Ma Rongkuan,Zheng Hao,Wang Jingyi,Wang Mufeng,Wei Qiang,Wang Qingxian

DOI: https://doi.org/10.1631/fitee.2000709

IF: 2.526

2022-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program tests and intrusion detection. Conventional protocol reverse engineering methods have been proposed which are considered time-consuming, tedious, and error-prone. Recently, automatical protocol reverse engineering methods have been proposed which are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has a low coarse-grained and overly fine-grained match ratio. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).

Yipeng Wang,Xiaochun Yun,Yongzheng Zhang

DOI: https://doi.org/10.1109/icnp.2015.43

2015-01-01

Abstract:Protocol traffic analysis is important for a variety of networking and security infrastructures, such as intrusion detection and prevention systems, network management systems, and protocol specification parsers. In this paper, we propose ProHacker, a nonparametric approach that extracts robust and accurate protocol keywords from network traces and effectively identifies the protocol trace from mixed Internet traffic. ProHacker is based on the key insight that the n-grams of protocol traces have highly predictable statistical nature that can be effectively captured by statistical language models and leveraged for robust and accurate protocol identification. In ProHacker, we first extract protocol keywords using a nonparametric Bayesian statistical model, and then use the corresponding protocol keywords to classify protocol traces by a semi-supervised learning algorithm. We implement and evaluate ProHacker on real-world traces, including SMTP, FTP, PPLive, SopCast, and PPStream, and our experimental results show that ProHacker can accurately identify the protocol trace with an average precision of about 99.42% and an average recall of about 98.64%. We also compare the results of ProHacker to two state-of-the-art approaches ProWord and Securitas using backbone traffic. We show that ProHacker provides significant improvements on precision and recall for online protocol identification.

Junhai Yang,Fenghua Li,Yixuan Zhang,Junhao Zhang,Liang Fang,Yunchuan Guo

2024-12-04

Abstract:Protocol Reverse Engineering (PRE) is used to analyze protocols by inferring their structure and behavior. However, current PRE methods mainly focus on field identification within a single protocol and neglect Protocol State Machine (PSM) analysis in mixed protocol environments. This results in insufficient analysis of protocols' abnormal behavior and potential vulnerabilities, which are crucial for detecting and defending against new attack patterns. To address these challenges, we propose an automatic PSM inference framework for unknown protocols, including a fuzzy membership-based auto-converging DBSCAN algorithm for protocol format clustering, followed by a session clustering algorithm based on Needleman-Wunsch and K-Medoids algorithms to classify sessions by protocol type. Finally, we refine a probabilistic PSM algorithm to infer protocol states and the transition conditions between these states. Experimental results show that, compared with existing PRE techniques, our method can infer PSMs while enabling more precise classification of protocols.

Cryptography and Security

Haiyang Wei,Zhengjie Du,Haohui Huang,Yue Liu,Guang Cheng,Linzhang Wang,Bing Mao

2024-06-14

Abstract:State machines play a pivotal role in augmenting the efficacy of protocol analyzing to unveil more vulnerabilities. However, the task of inferring state machines from network protocol implementations presents significant challenges. Traditional methods based on dynamic analysis often overlook crucial state transitions due to limited coverage, while static analysis faces difficulties with complex code structures and behaviors. To address these limitations, we propose an innovative state machine inference approach powered by Large Language Models (LLMs). Utilizing text-embedding technology, this method allows LLMs to dissect and analyze the intricacies of protocol implementation code. Through targeted prompt engineering, we systematically identify and infer the underlying state machines. Our evaluation across six protocol implementations demonstrates the method's high efficacy, achieving an accuracy rate exceeding 90% and successfully delineating differences on state machines among various implementations of the same protocol. Importantly, integrating this approach with protocol fuzzing has notably enhanced AFLNet's code coverage by 10% over RFCNLP, showcasing the considerable potential of LLMs in advancing network protocol security analysis. Our proposed method not only marks a significant step forward in accurate state machine inference but also opens new avenues for improving the security and reliability of protocol implementations.

Cryptography and Security

Yipeng Wang,Xiaochun Yun,Yongzheng Zhang,Liwei Chen,Tianning Zang

DOI: https://doi.org/10.1016/j.comnet.2017.09.006

IF: 5.493

2017-01-01

Computer Networks

Abstract:Protocol traffic analysis is a fundamental problem regarding a variety of networking and security applications, such as intrusion detection and prevention systems, network management systems, and protocol specification parsers. In this paper, we propose ProHacker, a nonparametric approach that extracts robust and accurate protocol keywords from the byte sequences generated by an application protocol, and effectively identifies the protocol trace from mixed Internet traffic. ProHacker is based on the key insight that the n-grams of protocol traces have highly predictable statistical nature that can be effectively captured by statistical language models and be leveraged for robust and accurate protocol identification. In ProHacker, we first extract protocol keywords using a nonparametric Bayesian statistical model, and then use the corresponding protocol keywords to classify protocol traces by a semi-supervised learning algorithm. We implement and evaluate ProHacker on real-world traces, and our experimental results show that ProHacker can accurately identify the protocol trace with an average precision of about 99.4% and an average recall of about 99.28%. We compare the results of ProHacker to one state-of-the-art approach, ProWord, and one our previous work, Securitas, using backbone traffic. We note that ProHacker provides significant improvements on precision and recall for online protocol identification.

Haiyang Wei,Zhengjie Du,Haohui Huang,Yue Liu,Guang Cheng,Linzhang Wang,Bing Mao

DOI: https://doi.org/10.48550/arxiv.2405.00393

2024-01-01

Abstract:State machines play a pivotal role in augmenting the efficacy of protocolanalyzing to unveil more vulnerabilities. However, the task of inferring statemachines from network protocol implementations presents significant challenges.Traditional methods based on dynamic analysis often overlook crucial statetransitions due to limited coverage, while static analysis faces difficultieswith complex code structures and behaviors. To address these limitations, wepropose an innovative state machine inference approach powered by LargeLanguage Models (LLMs). Utilizing text-embedding technology, this method allowsLLMs to dissect and analyze the intricacies of protocol implementation code.Through targeted prompt engineering, we systematically identify and infer theunderlying state machines. Our evaluation across six protocol implementationsdemonstrates the method's high efficacy, achieving an accuracy rate exceeding90implementations of the same protocol. Importantly, integrating this approachwith protocol fuzzing has notably enhanced AFLNet's code coverage by 10RFCNLP, showcasing the considerable potential of LLMs in advancing networkprotocol security analysis. Our proposed method not only marks a significantstep forward in accurate state machine inference but also opens new avenues forimproving the security and reliability of protocol implementations.

Qingkai Shi,Xiangzhe Xu,Xiangyu Zhang

2024-07-01

Abstract:Reverse engineering of protocol message formats is critical for many security applications. Mainstream techniques use dynamic analysis and inherit its low-coverage problem -- the inferred message formats only reflect the features of their inputs. To achieve high coverage, we choose to use static analysis to infer message formats from the implementation of protocol parsers. In this work, we focus on a class of extremely challenging protocols whose formats are described via constraint-enhanced regular expressions and parsed using finite-state machines. Such state machines are often implemented as complicated parsing loops, which are inherently difficult to analyze via conventional static analysis. Our new technique extracts a state machine by regarding each loop iteration as a state and the dependency between loop iterations as state transitions. To achieve high, i.e., path-sensitive, precision but avoid path explosion, the analysis is controlled to merge as many paths as possible based on carefully-designed rules. The evaluation results show that we can infer a state machine and, thus, the message formats, in five minutes with over 90% precision and recall, far better than state of the art. We also applied the state machines to enhance protocol fuzzers, which are improved by 20% to 230% in terms of coverage and detect ten more zero-days compared to baselines.

Cryptography and Security,Programming Languages,Software Engineering

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

YiPeng Wang,Xiaochun Yun,Yongzheng Zhang,Liwei Chen,Guangjun Wu

DOI: https://doi.org/10.1016/j.jnca.2017.10.009

IF: 7.574

2017-01-01

Journal of Network and Computer Applications

Abstract:Protocol fingerprints are a set of byte subsequences within packet payload that can distinguish individual application protocols. They play an important role for deep packet analysis in traffic normalization and network management. In this paper, we propose ProPrint, a network trace-based protocol fingerprint inference system. In ProPrint, we first build a protocol language model based on a modified nonparametric Bayesian statistical model. Second, we use the corresponding protocol language model to identify field boundaries in packet payload, such that we can segment each payload into a set of protocol feature words according to the hidden structure information. Third, we propose a ranking algorithm that selects true protocol fingerprints from the candidate protocol feature words. In evaluations, we measure ProPrint on real-world network traces, and also compare ProPrint to existing state-of-the-art solutions, ProWord and Securitas. The experimental results show that ProPrint performs better than ProWord and Securitas on f-measure for online application classification.

Sicong Li,Jian Wang,Shuo Wang,Yafei Song

DOI: https://doi.org/10.1016/j.heliyon.2024.e35965

IF: 3.776

2024-08-08

Heliyon

Abstract:With the development of automated malware toolkits, cybersecurity faces evolving threats. Although visualization-based malware analysis has proven to be an effective method, existing approaches struggle with challenging malware samples due to alterations in the texture features of binary images during the visualization preprocessing stage, resulting in poor performance. Furthermore, to enhance classification accuracy, existing methods sacrifice prediction time by designing deeper neural network architectures. This paper proposes PAFE, a lightweight and visualization-based rapid malware classification method. It addresses the issue of texture feature variations in preprocessing through pixel-filling techniques and applies data augmentation to overcome the challenges of class imbalance in small sample datasets. PAFE combines multi-scale feature fusion and a channel attention mechanism, enhancing feature expression through modular design. Extensive experimental results demonstrate that PAFE outperforms the current state-of-the-art methods in both efficiency and effectiveness for malware variant classification, achieving an accuracy rate of 99.25 % with a prediction time of 10.04 ms.

Yong Wang,Nan Zhang,Yan-mei Wu,Bin-bin Su

DOI: https://doi.org/10.1007/978-3-642-53917-6_40

2013-01-01

Abstract:Protocol reverse engineering is becoming important in analyzing unknown protocols. Unfortunately, many techniques often have some limitations for few priori information or the time-consuming problem. To address these issues, we propose a framework based on protocol finite state machine FSM construction, which can infer the protocol specifications without any priori information of protocols. To improve our framework's efficiency, we identify the keywords before the finite state construction. Our framework constructs two FSMs, one is L --- FSM language FSM and the other is S --- FSM state FSM. L --- FSM is to illustrate the protocol languages. S --- FSM shows protocol sessions' state transitions. We evaluate our framework with both binary and text protocol. The ARP and the SMTP are the target protocols as inputs. The precision rate and the recall rate are used for evaluation criterias in our experiments. The ARP's precision and recall rate are both reached 100%. The SMTP's precision rate is 100% and recall rate is almost 98%.

Yipeng Wang,Xiaochun Yun,M. Zubair Shafiq,Liyan Wang,Alex X. Liu,Zhibin Zhang,Danfeng (Daphne) Yao,Yongzheng Zhang,Li Guo

DOI: https://doi.org/10.1109/icnp.2012.6459963

2012-01-01

Abstract:Extracting the protocol message format specifications of unknown applications from network traces is important for a variety of applications such as application protocol parsing, vulnerability discovery, and system integration. In this paper, we propose ProDecoder, a network trace based protocol message format inference system that exploits the semantics of protocol messages without the executable code of application protocols. ProDecoder is based on the key insight that the n-grams of protocol traces exhibit highly skewed frequency distribution that can be leveraged for accurate protocol message format inference. In ProDecoder, we first discover the latent relationship among n-grams by first grouping protocol messages with the same semantics and then inferring message formats by keyword based clustering and cluster sequence alignment. We implemented and evaluated ProDecoder to infer message format specifications of SMB (a binary protocol) and SMTP (a textual protocol). Our experimental results show that ProDecoder accurately parses and infers SMB protocol with 100% precision and recall. For SMTP, ProDecoder achieves approximately 95% precision and recall.

Yixuan Ma,Shuang Liu,Jiajun Jiang,Guanhong Chen,Keqiu Li

DOI: https://doi.org/10.1145/3468264.3473925

2021-10-29

Abstract:Driven by the high profit, Portable Executable (PE) malware has been consistently evolving in terms of both volume and sophistication. PE malware family classification has gained great attention and a large number of approaches have been proposed. With the rapid development of machine learning techniques and the exciting results they achieved on various tasks, machine learning algorithms have also gained popularity in the PE malware family classification task. Three mainstream approaches that use learning based algorithms, as categorized by the input format the methods take, are image-based, binary-based and disassembly-based approaches. Although a large number of approaches are published, there is no consistent comparisons on those approaches, especially from the practical industry adoption perspective. Moreover, there is no comparison in the scenario of concept drift, which is a fact for the malware classification task due to the fast evolving nature of malware. In this work, we conduct a thorough empirical study on learning-based PE malware classification approaches on 4 different datasets and consistent experiment settings. Based on the experiment results and an interview with our industry partners, we find that (1) there is no individual class of methods that significantly outperforms the others; (2) All classes of methods show performance degradation on concept drift (by an average F1-score of 32.23%); and (3) the prediction time and high memory consumption hinder existing approaches from being adopted for industry usage.

Cryptography and Security,Machine Learning,Software Engineering

Yapeng Ye,Zhuo Zhang,Fei Wang,Xiangyu Zhang,Dongyan Xu

DOI: https://doi.org/10.14722/ndss.2021.24531

2021-01-01

Abstract:Network protocol reverse engineering is an important challenge with many security applications. A popular kind of method leverages network message traces. These methods rely on pair-wise sequence alignment and/or tokenization. They have various limitations such as difficulties of handling a large number of messages and dealing with inherent uncertainty. In this paper, we propose a novel probabilistic method for network trace based protocol reverse engineering. It first makes use of multiple sequence alignment to align all messages and then reduces the problem to identifying the keyword field from the set of aligned fields. The keyword field determines the type of a message. The identification is probabilistic, using random variables to indicate the likelihood of each field (being the true keyword). A joint distribution is constructed among the random variables and the observations of the messages. Probabilistic inference is then performed to determine the most likely keyword field, which allows messages to be properly clustered by their true types and enables the recovery of message format and state machine. Our evaluation on 10 protocols shows that our technique substantially outperforms the state-of-the-art and our case studies show the unique advantages of our technique in IoT protocol reverse engineering and malware analysis.

Michael Zipperle,Yu Zhang,Elizabeth Chang,Tharam Dillon

DOI: https://doi.org/10.1016/j.jisa.2023.103682

IF: 4.96

2024-01-20

Journal of Information Security and Applications

Abstract:With the rapidly increasing volume of cyber-attacks over the past years due to the new working-from-home paradigm, protecting hosts, networks, and individuals from cyber threats is in higher demand than ever. One promising solution are Provenance-based Intrusion Detection Systems (PIDS), which correlate host-based security logs to generate provenance graphs that describe the causal relationship between system entities. PIDS have shown significant potential in enhancing detection performance and reducing false alarms compared to traditional Intrusion Detection Systems (IDS). Rule-based approaches used in PIDS utilize expert-defined rule sets to identify known malicious patterns in provenance graphs. Although these rule-based techniques have been widely applied, they can only detect known attack patterns, are heavily dependent on the quality of the rules, and creating rules manually is time-consuming. To address these shortcomings, this study proposed two novel techniques: the Multi-level Attack Description Model (MADM) for describing attack patterns at multiple granularity levels and the Provenance-enabled Automated Rule Generation and Matching Framework (PARGMF) to generate rules deterministically and promptly. We evaluated the proposed approaches using the DARPA OpTC dataset, complemented by a practical case study. This case study involved a prototype extension for the CAPEv2 sandbox environment, demonstrating the real-world applicability of our approaches. Our results demonstrate, firstly, that PARGMF generates rules deterministically with an average processing time of only 13.11 s compared to multiple hours or even days for manual rule creation by security experts. Secondly, through generalization of attack descriptions, MADM enhanced the robustness of rules by 21.9% for Behavioural Attack Description (BAD) and 25% for Structural Attack Description (SAD) compared to approaches without generalization. Another added benefit compared to existing approaches is that PARGMF also generates differential graphs to support security experts' timely validation of security alarms.

computer science, information systems

Yi-Chuan Wang,Bin-Bin Bai,Xin-Hong Hei,Ju Ren,Wen-Jiang Ji

DOI: https://doi.org/10.6688/jise.202007_36(4).0005

2020-01-01

Journal of information science and engineering

Abstract:In recent years, unscrupulous hacker attacks have led to the information leakage of enterprise and individual network users, which makes the network security issue unprecedented concerned. Botnet and dark network, which use C & C channel of unknown protocol format to communicate, are the important parts. With the development of wireless mobile networks technology, this problem becomes more prominent. Classifying and identifying the unknown protocol features can help us to judge and predict the unknown attack behavior in the Internet of things environment, so as to protect the network security. Firstly, this paper compares the protocol features to be detected with the existing protocol features in the feature base through the vectorization operation of protocol features, selects the feature set with high recognition rate, and judges the similarity between protocols. The extracted composite features are digitized to generate 0-1 matrix, then Principal Component Analysis (PCA) dimension reduction is processed, and finally clustering analysis is carried out. A Clique to Protocol Feature Vectorization (CPFV) algorithm is designed to improve the efficiency of protocol clustering and finally generate a new protocol format. The experimental results show that compared with the traditional Clique and BIRCH algorithms, the proposed optimization algorithm improves the accuracy by 20% and the stability by 15%. It can cluster and identify unknown protocols accurately and quickly.

Syed Khurram Jah Rizvi,Warda Aslam,Muhammad Shahzad,Shahzad Saleem,Muhammad Moazam Fraz

DOI: https://doi.org/10.1007/s40747-021-00560-1

2021-10-12

Abstract:Abstract Enterprises are striving to remain protected against malware-based cyber-attacks on their infrastructure, facilities, networks and systems. Static analysis is an effective approach to detect the malware, i.e., malicious Portable Executable (PE). It performs an in-depth analysis of PE files without executing, which is highly useful to minimize the risk of malicious PE contaminating the system. Yet, instant detection using static analysis has become very difficult due to the exponential rise in volume and variety of malware. The compelling need of early stage detection of malware-based attacks significantly motivates research inclination towards automated malware detection. The recent machine learning aided malware detection approaches using static analysis are mostly supervised. Supervised malware detection using static analysis requires manual labelling and human feedback; therefore, it is less effective in rapidly evolutionary and dynamic threat space. To this end, we propose a progressive deep unsupervised framework with feature attention block for static analysis-based malware detection (PROUD-MAL). The framework is based on cascading blocks of unsupervised clustering and features attention-based deep neural network. The proposed deep neural network embedded with feature attention block is trained on the pseudo labels. To evaluate the proposed unsupervised framework, we collected a real-time malware dataset by deploying low and high interaction honeypots on an enterprise organizational network. Moreover, endpoint security solution is also deployed on an enterprise organizational network to collect malware samples. After post processing and cleaning, the novel dataset consists of 15,457 PE samples comprising 8775 malicious and 6681 benign ones. The proposed PROUD-MAL framework achieved an accuracy of more than 98.09% with better quantitative performance in standard evaluation parameters on collected dataset and outperformed other conventional machine learning algorithms. The implementation and dataset are available at https://bit.ly/35Sne3a .

computer science, artificial intelligence

Wei Qiao,Yebo Feng,Teng Li,Zijian Zhang,Zhengzi Xu,Zhuo Ma,Yulong Shen,JianFeng Ma,Yang Liu

2024-10-23

Abstract:Advanced Persistent Threats (APTs) represent sophisticated cyberattacks characterized by their ability to remain undetected within the victim system for extended periods, aiming to exfiltrate sensitive data or disrupt operations. Existing detection approaches often struggle to effectively identify these complex threats, construct the attack chain for defense facilitation, or resist adversarial attacks. To overcome these challenges, we propose Slot, an advanced APT detection approach based on provenance graphs and graph reinforcement learning. Slot excels in uncovering multi-level hidden relationships, such as causal, contextual, and indirect connections, among system behaviors through provenance graph mining. By pioneering the integration of graph reinforcement learning, Slot dynamically adapts to new user activities and evolving attack strategies, enhancing its resilience against adversarial attacks. Additionally, Slot automatically constructs the attack chain according to detected attacks with clustering algorithms, providing precise identification of attack paths and facilitating the development of defense strategies. Evaluations with real-world datasets demonstrate Slot's outstanding accuracy, efficiency, adaptability, and robustness in APT detection, with most metrics surpassing state-of-the-art methods. Additionally, case studies conducted to assess Slot's effectiveness in supporting APT defense further establish it as a practical and reliable tool for cybersecurity protection.

Cryptography and Security

Zijun Hang,Yi Xie,Yuliang Lu,Yongjie Wang

DOI: https://doi.org/10.1145/3607199.3607206

2023-10-16

Abstract:Malicious traffic classification is crucial for Intrusion Detection Systems (IDS). However, traditional Machine Learning approaches necessitate expert knowledge and a significant amount of well-labeled data. Although recent studies have employed pre-training models from the Natural Language Processing domain, such as ET-BERT, for traffic classification, their effectiveness is impeded by limited input length and fixed Byte Pair Encoding. To address these challenges, this paper presents Flow-MAE, a pre-training model that employs Masked AutoEncoders (MAE) from the Computer Vision domain to achieve accurate, efficient, and robust malicious network traffic classification. Flow-MAE overcomes these challenges by utilizing burst (a generic representation of network traffic) and patch embedding to accommodate extensive traffic length. Moreover, Flow-MAE introduces a self-supervised pre-training task, the Masked Patch Model, which captures unbiased representations from bursts with varying lengths and patterns. Experimental results from six datasets reveal that Flow-MAE achieves new state-of-the-art accuracy (>0.99), efficiency (>900 samples/s), and robustness across diverse network traffic types. In comparison to the state-of-the-art ET-BERT, Flow-MAE exhibits improvements in accuracy and speed by 0.41%-1.93% and 7.8x-10.3x, respectively, while necessitating only 0.2% FLOPs and 44% memory overhead. The efficacy of the core designs is validated through few-shot learning and ablation experiments. The code is publicly available at https://github.com/NLear/Flow-MAE.

Computer Science

Xiaochen Liu,Jizhong Shen,Wufeng Zhao

DOI: https://doi.org/10.1109/IWW-BCI.2019.8737320

2019-01-01

Abstract:To detect network fraud, a three-stimulus paradigm was used in a mock crime P300-based concealed information test. A P300-based deception detection method based on a modified genetic algorithm and a confidence-coefficient-based combined classifier was created for mock network fraud detection. After the multi-domain integrated signal preprocessing and feature extraction, a modified logistic equation based multi-population genetic algorithm was adopted for feature selection to obtain an optimal feature subset. Then the confidence coefficient was proposed to determine the classification difficulty levels of samples. A combined classifier based on confidence coefficient was proposed for classification. Compared with the component classifiers and other individual classifiers, the combined classifier requires 34% less computing time and the mean classification accuracy rate is 0.2 to 2.23 percentage points higher for twelve subjects using leave-one-out cross validation. Experiment results confirm that the proposed method is effective to detect deception during network fraud simulation.