Xiaotian Yu,Shengxuming Zhang,Lingxiang Jia,Yuexuan Wang,Mingli Song,Zunlei Feng

DOI: https://doi.org/10.1016/j.neucom.2023.126829

IF: 6

2024-01-01

Neurocomputing

Abstract:Recently, many benchmark datasets have been found to contain noisy labels caused by unavoidable human mistakes. Many researchers propose new noise-aware loss functions to achieve robust classification performance. However, we discover that existing noise-aware loss functions cannot fully heal the damage caused by the noise. On the other hand, some methods filter out low confidence samples and train new models, whereas the filtered samples contain both noisy and hard samples that are critical for the robustness of models. Based on the above two discoveries, we devised the Noise-aware Network (NA-Net) for robust training with noisy labels. Each layer of NA-Net contains three groups of convolution kernels responsible for mix samples, clean samples, and noisy samples, termed as mix-kernels, clean-kernels, and noise-kernels, respectively. Mix-kernels are used for finding the clean samples with a newly devised noise-immune (NI) loss function; clean-kernels are targeted at learning better features without being misguided by noise; noise-kernels are trained by the remaining samples to rectify wrong labels for the next iteration. Meanwhile, for increasing the classification performance of mix-kernels, the extracted feature maps of clean-kernels without being poisoned are combined as the input of mix-kernels of the next layer. Also, the knowledge distillation strategy is adopted to distill the knowledge from clean-kernels to the noise-kernels. Extensive experiments demonstrate that the mutual promotion of three groups of kernels in NA-Net achieves state-of-the-art performance on both artificial noisy datasets and real-world datasets.

Akbar Telikani,Amir H. Gandomi,Kim-Kwang Raymond Choo,Jun Shen

DOI: https://doi.org/10.1109/tnsm.2021.3112283

2022-03-01

IEEE Transactions on Network and Service Management

Abstract:Network traffic classification (NTC) plays an important role in cyber security and network performance, for example in intrusion detection and facilitating a higher quality of service. However, due to the unbalanced nature of traffic datasets, NTC can be extremely challenging and poor management can degrade classification performance. While existing NTC methods seek to re-balance data distribution through resampling strategies, such approaches are known to suffer from information loss, overfitting, and increased model complexity. To address these challenges, we propose a new cost-sensitive deep learning approach to increase the robustness of deep learning classifiers against the imbalanced class problem in NTC. First, the dataset is divided into different partitions, and a cost matrix is created for each partition by considering the data distribution. Then, the costs are applied to the cost function layer to penalize classification errors. In our approach, costs are diverse in each type of misclassification because the cost matrix is specifically generated for each partition. To determine its utility, we implement the proposed cost-sensitive learning method in two deep learning classifiers, namely: stacked autoencoder and convolution neural networks. Our experiments on the ISCX VPN-nonVPN dataset show that the proposed approach can obtain higher classification performance on low-frequency classes, in comparison to three other NTC methods.

Xi Xiao,Shuo Wang,Guangwu Hu,Qing Li,Kelong Mao,Xiapu Luo,Bin Zhang,Shutao Xia

DOI: https://doi.org/10.1109/tdsc.2024.3478838

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Network traffic classification plays a crucial role in network management and cyberspace security. As the Internet evolves with new applications and protocols, traditional machine learning-based methods relying on feature mining have become obsolete. Instead, deep learning-based methods are becoming more popular in the field of traffic classification due to their end-to-end processing approach. However, the vulnerability of neural networks to adversarial examples significantly compromises their performance. In this paper, we propose Robust Byte-Label Joint Attention Network (RBLJAN), an efficient and robust deep learning-based framework for encrypted network traffic classification at both the packet-level and the flow-level. RBLJAN comprises a classifier and an adversarial traffic generator. The classifier utilizes mechanisms such as header-payload parallel processing and byte-label joint attention learning to capture implicit correlations between bytes and labels, enabling the construction of powerful packet representations. The generator produces adversarial examples that are fed to the classifier to enhance its robustness. Experimental results demonstrate that RBLJAN achieves over 99% average F1-score on real-world legitimate traffic datasets and achieves 97.86% average F1-score on malware identification. Moreover, RBLJAN exhibits superior performance in terms of detection speed and robustness compared to state-of-the-art methods in real-world scenarios.

Dazhou Liu,Younghee Park

DOI: https://doi.org/10.3390/s24072295

IF: 3.9

2024-04-05

Sensors

Abstract:Anonymous networks, which aim primarily to protect user identities, have gained prominence as tools for enhancing network security and anonymity. Nonetheless, these networks have become a platform for adversarial affairs and sources of suspicious attack traffic. To defend against unpredictable adversaries on the Internet, detecting anonymous network traffic has emerged as a necessity. Many supervised approaches to identify anonymous traffic have harnessed machine learning strategies. However, many require access to engineered datasets and complex architectures to extract the desired information. Due to the resistance of anonymous network traffic to traffic analysis and the scarcity of publicly available datasets, those approaches may need to improve their training efficiency and achieve a higher performance when it comes to anonymous traffic detection. This study utilizes feature engineering techniques to extract pattern information and rank the feature importance of the static traces of anonymous traffic. To leverage these pattern attributes effectively, we developed a reinforcement learning framework that encompasses four key components: states, actions, rewards, and state transitions. A lightweight system is devised to classify anonymous and non-anonymous network traffic. Subsequently, two fine-tuned thresholds are proposed to substitute the traditional labels in a binary classification system. The system will identify anonymous network traffic without reliance on labeled data. The experimental results underscore that the system can identify anonymous traffic with an accuracy rate exceeding 80% (when based on pattern information).

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Ruijie Zhao,Yiteng Huang,Xianwen Deng,Zhi Xue,Jiabin Li,Zijing Huang,Yijun Wang

DOI: https://doi.org/10.1109/msn53354.2021.00045

2021-01-01

Abstract:Supervising anonymity network is a critical issue in the field of network security, and traditional traffic analysis methods cannot cope with complex anonymity traffic. In recent years, the traffic analysis method based on deep learning has achieved good performance. However, most of the existing studies do not consider the temporal-spatial correlation of the traffic, and only use a single flow for classification. A few works take continuous flows as flow sequence for traffic classification, but they do not distinguish the different importance of each flow. To tackle this issue, we propose a novel flow-based traffic classifier called FLOW TRANSFORMER to classify anonymity network traffic. FLOW TRANSFORMER uses multi-head attention mechanism to set higher weights for important flows, and extracts flow sequence features according to the importance weights. Besides, the RF-based feature selection method is designed to select the optimal feature combination, which can effectively avoid the insignificant features from reducing the performance and efficiency of the classifier. Experimental results on two real-world traffic datasets demonstrate that the proposed method outperforms state-of-the-art methods with a large margin.

Taiyu Wong,Hongyan Cui,Yuepeng Shen,Wenqi Lin,Tao Yu

DOI: https://doi.org/10.1109/uv.2018.8642139

2018-01-01

Abstract:As more and more personal information is used in network services, network anonymity has received more and more attention. Attackers could endanger the victims’ privacy by attacking or eavesdropping nodes during the networks routing. For example, attackers could retrieve the IP and MAC address of victims from network traffics, and use it to corelate the network behavior to individuals. The emerging Software Defined Network (SDN) technique provides a pretty flexible platform that can control the whole network by software programming, which propose a new solution to realize the network anonymity problem. In this paper, we propose a solution based on SDN to anonymize both MAC and IP addresses of network traffics in order to mitigate the privacy threats, and programing it. Furthermore, we test the anonymity function on our SDN Testbed. Our solution supports two working modes: a two-way anonymous mode which anonymizes the IP and MAC addresses of all data packets, and an one-way anonymous mode which anonymizes MAC and IP addresses of senders.

Tangda Yu,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1109/cyberc.2019.00020

2019-01-01

Abstract:In recent years, with the widespread use of encrypted traffic communication technology, network traffic encryption has been gradually becoming a standard of communication. This phenomenon has a great impact on traditional traffic detection methods, especially on anomaly detection methods, which are highly dependent on the type of network protocol types and traffic data. By surveying the existing encrypted traffic classification and analyzing these methods, we found that there are two main methods for detection: payload-based detection and feature-based detection. On this basis, this paper puts forward an Encrypted Malicious Traffic Detection System which is based on multi-AEs(Autoencoder). We use malicious sandbox for traffic data collection, mark malicious flow and normal flow with labels. After that, we use multilayer networks of AEs for feature extraction and training classifier model. Our system analyzes the feature of cryptographic protocol from handshake phase to Authentication phase on the basis of existing research, and we extract the traffic feature for a better classification by further expanding flow feature vector to the higher dimensions. In addition, we compared the performance of our model with the traditional learning model under the same environment. The experimental results showed that our system had higher detection accuracy and lower loss rate. We also studied the influence of dataset imbalance on results in the detection of encrypted traffic by several experiments. According to the experimental evaluation, dataset imbalance will lead to the decrease of positive rate.

Zhiyong Bu,Bin Zhou,Pengyu Cheng,Kecheng Zhang,Zhen-Hua Ling

DOI: https://doi.org/10.1109/ACCESS.2020.3010637

IF: 3.9

2020-01-01

IEEE Access

Abstract:Network traffic classification aims to recognize different application or traffic types by analyzing received data packets. This paper presents a neural network model with deep and parallel network-in-network (NIN) structures for classifying encrypted network traffic. Comparing with standard convolutional neural networks (CNN), NIN adopts a micro network after each convolution layer to enhance local modeling. Besides, NIN utilizes a global average pooling instead of traditional fully connected layers before final classification, which reduces the number of model parameters significantly. In our proposed method, deep NIN models with multiple MLP convolutional layers are built to map fixed-length packet vectors towards application or traffic labels. Furthermore, a parallel decision strategy of building two sub-networks to process packet header and packet body separately is designed considering that they may carry different kinds of clues for classification. The results of our experiments on the "ISCX VPN-nonVPN" encrypted traffic dataset show that NIN models can achieve a better balance between classification accuracy and model complexity than conventional CNNs. The parallel decision strategy can further improve the accuracy of using single NIN model for encrypted network traffic classification. Finally, the test set F1 scores of 0.983 and 0.985 are achieved for traffic characterization and application identification respectively.

Jinghong Lan,Xudong Liu,Bo Li,Yanan Li,Tongtong Geng

DOI: https://doi.org/10.1016/j.cose.2022.102663

2022-05-01

Abstract:Darknet traffic classification is crucial for identifying anonymous network applications and defensing cyber crimes. Although notable research efforts have been dedicated to classifying darknet traffic by combining machine learning algorithms and elaborately designed features, current methods either heavily depend on hand-crafted features or overlook the global intrinsic relationships among the local features automatically extracted from different data positions, leading to limited classification performance. To tackle this issue, we propose DarknetSec, a novel self-attentive deep learning method for darknet traffic classification and application identification. Concretely, DarknetSec utilizes a cascaded model with a 1-dimensional Convolutional Neural Network (1D CNN) and a bidirectional Long Short-Term Memory (Bi-LSTM) network to capture local spatial-temporal features from the payload content of packets, while the self-attention mechanism is integrated into the abovementioned feature extraction network to mine the intrinsic relationships and hidden connections among the previously extracted content features. In addition, DarknetSec extracts side-channel features from payload statistics to enhance its classification performance. We evaluate DarknetSec on the CICDarknet2020 dataset, which is a representative of darknet traffic covering both Virtual Private Network (VPN) and The Onion Router (Tor) applications. Thorough experiments show that DarknetSec is superior to other state-of-the-art methods, achieving a multiclass accuracy of 92.22% and a macro-F1-score of 92.10%. Additionally, DarknetSec maintains its high accuracy when applied to other encrypted traffic classification tasks.

computer science, information systems

Jin Cheng,Yulei Wu,Junling You,Tong Li,Hui Li,Jingguo Ge,Yuepeng E

DOI: https://doi.org/10.1016/j.comnet.2021.108472

IF: 5.493

2021-11-01

Computer Networks

Abstract:Increased awareness of privacy protection has led to a surge in the volume of encrypted traffic, which creates a heavy burden for efficient network management (e.g. quality-of-service guarantees). The opacity of encrypted traffic essentially requires high computational overheads to make traffic classification, which is even worse when encrypted traffic surges. However, existing deep learning approaches sacrifice the efficiency to obtain high-precision classification results, which are no longer suitable for scenarios with large volumes of encrypted traffic. In this paper, a lightweight and online approach implemented as MATEC is proposed. The way we optimize the classification process follows the "Maximizing the reuse of thin modules" design principle. The multi-head attention and the convolutional network are adopted in the thin module. Attributed to the one-step interaction of all packets and the parallel computing of the multi-head attention mechanism, a key advantage of our model is that the number of parameters and running time are significantly reduced. In addition, the effectiveness and efficiency of convolutional networks have been proved in traffic classification. Comparisons to the existing state-of-the-art models on three typical datasets demonstrate that the proposed MATEC model has higher accuracy and running efficiency. In addition, the number of parameters is reduced to 1.8% of the state-of-the-art models and the training time halves.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Chengyuan Zhang,Changqing An,Jessie Hui Wang,Ziyi Zhao,Tao Yu,Jilong Wang

DOI: https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics53846.2021.00060

2021-01-01

Abstract:Network traffic classification is the foundation of many network security services. As the widespread use of encrypted protocols makes packet payload invisible, it becomes impossible for traditional rule-based methods to classify network traffic correctly. To solve this problem, recent researches use deep learning algorithms to extract features of flows and classify the traffic data. In this paper, we propose the Self-Attention based Flow Sequence Network (SAFSN), an end-to-end encrypted traffic classification model. We employ both the elements' dependence within a single flow and the dependence between flows, which can be well combined with the self-attention mechanism. We evaluate SAFSN on a real-world dataset covering 40 apps, and the results indicate that SAFSN does well in multi-classification tasks and outperforms all the other methods. Specially SAFSN can achieve an 8.83% higher F-score and an 8.45% higher accuracy than the state-of-the-art machine learning classifier.

Yizhuo Zhao,Yukun Zhu,Xiong Li,Ruidong Chen,Mohammad S. Obaidat,Pandi Vijayakumar

DOI: https://doi.org/10.1109/globecom54140.2023.10436868

2023-01-01

Abstract:Encrypted behavior identification is crucial in ensuring network security. Most existing solutions in this area recognize behavior by observing encrypted traffic patterns between users and applications. However, such solutions rely on features such as timing, packet sequence, and packet length, which may be affected by network fluctuations, and thus have weak generalization capabilities. In this paper, we first analyze the impact of noise on the network, such as parameters and network delays during API requests. By combining a noise-based traffic collector with an improved Transformer model, we propose a system-level denoising Transformer method for encrypted traffic behavior identification called SD-Transformer. It is able to filter system noise by utilizing an attention mechanism and targeted noise packet masking. We evaluate the performance of SD-Transformer on three datasets, i.e., ISCX-VPN, USTC-TFC, and our generated noise-containingWeb Application Traffic dataset (WEB-APP), and it achieves an accuracy of 95.97%, 93.59%, and 99.82%, respectively. Besides, compared to the state-of-the-art methods, the accuracy is increased to 96.82% (.16.0%) and 85.41% (.17.76%) on the WEB-APP dataset under different API parameters and network latency environments, respectively. Additionally, the target mask of the SD-Transformer achieves 96.45% accuracy with an improvement of 11.29% on the WEB-APP dataset with latency.

Boyu Sun,Wenyuan Yang,Mengqi Yan,Dehao Wu,Yuesheng Zhu,Zhiqiang Bai

DOI: https://doi.org/10.1109/ipccc50635.2020.9391542

2020-01-01

Abstract:The increase in the source and size of encrypted network traffic brings significant challenges for network traffic analysis. The challenging problem in the encrypted traffic classification field is obtaining high classification accuracy with small number of labeled samples. To solve this problem, we propose a novel encryption traffic classification method that learns the feature representation from the traffic structure and the traffic flow data in this paper. We construct a K-Nearest Neighbor (KNN) traffic graph to represent the structure of traffic data, which contains more similarity information about the traffic. We utilize a two-layer Graph Convolutional Network (GCN) architecture for flows feature extraction and encrypted traffic classification. We further use the autoencoder to learn the representation of the flow data itself and integrate it into the GCN-learned representation to form a more complete feature representation. The proposed method leverages the benefits of the GCN and the autoencoder, which can obtain higher classification performance with only very few labeled data. The experimental results on two public datasets demonstrate that our method achieves impressive results compared to the state-of-the-art competitors.

Xin Wang,Shuhui Chen,Jinshu Su

DOI: https://doi.org/10.1109/access.2020.3029190

IF: 3.9

2020-01-01

IEEE Access

Abstract:The proliferation of handheld devices has led to an explosive growth of mobile traffic volumes on the Internet. Identifying mobile apps from network traffic has become a crucial task for mobile network management and security. Traditionally, the design of accurate identifiers relies on the deep packet inspection (DPI) techniques. However, such approaches have become less effective with the raising adoption of encrypted protocols in mobile applications (mostly TLS). To address the problem, various machine learning methods have been studied and used. Most of them use linear classifiers on top of hand-engineered features, which are unreliable due to the complexity of mobile traffic. In this article we propose App-Net, an end-to-end hybrid neural network for mobile app identification from encrypted TLS traffic. App-Net is designed by combining RNN and CNN in a parallel way and can automatically learn effective features from raw TLS flows. With coordinated fusion and optimized training, the hybrid and multimodal architecture is able to characterize both flow sequence patterns and app signatures to learn a joint flow-app embedding. We evaluate App-Net on a real-world dataset covering 80 apps. The results show that our method can achieve an excellent performance and outperform the state-of-the-art methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

Peng Zhang,Chuang Lin

DOI: https://doi.org/10.1007/978-3-319-31083-1_5

2016-01-01

Abstract:Wireless network coding is a promising technique that can enhance the throughput of wireless networks. However, such a technique also bears a serious security drawback: it breaks the current privacy-preserving protocols (e.g., Onion Routing), since their operations conflict each other. As user privacy in wireless networks is highly valued nowadays, a new privacy-preserving scheme that can function with wireless network coding becomes indispensable. To this end, this chapter presents a novel anonymity scheme named ANOC, which can function in network coding-based wireless mesh networks. ANOC is built upon the classic Onion Routing protocol and resolves its conflict with network coding by introducing efficient cooperation among relay nodes. Using ANOC, we can perform network coding to achieve a higher throughput, while still preserving user privacy in wireless mesh networks. We formally show how ANOC achieves the property of relationship anonymity and conduct extensive experiments via NSclick to demonstrate its feasibility and efficiency when integrated with network coding.

Yanjie He,Wei Li

DOI: https://doi.org/10.3390/s22114216

IF: 3.9

2022-01-01

Sensors

Abstract:Anonymous proxies are used by criminals for illegal network activities due to their anonymity, such as data theft and cyber attacks. Therefore, anonymous proxy traffic detection is very essential for network security. In recent years, detection based on deep learning has become a hot research topic, since deep learning can automatically extract and select traffic features. To make (heterogeneous) network traffic adapt to the homogeneous input of typical deep learning algorithms, a major branch of existing studies convert network traffic into images for detection. However, such studies are commonly subject to the limitation of large-sized image representation of network traffic, resulting in very large storage and computational resource overhead. To address this limitation, a novel method for anonymous proxy traffic detection is proposed. The method is one of the solutions to reduce storage and computational resource overhead. Specifically, it converts the sequences of the size and inter-arrival time of the first N packets of a flow into images, and then categorizes the converted images using the one-dimensional convolutional neural network. Both proprietary and public datasets are used to validate the proposed method. The experimental results show that the converted images of the method are at least 90% smaller than that of existing image-based deep learning methods. With substantially smaller image sizes, the method can still achieve F1 scores up to 98.51% in Shadowsocks traffic detection and 99.8% in VPN traffic detection.

Ruijie Zhao,Mingwei Zhan,Xianwen Deng,Yanhao Wang,Yijun Wang,Guan Gui,Zhi Xue

DOI: https://doi.org/10.1609/aaai.v37i4.25674

2023-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Traffic classification is a critical task in network security and management. Recent research has demonstrated the effectiveness of the deep learning-based traffic classification method. However, the following limitations remain: (1) the traffic representation is simply generated from raw packet bytes, resulting in the absence of important information; (2) the model structure of directly applying deep learning algorithms does not take traffic characteristics into account; and (3) scenario-specific classifier training usually requires a labor-intensive and time-consuming process to label data. In this paper, we introduce a masked autoencoder (MAE) based traffic transformer with multi-level flow representation to tackle these problems. To model raw traffic data, we design a formatted traffic representation matrix with hierarchical flow information. After that, we develop an efficient Traffic Transformer, in which packet-level and flow-level attention mechanisms implement more efficient feature extraction with lower complexity. At last, we utilize the MAE paradigm to pre-train our classifier with a large amount of unlabeled data, and perform fine-tuning with a few labeled data for a series of traffic classification tasks. Experiment findings reveal that our method outperforms state-of-the-art methods on five real-world traffic datasets by a large margin. The code is available at https://github.com/NSSL-SJTU/YaTC.

Wei Wang,Ming Zhu,Jinlin Wang,Xuewen Zeng,Zhongzhen Yang

DOI: https://doi.org/10.1109/isi.2017.8004872

2017-07-01

Abstract:Traffic classification plays an important and basic role in network management and cyberspace security. With the widespread use of encryption techniques in network applications, encrypted traffic has recently become a great challenge for the traditional traffic classification methods. In this paper we proposed an end-to-end encrypted traffic classification method with one-dimensional convolution neural networks. This method integrates feature extraction, feature selection and classifier into a unified end-to-end framework, intending to automatically learning nonlinear relationship between raw input and expected output. To the best of our knowledge, it is the first time to apply an end-to-end method to the encrypted traffic classification domain. The method is validated with the public ISCX VPN-nonVPN traffic dataset. Among all of the four experiments, with the best traffic representation and the fine-tuned model, 11 of 12 evaluation metrics of the experiment results outperform the state-of-the-art method, which indicates the effectiveness of the proposed method.

Yuzong Hu,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1109/trustcom50675.2020.00064

2020-01-01

Abstract:In recent years, more and more anonymous network have been developed. Since user's identity is difficult to trace in anonymous networks, many illegal activities are carried out in darknet. In this paper, we propose a hierarchical classifier of darknet traffic which can distinguish four types of darknet(Tor, I2P, ZeroNet, Freenet) and 25 darknet users' behavior. Due to the lack of public datasets, we deployed a darknet data probe that can capture real darknet traffic in Tor, I2P, ZeroNet, Freenet. After collecting and labeling darknet traffic, we extract 26 time-based flow features that can represent the characteristics of darknet traffic and train a hierarchical classifier constructed by 6 local classifiers. Results show that the classifier can easily distinguish Tor, I2P, ZeroNet, Freenet four kinds of darknet clients with an accuracy of 96.9% and identify 8 kinds of user behaviors for each type of darknet with an accuracy of 91.6% on average. With the help of this hierarchical classification method, darknet user behaviors can be accurately distinguished at the traffic exit.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.