traffic generated by malware brings a huge challenge to traditional payload-based malicious traffic detection methods. Solutions that based on machine learning and deep learning are becoming mainstream. However, the machine learning-based methods are limited by manual-design features, which have the problem of highly correlated multicollinearity. And both methods rely heavily on a large number of labeled samples, which needs lots of human effort. In this paper, we apply the active learning to the malicious encrypted traffic detection problem and propose AS-DMF framework. AS-DMF is a lightweight detection framework that combine the uncertainty sampling and density-based query strategy to query the informative and representative instances from the sample set and then train them in a detection (DMF) model. Moreover, we propose a feature selection mechanism which can select the meaningful features of traffic efficiently. Our comprehensive experiments on the real-word dataset indicate that AS-DMF achieves lightweighting at both feature and data levels with a high performance of 0.9460 mAcc.

Anish Singh Shekhawat,Fabio Di Troia,Mark Stamp

DOI: https://doi.org/10.48550/arXiv.2312.04596

2023-12-06

Abstract:In recent years there has been a dramatic increase in the number of malware attacks that use encrypted HTTP traffic for self-propagation or communication. Antivirus software and firewalls typically will not have access to encryption keys, and therefore direct detection of malicious encrypted data is unlikely to succeed. However, previous work has shown that traffic analysis can provide indications of malicious intent, even in cases where the underlying data remains encrypted. In this paper, we apply three machine learning techniques to the problem of distinguishing malicious encrypted HTTP traffic from benign encrypted traffic and obtain results comparable to previous work. We then consider the problem of feature analysis in some detail. Previous work has often relied on human expertise to determine the most useful and informative features in this problem domain. We demonstrate that such feature-related information can be obtained directly from machine learning models themselves. We argue that such a machine learning based approach to feature analysis is preferable, as it is more reliable, and we can, for example, uncover relatively unintuitive interactions between features.

Cryptography and Security,Machine Learning