Guolou Ping,Shuo Feng,Yehao Li,Xiaojun Ye

DOI: https://doi.org/10.1109/iccc56324.2022.10065635

2022-01-01

Abstract:To address the challenge of lacking labeling information in network traffic anomaly detection, we propose an unsupervised anomaly detection algorithm based on cascading representation and multiple-clustering. First, this paper designs a cascading representation method to obtain discriminative traffic features. We create a residual auto-encoder that employs generative learning to capture generic statistical expressions. We augment the time-series features in various ways and leverage contrastive learning to capture discriminative representations. We develop a host identification task based on triplet loss, enhancing feature discrimination in addition to cascading two feature representations. Second, we design a multiple-clustering-based algorithm for anomalous traffic detection. By performing KMeans on the cascading feature representations, we obtained clustering centers to replace each cluster and avoid the problem of unbalanced abnormal traffic. By applying DBSACAN clustering with a tree structure to these clustering centers and using the height of the anomalies to calculate the traffic anomaly score, we can detect abnormal network traffic flexibly. Finally, we conducted experimental validation on several commonly used intrusion detection datasets. The experimental results show that the method proposed in this paper generally outperforms the comparison methods.

Lei Shi,Qi Liao,Xiaohua Sun,Yarui Chen,Chuang Lin

DOI: https://doi.org/10.1109/bigdata.2013.6691629

2013-01-01

Abstract:The visualization of complex network traffic involving a large number of communication devices is a common yet challenging task. Traditional layout methods create the network graph with overwhelming visual clutter, which hinders the network understanding and traffic analysis tasks. The existing graph simplification algorithms (e.g. community-based clustering) can effectively reduce the visual complexity, but lead to less meaningful traffic representations. In this paper, we introduce a new method to the traffic monitoring and anomaly analysis of large networks, namely Structural Equivalence Grouping (SEG). Based on the intrinsic nature of the computer network traffic, SEG condenses the graph by more than 20 times while preserving the critical connectivity information. Computationally, SEG has a linear time complexity and supports undirected, directed and weighted traffic graphs up to a million nodes. We have built a Network Security and Anomaly Visualization (NSAV) tool based on SEG and conducted case studies in several real-world scenarios to show the effectiveness of our technique.

Wei Wang,Ming Zhu,Xuewen Zeng,Xiaozhou Ye,Yiqiang Sheng

DOI: https://doi.org/10.1109/ICOIN.2017.7899588

2017-01-01

Abstract:Traffic classification is the first step for network anomaly detection or network based intrusion detection system and plays an important role in network security domain. In this paper we first presented a new taxonomy of traffic classification from an artificial intelligence perspective, and then proposed a malware traffic classification method using convolutional neural network by taking traffic data as images. This method needed no hand-designed features but directly took raw traffic as input data of classifier. To the best of our knowledge this interesting attempt is the first time of applying representation learning approach to malware traffic classification using raw traffic data. We determined that the best type of traffic representation is session with all layers through eight experiments. The method is validated in two scenarios including three types of classifiers and the experiment results show that our proposed method can satisfy the accuracy requirement of practical application.

Yu Wang,Yang Xiang,Jun Zhang,Shun-Zheng Yu

DOI: https://doi.org/10.1109/icnss.2011.6059997

2011-01-01

Abstract:Network traffic classification is an essential component for network management and security systems. To address the limitations of traditional port-based and payload-based methods, recent studies have been focusing on alternative approaches. One promising direction is applying machine learning techniques to classify traffic flows based on packet and flow level statistics. In particular, previous papers have illustrated that clustering can achieve high accuracy and discover unknown application classes. In this work, we present a novel semi-supervised learning method using constrained clustering algorithms. The motivation is that in network domain a lot of background information is available in addition to the data instances themselves. For example, we might know that flow f1 and f2 are using the same application protocol because they are visiting the same host address at the same port simultaneously. In this case, f1 and f2 shall be grouped into the same cluster ideally. Therefore, we describe these correlations in the form of pair-wise must-link constraints and incorporate them in the process of clustering. We have applied three constrained variants of the K-Means algorithm, which perform hard or soft constraint satisfaction and metric learning from constraints. A number of real-world traffic traces have been used to show the availability of constraints and to test the proposed approach. The experimental results indicate that by incorporating constraints in the course of clustering, the overall accuracy and cluster purity can be significantly improved.

Yu Wang,Shun-Zheng Yu

DOI: https://doi.org/10.4304/jnw.4.7.622-629

2009-01-01

Journal of Networks

Abstract:Network traffic classification plays an important role in various network activities. Due to the ineffectiveness of traditional port-based and payload-based methods, recent works proposed using machine learning methods to classify flows based on statistical characteristics. In this study, we present a comprehensive evaluation of the effectiveness of these statistical methods for real-time traffic classification problem. We evaluate three different flow feature sets that are used to capture distinct properties of each application, two of them consist of features generated from full flows and the third is made up of early sub-flow statistics derived from the first few packets of each flow. We compare various supervised machine learning schemes to identify the one most suitable for traffic classification. We also apply feature selection to identify the most significant features. The results indicate that statistical characteristics of traffic flows are capable to distinguish applications; in particular it’s feasible to use the features derived from early sub-flows for realtime traffic classification. The results also indicate that classifiers based on decision tree outperform others, as they obtain highest accuracy and fastest classifying speed.

Changyu Wang,Xiaohong Guan,Tao Qin,Pinghui Wang,Jing Tao,Yongwei Meng,Jingyuan Liu

DOI: https://doi.org/10.1016/j.knosys.2020.106192

IF: 8.139

2020-01-01

Knowledge-Based Systems

Abstract:Previous machine learning-based network traffic classification approaches hold the assumption that training and testing network environment are of the same. This assumption is invalid in most real cases due to the changes in traffic features and leads to the train-test gap issue: the model trained in the training environment performs poorly in the testing environment. In this paper, to address the gap, we propose CSA: a traffic classification approach based on packet-wise segmentation and aggregation. Firstly, we observe that some specific fragments of network flows - subflows - are robust against the gap. Therefore, we are motivated to segment the traffic flows into different subflows. Afterward, with the justification of our feature selection, 26 statistical features are extracted from each subflow and input into its corresponding sub-classifier. Secondly, with the results from sub-classifiers, we develop an aggregation method based on their classification accuracy to increase the overall classification performance. We experiment on five real datasets, including three collected from the Northwest Center of CERNET (China Education and Research Network) and two from public traces. By comparing with state-of-the-art baselines, the experiment results demonstrate the effectiveness of our CSA against the gap. (C) 2020 Published by Elsevier B.V.

Daokun Zhang,Jie Yin,Xingquan Zhu,Chengqi Zhang

DOI: https://doi.org/10.48550/arXiv.1801.05852

2018-07-19

Abstract:With the widespread use of information technologies, information networks are becoming increasingly popular to capture complex relationships across various disciplines, such as social networks, citation networks, telecommunication networks, and biological networks. Analyzing these networks sheds light on different aspects of social life such as the structure of societies, information diffusion, and communication patterns. In reality, however, the large scale of information networks often makes network analytic tasks computationally expensive or intractable. Network representation learning has been recently proposed as a new learning paradigm to embed network vertices into a low-dimensional vector space, by preserving network topology structure, vertex content, and other side information. This facilitates the original network to be easily handled in the new vector space for further analysis. In this survey, we perform a comprehensive review of the current literature on network representation learning in the data mining and machine learning field. We propose new taxonomies to categorize and summarize the state-of-the-art network representation learning techniques according to the underlying learning mechanisms, the network information intended to preserve, as well as the algorithmic designs and methodologies. We summarize evaluation protocols used for validating network representation learning including published benchmark datasets, evaluation methods, and open source algorithms. We also perform empirical studies to compare the performance of representative algorithms on common datasets, and analyze their computational complexity. Finally, we suggest promising research directions to facilitate future study.

Social and Information Networks,Machine Learning

Luming Yang,Shaojing Fu,Xuyun Zhang,Shize Guo,Yongjun Wang,Chi Yang

DOI: https://doi.org/10.1007/s11280-022-01057-8

2022-01-01

World Wide Web

Abstract:As the 5G rolls out around the world, many edge applications will be deployed by app vendors and accessed by massive end-users. Efficient detection of malicious network behavior is paid more and more attention. The current traffic detection work is still stuck on the analysis of high-dimensional data. It will restrict the improvement of threat monitoring and network governance when facing massive network flows. Characterization of network flows within simple domains is required to simplify the process of network analysis. Traffic characterization is a key task that allows service providers to detect and intercept anomalous traffic, such that high QoS (Quality of Service) and service availability are maintained and spread of malicious content is prevented. Unfortunately, there is still a lack of research on the concrete characterization of network data. Analogous to spectrum, in this paper, we proposed the concept of FlowSpectrum for the first time in order to represent the network flow, concretely. In the FlowSpectrum, network flow is represented as a spectral line rather than the raw data or a feature vector of the network flow. All flows are able to be mapped as spectral lines, and traffic identification is achieved by analyzing the positions of spectral lines. FlowSpectrum can significantly reduce the complexity of network traffic behavior analysis while enhancing the interpretability of detection and facilitating cyberspace behavior management. We designed a neural network structure based on semi-supervised AutoEncoder for decomposition and dimensionality reduction of network flows in FlowSpectrum. The characterization capability of FlowSpectrum is proved by thorough experiments. Moreover, we realized the correspondence between network behaviors and intervals of spectral lines, preliminarily. Generally speaking, FlowSpectrum can provide new ideas for the field of network traffic analysis.

Ming Liu,Qichao Yang,Wenqing Wang,Shengli Liu

DOI: https://doi.org/10.3390/s24206507

IF: 3.9

2024-10-11

Sensors

Abstract:The exponential growth of encrypted network traffic poses significant challenges for detecting malicious activities online. The scale of emerging malicious traffic is significantly smaller than that of normal traffic, and the imbalanced data distribution poses challenges for detection. However, most existing methods rely on single-category features for classification, which struggle to detect covert malicious traffic behaviors. In this paper, we introduce a novel semi-supervised approach to identify malicious traffic by leveraging multimodal traffic characteristics. By integrating the sequence and topological information inherent in the traffic, we achieve a multifaceted representation of encrypted traffic. We design two independent neural networks to learn the corresponding sequence and topological features from the traffic. This dual-feature extraction enhances the model's robustness in detecting anomalies within encrypted traffic. The model is trained using a joint strategy that minimizes both the reconstruction error from the autoencoder and the classification loss, allowing it to effectively utilize limited labeled data alongside a large amount of unlabeled data. A confidence-estimation module enhances the classifier's ability to detect unknown attacks. Finally, our method is evaluated on two benchmark datasets, UNSW-NB15 and CICIDS2017, under various scenarios, including different training set label ratios and the presence of unknown attacks. Our model outperforms other models by 3.49% and 5.69% in F1 score at labeling rates of 1% and 0.1%, respectively.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

ZiXuan Wang,ZeYi Li,MengYi Fu,YingChun Ye,Pan Wang

DOI: https://doi.org/10.1016/j.sysarc.2024.103091

IF: 5.836

2024-02-20

Journal of Systems Architecture

Abstract:Traffic Classification (TC) has been applied to a wide range of applications, from security monitoring to quality of service (QoS) provisioning in network Internet Service Providers (ISPs). In recent years, many researchers have applied Machine Learning (ML) or Deep Learning (DL) to TC, namely AI-TC. However, AI-TC methods face significant challenges, including high data dependency, exhaustively costly traffic labeling, and network subscribers' privacy. This paper proposes a TC framework for smart home networks using Federated Learning (FL) that protects traffic data privacy by performing local training and inference of TC models. Firstly, we design a DPI-based traffic labeling method on edge home gateways as FL nodes, which enables these nodes to have data labeling capability while protecting data privacy. Then, a semi-supervised TC model based on an autoencoder (AE) is proposed to reduce the dependence of the model on labeled traffic samples. Finally, an XAI-based method is utilized to interpret the model to ensure its explainability. We validate the proposed method on public and real datasets using benchmarking methods. The experimental results show that the method can achieve high performance using a small number of samples while protecting data privacy and improving the model's credibility. Experimental code can be found in the following url: https://github.com/PrinceXuan12138/HGW-TC-Experimental-code .

computer science, software engineering, hardware & architecture

Zefei Luo,Yu Li,Shuaishuai Tan,Daojing He

DOI: https://doi.org/10.1109/ijcnn60899.2024.10651222

2024-01-01

Abstract:Traffic classification is a crucial task in network security and management. Recent research has shown the effectiveness of deep learning when applied to encrypted traffic classification. However, the reliance of deep learning models on abundant labeled and balanced data poses challenges, particularly in traffic analysis where labeling is costly and imbalanced traffic distribution is common. To tackle this challenge, researchers have proposed self-supervised representation learning. This approach aims to derive universal traffic representations from vast amounts of unlabeled data, reducing the need for extensive labeling in downstream tasks. Current representation learning methods predominantly focus on exploring flow-level information, neglecting valuable trace information crucial for effective flow representation learning. In this study, we introduce SAFE, a self-supervised learning methodology tailored for flow representation learning. SAFE specifically delves into trace-level (i.e., a mixture of correlated flows) information to enhance flow embedding. Moreover, our analysis reveals that existing encrypted traffic datasets often contain numerous invalid samples. SAFE conducts a comprehensive examination of dataset characteristics, filtering out these invalid samples, thereby advancing the field significantly. Extensive experiments demonstrate that SAFE outperforms state-of-the-art methods.

Yitu Wang,Runqi Dong,Takayuki Nakachi,Wei Wang

DOI: https://doi.org/10.1109/wcnc55385.2023.10118849

2023-01-01

Abstract:Network traffic monitoring plays a crucial role in maintaining the security and reliability of the communication networks. Although Machine Learning (ML) assisted abnormal traffic detection has been emerged as a promising paradigm, the existing data-driven learning-based approaches are faced with challenges on inefficient traffic feature extraction and high computational complexity, especially when taking the evolving property of traffic process into consideration. To this end, we establish an online learning framework for abnormality traffic detection by embracing Gaussian Process (GP) and Sparse Representation (SR). The contributions of this paper are two-fold: 1). We utilize a special kernel, i.e., mixture of Gaussian, to better explore and exploit the evolving traffic characteristics, so as to more accurately model network traffic. 2). To combat noise and modeling error, we formulate a feature vector based on Kullback-Leibler (KL) divergence to measure the difference between normal and abnormal traffic, based on which SR is adopted to perform robust binary classification. Finally, we demonstrate the superiority of the proposed framework in terms of detection accuracy through simulation.

Tong Nie,Guoyang Qin,Wei Ma,Jian Sun

DOI: https://doi.org/10.1016/j.trc.2024.104890

2024-10-24

Abstract:Spatiotemporal Traffic Data (STTD) measures the complex dynamical behaviors of the multiscale transportation system. Existing methods aim to reconstruct STTD using low-dimensional models. However, they are limited to data-specific dimensions or source-dependent patterns, restricting them from unifying representations. Here, we present a novel paradigm to address the STTD learning problem by parameterizing STTD as an implicit neural representation. To discern the underlying dynamics in low-dimensional regimes, coordinate-based neural networks that can encode high-frequency structures are employed to directly map coordinates to traffic variables. To unravel the entangled spatial-temporal interactions, the variability is decomposed into separate processes. We further enable modeling in irregular spaces such as sensor graphs using spectral embedding. Through continuous representations, our approach enables the modeling of a variety of STTD with a unified input, thereby serving as a generalized learner of the underlying traffic dynamics. It is also shown that it can learn implicit low-rank priors and smoothness regularization from the data, making it versatile for learning different dominating data patterns. We validate its effectiveness through extensive experiments in real-world scenarios, showcasing applications from corridor to network scales. Empirical results not only indicate that our model has significant superiority over conventional low-rank models, but also highlight that the versatility of the approach extends to different data domains, output resolutions, and network topologies. Comprehensive model analyses provide further insight into the inductive bias of STTD. We anticipate that this pioneering modeling perspective could lay the foundation for universal representation of STTD in various real-world tasks. Code is available at <a class="link-external link-https" href="https://github.com/tongnie/traffic_dynamics" rel="external noopener nofollow">this https URL</a>.

Machine Learning

Meng Qin,Kai Lei,Bo Bai,Gong Zhang

DOI: https://doi.org/10.1145/3341216.3342213

2019-01-01

Abstract:In this paper, we study the network traffic classification task. Different from existing supervised methods that rely heavily on the labeled statistic features in a long period (e.g., several hours or days), we adopt a novel view of unsupervised profiling to explore the flow features and link patterns in a short time window (e.g., several seconds), dealing with the zero-day traffic problem. Concretely, we formulate the traffic identification task as a graph co-clustering problem with topology and edge attributes, and proposed a novel Hybrid Flow Clustering (HFC) model. The model can potentially achieve high classification performance, since it comprehensively leverages the available information of both features and linkage. Moreover, the two information sources integrated in HFC can also be utilized to generate the profiling for each flow category, helping to reveal the deep knowledge and semantics of network traffic. The effectiveness of the model is verified in the extensive experiments on several real datasets of various scenarios, where HFC achieves impressive results and presents powerful application ability.

Xiaoliang Lei,Hao Mei,Bin Shi,Hua Wei

DOI: https://doi.org/10.48550/arXiv.2208.06646

IF: 5.414

2022-08-13

Machine Learning

Abstract:Modeling how network-level traffic flow changes in the urban environment is useful for decision-making in transportation, public safety and urban planning. The traffic flow system can be viewed as a dynamic process that transits between states (e.g., traffic volumes on each road segment) over time. In the real-world traffic system with traffic operation actions like traffic signal control or reversible lane changing, the system's state is influenced by both the historical states and the actions of traffic operations. In this paper, we consider the problem of modeling network-level traffic flow under a real-world setting, where the available data is sparse (i.e., only part of the traffic system is observed). We present DTIGNN, an approach that can predict network-level traffic flows from sparse data. DTIGNN models the traffic system as a dynamic graph influenced by traffic signals, learns the transition models grounded by fundamental transition equations from transportation, and predicts future traffic states with imputation in the process. Through comprehensive experiments, we demonstrate that our method outperforms state-of-the-art methods and can better support decision-making in transportation.

Yu Wang,Yang Xiang,Jun Zhang,Shunzheng Yu

DOI: https://doi.org/10.1109/iwcmc.2012.6314275

2012-01-01

Abstract:Due to the limitations of the traditional port-based and payload-based traffic classification approaches, the past decade has seen extensive work on utilizing machine learning techniques to classify network traffic based on packet and flow level features. In particular, previous studies have shown that the unsupervised clustering approach is both accurate and capable of discovering previously unknown application classes. In this paper, we explore the utility of side information in the process of traffic clustering. Specifically, we focus on the flow correlation information that can be efficiently extracted from packet headers and expressed as instance-level constraints, which indicate that particular sets of flows are using the same application and thus should be put into the same cluster. To incorporate the constraints, we propose a modified constrained K-Means algorithm. A variety of real-world traffic traces are used to show that the constraints are widely available. The experimental results indicate that the constrained approach not only improves the quality of the resulted clusters, but also speeds up the convergence of the clustering process.

Cheng Wang,Wei Zhang,Hao Hao,Huiling Shi

DOI: https://doi.org/10.3390/electronics13071236

IF: 2.9

2024-03-28

Electronics

Abstract:The demand for encrypted communication is increasing with the continuous development of secure and trustworthy networks. In edge computing scenarios, the requirement for data processing security is becoming increasingly high. Therefore, the accurate identification of encrypted traffic has become a prerequisite to ensure edge intelligent device security. Currently, encrypted network traffic classification relies on single-feature extraction methods. These methods have simple feature extraction, making distinguishing encrypted network data flows and designing compelling manual features challenging. This leads to low accuracy in multi-classification tasks involving encrypted network traffic. This paper proposes a hybrid deep learning model for multi-classification tasks to address this issue based on the synergy of dilated convolution and gating unit mechanisms. The model comprises a Gated Dilated Convolution (GDC) module and a CA-LSTM module. The GDC module completes the spatial feature extraction of encrypted network traffic through dilated convolution and gating unit mechanisms. In contrast, the CA-LSTM module focuses on extracting temporal network traffic features. By employing a collaborative approach to extract spatio-temporal features, the model ensures feature extraction diversity, guarantees robustness, and effectively enhances the feature extraction rate. We evaluate our multi-classification model using the ISCX VPN-nonVPN public dataset. Experimental results show that the proposed method achieves an accuracy rate of over 95% and a recall rate of over 90%, significantly outperforming existing methods.

engineering, electrical & electronic,computer science, information systems,physics, applied

Tan Li,Shuangwu Chen,Zhen Yao,Xiang Chen,Jian Yang

DOI: https://doi.org/10.1109/FSKD.2018.8686880

2018-01-01

Abstract:Network traffic classification plays a fundamental role in area of network management and security. Recent days, machine learning techniques have been used to classify network traffic. In particular, semi-supervised learning is very fit for practical scenarios, where pre-labelled training flows are hard to obtain. In this paper, a semi-supervised classification scheme is proposed for network traffic classification by using deep generative models. Specifically, the feature extractor module aims to automatically find representation features of raw traffic data in a lower dimensional feature space. Subsequently, using these representation features, a separated classifier is trained by the semi-supervised classification module. The method is verified with three different levels of datasets: Anomaly detection-level, protocol-level and application-level. The results show that our scheme can not only detect malware traffic, but also classify the traffic according to their protocol, application, and attack types. Using less than 20% labelled flows of the whole dataset, we can achieve the accuracy of over 95% which is a satisfying value compared with supervised learning method.

Liupeng Jiang,Lei Chen,Wei Wang,Wei Wei,Zhihan Lv,Heng Wang

DOI: https://doi.org/10.1109/MNET.011.2000444

IF: 10.294

2021-01-01

IEEE Network

Abstract:With the increase of international trade activities, the dependence on container shipping is also increasing. The efficiency of container shipping activities will directly affect the trade exchanges between countries. However, traditional network analysis methods face many challenges, such as large-scale, highly dynamic and multi-dimensional issues. To this end, in this article, after reviewing existing network-based analysis methods and their limitations, we introduce the advanced network representation learning technology for container shipping network analysis. To demonstrate the effectiveness of the network representation learning based method, we perform a case study on container shipping network clustering, and the positive results demonstrate the potential of allying network representation learning for container shipping network analysis.

Pu Wang,Xinrun Lyu,Xiangzhan Yu,Chong Zhang

DOI: https://doi.org/10.1007/978-3-030-78618-2_60

2021-01-01

Abstract:As a basic work of network security, network traffic recognition plays an important role in network resource management and abnormal network traffic monitoring. At present, network traffic identification has become one of the hottest issues in academic research. In the past research, network traffic analysis was mainly done by Port Matching, Deep Packet Inspection. However, these methods are not perfect, and they are not suitable for today. This paper implements a traffic recognition method based on deep learning and machine learning. Besides, this paper implements unsupervised clustering of traffic. On the UNB ISCX data set, the experimental results are quite good.