Junchi Xing,Chunming Wu

DOI: https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9162940

2020-01-01

Abstract:The widely used encryption of network traffic poses a great challenge to anomaly detection. Currently, the supervised and semi-supervised solutions suffer from the problems of noisy label of data, non-stationary traffic distribution, and huge resource consumption for offline training. To address this, in this paper, we present an unsupervised, robust, and online anomaly detection method for encrypted traffic by using deep dictionary learning, called D2LAD. D2LAD offers the potential to extract sequential features from raw encrypted traffic data with the help of an LSTM-based autoencoder. Then, according to the sequential features, D2LAD is able to explore the hidden normal patterns by iterative deep dictionary learning. Eventually, D2LAD can obtain the anomaly score of raw data by calculating its relevance to the deep dictionary. We implement a prototype of D2LAD and evaluate its effectiveness and performance by experiments using realistic datasets. The experimental results show that our method achieves high accuracy and low resource usage, and outperforms the representative state-of-the-art methods in real-world settings.

Haozhen Zhang,Le Yu,Xi Xiao,Qing Li,Francesco Mercaldo,Xiapu Luo,Qixu Liu

DOI: https://doi.org/10.48550/arXiv.2307.16713

2023-07-31

Abstract:Encrypted traffic classification is receiving widespread attention from researchers and industrial companies. However, the existing methods only extract flow-level features, failing to handle short flows because of unreliable statistical properties, or treat the header and payload equally, failing to mine the potential correlation between bytes. Therefore, in this paper, we propose a byte-level traffic graph construction approach based on point-wise mutual information (PMI), and a model named Temporal Fusion Encoder using Graph Neural Networks (TFE-GNN) for feature extraction. In particular, we design a dual embedding layer, a GNN-based traffic graph encoder as well as a cross-gated feature fusion mechanism, which can first embed the header and payload bytes separately and then fuses them together to obtain a stronger feature representation. The experimental results on two real datasets demonstrate that TFE-GNN outperforms multiple state-of-the-art methods in fine-grained encrypted traffic classification tasks.

Machine Learning,Artificial Intelligence

Yueping Hong,Qi Li,Yanqing Yang,Meng Shen

DOI: https://doi.org/10.1016/j.ins.2023.119229

IF: 8.1

2023-06-02

Information Sciences

Abstract:At present, the TLS cryptographic protocol is widely deployed. While protecting the security and integrity of transmitted information, it also makes the detection of malicious behavior more difficult. In recent years, researchers have proposed many encrypted malicious traffic detection methods. However, the existing approaches have some shortcomings. Firstly, although researchers have extracted multi-view features from different aspects, which can be divided into vectorized features based on feature engineering and image features based on original data, existing methods cannot fully integrate the features of different forms of expression. Secondly, most of the existing methods do not fully analyze the correlation between different encrypted traffic. Thirdly, the existing methods based on correlation analysis have low processing efficiency and cannot be applied to real networks. In the paper, we present MalDiscovery , a novel technique to discover encrypted malicious traffic to address all the above issues. For encrypted malicious traffic, MalDiscovery constructs an attribute KNN graph, in which encrypted sessions are used as nodes to construct a KNN graph according to the similarity of image features, and vectorized features are used as attributes of corresponding nodes. After that, the GraphSAGE model is used to collect relevant node information through correlation analysis to enrich the embeddings of each node. Finally, we achieve the accurate binary classification of nodes in the graph based on richer embeddings. We use extensive experiments to evaluate the proposed method, and the experiment results show that MalDiscovery can achieve an accuracy of about 99.9%, significantly outperforming all compared methods.

computer science, information systems

Jianyi Liu,Lanting Wang,Wei Hu,Yating Gao,Yaofu Cao,Bingjie Lin,Ru Zhang

DOI: https://doi.org/10.1155/2023/7117863

IF: 1.968

2023-01-08

Security and Communication Networks

Abstract:While encryption ensures the confidentiality and integrity of user data, more and more attackers try to hide attack behaviours through encryption, which brings new challenges to malicious traffic identification. How to effectively detect encrypted malicious traffic without decrypting traffic and protecting user privacy has become an urgent problem to be solved. Most of the current research only uses a single CNN, RNN, and SAE network to detect encrypted malicious traffic, which does not consider the forward and backward correlation between data packets, so it is difficult to effectively identify malicious features in encrypted traffic. This study proposes an approach that combines spatial-temporal feature with dual-attention mechanism, which is called TLARNN. Specifically, first we use 1D-CNN and BiGRU to extract spatial features in encrypted traffic packets and temporal features between encrypted streams, respectively, which enriches the features of different dimensions, and then, the soft attention mechanism is focused on the encrypted data packets to extract features. Ultimately, the second layer of the soft attention mechanism is used for aggregating malicious features. Several comparative experiments are designed to prove the effectiveness of the proposed scheme. The experimental results demonstrate that the proposed scheme has a significant performance improvement compared to existing ones.

computer science, information systems,telecommunications

Juan Zheng,Zhiyong Zeng,Tao Feng

DOI: https://doi.org/10.1155/2022/4274139

IF: 1.968

2022-01-22

Security and Communication Networks

Abstract:Encrypted network traffic is the principal foundation of secure network communication, and it can help ensure the privacy and integrity of confidential information. However, it hides the characteristics of the data, increases the difficulty of detecting malicious traffic, and protects such malicious behavior. Therefore, encryption alone cannot fundamentally guarantee information security. It is also necessary to monitor traffic to detect malicious actions. At present, the more commonly used traffic classification methods are the method based on statistical features and the method based on graphs. However, these two methods are not always reliable when they are applied to the problem of encrypted malicious traffic detection due to their limitations. The former only focuses on the internal information of the network flow itself and ignores the external connections between the network flows. The latter is just the opposite. This paper proposes an encrypted malicious traffic detection method based on a graph convolutional network (GCN) called GCN-ETA, which considers the statistical features (internal information) of network flows and the structural information (external connections) between them. GCN-ETA consists of two parts: a feature extractor that uses an improved GCN and a classifier that uses a decision tree. Improving on the traditional GCN, the effect and speed of encrypted malicious traffic detection can be effectively improved and the deployment of the detection model in the real environment is increased, which provides a reference for the application of GCN in similar scenarios. This method has achieved excellent performance in experiments using real-world encrypted network traffic data for malicious traffic detection, with the accuracy, AUC, and F1-score exceeding 98% and more than 1,300 flows detected per second.

computer science, information systems,telecommunications

In-Su Jung,Yu-Rae Song,Lelisa Adeba Jilcha,Deuk-Hun Kim,Sun-Young Im,Shin-Woo Shim,Young-Hwan Kim,Jin Kwak

DOI: https://doi.org/10.3390/sym16060733

2024-06-13

Symmetry

Abstract:With the continuously growing requirement for encryption in network environments, web browsers are increasingly employing hypertext transfer protocol security. Despite the increase in encrypted malicious network traffic, the encryption itself limits the data accessible for analyzing such behavior. To mitigate this, several studies have examined encrypted network traffic by analyzing metadata and payload bytes. Recent studies have furthered this approach, utilizing graph neural networks to analyze the structural data patterns within malicious encrypted traffic. This study proposed an enhanced encrypted traffic analysis leveraging graph neural networks which can model the symmetric or asymmetric spatial relations between nodes in the traffic network and optimized feature dimensionality reduction. It classified malicious network traffic by leveraging key features, including the IP address, port, CipherSuite, MessageLen, and JA3 features within the transport-layer-security session data, and then analyzed the correlation between normal and malicious network traffic data. The proposed approach outperformed previous models in terms of efficiency, using fewer features while maintaining a high accuracy rate of 99.5%. This demonstrates its research value as it can classify malicious network traffic with a high accuracy based on fewer features.

multidisciplinary sciences

Quan Ding,Zhengpeng Zha,Yanjun Li,Zhenhua Ling

DOI: https://doi.org/10.14569/ijacsa.2024.01504110

IF: 0.9

2024-01-01

International Journal of Advanced Computer Science and Applications

Abstract:Encrypted traffic classification, a pivotal process in network security and management, involves analyzing and categorizing data traffic that has been encrypted for privacy and security. This task demands the extraction of distinctive and robust feature representations from content-concealed data to ensure accurate and reliable classification. Traditional approaches have focused on utilizing either the payload of encrypted traffic or statistical features for more precise classification. While these methods achieve relative success, their limitation lies in not harnessing multi-grained features, thus impeding further advancements in encrypted traffic classification capabilities. To tackle this challenge, ET-CompBERT is presented, an innovative framework specifically designed for the fusion of multi-granularity features in encrypted traffic, encompassing both payload and global temporal attributes. The extensive experiments reveal that our approach significantly enhances classification performance in data-rich scenarios (achieving up to a +4.43% improvement in certain cases over existing methods) and establishes state-of-the-art results on training sets with different sizes. The source codes will be released after paper acceptance.

Zitong Hu,Bo Qu,Xiang Li,Cong Li

DOI: https://doi.org/10.1007/978-981-97-5101-3_21

2024-01-01

Abstract:The exponential increase in encrypted traffic presents significant challenges to conventional traffic classification methodologies. The integration of deep learning and time series analysis has emerged as a contemporary approach, but the crucial higher interaction information among encrypted traffic packets is often neglected. Based on the fact that distinct categories of encrypted traffic manifest unique spatial structures and temporal patterns, we introduce a novel deep learning framework, termed Higher-Interaction-Graph encrypted classifier (HIGEC). This framework employs graph convolutional networks (GCN) and higher interaction information among packets for the precise classification of encrypted traffic flows. Initially, our approach incorporates a newly designed module that leverages metadata to transform each encrypted traffic flow into a graph structure, preserving the temporal information and spatial structure between packets. Subsequently, we introduce an advanced graph pooling and merge layer atop the GCN architecture that dynamically derives multi-order graph representations, augmenting our adaptability to diverse network environments. Meanwhile, we propose a new encrypted traffic dataset that addresses the inherent limitations of currently available public datasets to validate the effectiveness of our model. Comprehensive testing on our proposed dataset and two more public real-world datasets demonstrates that the HIGEC model significantly enhances accuracy, outperforming existing state-of-the-art methods.

Chuanyu Zhao,Shudong Li,Xiaobo Wu,Weihong Han,Zhihong Tian,Maofei Chen

DOI: https://doi.org/10.1109/dsc53577.2021.00097

2021-01-01

Abstract:The number of malware attacks that use encrypted HTTP traffic to self-propagate or communicate has increased dramatically in recent years. Traditional network traffic detection methods for non-encrypted traffic are difficult to be applied to encrypted traffic detection. While encryption is good for protecting users' privacy, it also comes with a security risk: malicious traffic may hide in encrypted traffic, leading to a series of security problems. Since the encrypted payload cannot be directly observed and it is large, we need to combine domain knowledge and machine learning method to excavate the features hidden in malicious traffic, so as to realize automatic detection of malicious traffic. In this paper, we propose a malicious traffic detection framework based on ensemble learning using the encrypted traffic from real malware, including normal traffic generated by 3000 normal hosts and malicious traffic generated by 3000 malware-infected hosts, provided by DATACON2020 competition. Considering the complexity to decrypt traffic, we use statistical features and sequence features in both flow-level and in host-level perspectives to describe encrypted traffic. Then we build multiple classifiers according to heterogeneous features. Finally we do majority voting to get final result. We achieve 95.0% TPR and 8.4% FPR.

Hong Huang,Xingxing Zhang,Ye Lu,Ze Li,Shaohua Zhou

DOI: https://doi.org/10.32604/cmc.2024.047918

2024-01-01

Abstract:While encryption technology safeguards the security of network communications, malicious traffic also uses encryption protocols to obscure its malicious behavior. To address the issues of traditional machine learning methods relying on expert experience and the insufficient representation capabilities of existing deep learning methods for encrypted malicious traffic, we propose an encrypted malicious traffic classification method that integrates global semantic features with local spatiotemporal features, called BERT-based Spatio-Temporal Features Network (BSTFNet). At the packet-level granularity, the model captures the global semantic features of packets through the attention mechanism of the Bidirectional Encoder Representations from Transformers (BERT) model. At the byte-level granularity, we initially employ the Bidirectional Gated Recurrent Unit (BiGRU) model to extract temporal features from bytes, followed by the utilization of the Text Convolutional Neural Network (TextCNN) model with multi-sized convolution kernels to extract local multi-receptive field spatial features. The fusion of features from both granularities serves as the ultimate multidimensional representation of malicious traffic. Our approach achieves accuracy and F1-score of 99.39% and 99.40%, respectively, on the publicly available USTC-TFC2016 dataset, and effectively reduces sample confusion within the Neris and Virut categories. The experimental results demonstrate that our method has outstanding representation and classification capabilities for encrypted malicious traffic.

computer science, information systems,materials science, multidisciplinary

Juncheng Guo,Yafei Sang,Peng Chang,Xiaolin Xu,Yongzheng Zhang

DOI: https://doi.org/10.1007/978-3-030-77964-1_16

2021-01-01

Abstract:As the use of encryption protocols increase, so does the challenge of identifying malware encrypted traffic. One of the most significant challenges is the robustness of the model in different scenarios. In this paper, we propose an ensemble learning approach based on multi-grained features to address this problem which is called MGEL. The MGEL builds diverse base learners using multi-grained features and then identifies malware encrypted traffic in a stacking way. Moreover, we introduce the self-attention mechanism to process sequence features and solve the problem of long-term dependence. We verify the effectiveness of the MGEL on two public datasets and the experimental results show that the MGEL approach outperforms other state-of-the-art methods in four evaluation metrics.

Boyu Sun,Wenyuan Yang,Mengqi Yan,Dehao Wu,Yuesheng Zhu,Zhiqiang Bai

DOI: https://doi.org/10.1109/ipccc50635.2020.9391542

2020-01-01

Abstract:The increase in the source and size of encrypted network traffic brings significant challenges for network traffic analysis. The challenging problem in the encrypted traffic classification field is obtaining high classification accuracy with small number of labeled samples. To solve this problem, we propose a novel encryption traffic classification method that learns the feature representation from the traffic structure and the traffic flow data in this paper. We construct a K-Nearest Neighbor (KNN) traffic graph to represent the structure of traffic data, which contains more similarity information about the traffic. We utilize a two-layer Graph Convolutional Network (GCN) architecture for flows feature extraction and encrypted traffic classification. We further use the autoencoder to learn the representation of the flow data itself and integrate it into the GCN-learned representation to form a more complete feature representation. The proposed method leverages the benefits of the GCN and the autoencoder, which can obtain higher classification performance with only very few labeled data. The experimental results on two public datasets demonstrate that our method achieves impressive results compared to the state-of-the-art competitors.

Ming Liu,Qichao Yang,Wenqing Wang,Shengli Liu

DOI: https://doi.org/10.3390/s24206507

IF: 3.9

2024-10-11

Sensors

Abstract:The exponential growth of encrypted network traffic poses significant challenges for detecting malicious activities online. The scale of emerging malicious traffic is significantly smaller than that of normal traffic, and the imbalanced data distribution poses challenges for detection. However, most existing methods rely on single-category features for classification, which struggle to detect covert malicious traffic behaviors. In this paper, we introduce a novel semi-supervised approach to identify malicious traffic by leveraging multimodal traffic characteristics. By integrating the sequence and topological information inherent in the traffic, we achieve a multifaceted representation of encrypted traffic. We design two independent neural networks to learn the corresponding sequence and topological features from the traffic. This dual-feature extraction enhances the model's robustness in detecting anomalies within encrypted traffic. The model is trained using a joint strategy that minimizes both the reconstruction error from the autoencoder and the classification loss, allowing it to effectively utilize limited labeled data alongside a large amount of unlabeled data. A confidence-estimation module enhances the classifier's ability to detect unknown attacks. Finally, our method is evaluated on two benchmark datasets, UNSW-NB15 and CICIDS2017, under various scenarios, including different training set label ratios and the presence of unknown attacks. Our model outperforms other models by 3.49% and 5.69% in F1 score at labeling rates of 1% and 0.1%, respectively.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jiangang Hou,Tong Jiang,Yanmiao Li,Hao Guo,Zhen Zhang,Zhi Liu

DOI: https://doi.org/10.1109/CCCI52664.2021.9583191

2021-10-15

Abstract:With more and more encrypted traffic such as HTTPS, encrypted traffic protects not only normal traffic, but also malicious traffic. Identification of encrypted malicious traffic without decryption has become a research hotspot. Combined with deep learning, an important branch of machine learning, encrypted malicious traffic detection has achieved good results. This paper reviews the detection of encrypted malicious traffic in recent years. Firstly, we classify encrypted malicious traffic. Secondly, we sorts out the extraction characteristics of encrypted malicious traffic, the key and difficult problems we are facing at present. Then, with encrypted malicious traffic detection technology as the main line, we summarized the current detection model from the four core aspects of data collection, data processing, model training and evaluation improvement. Finally, we analyze the problems and point out future research directions.

Computer Science

Peng Zhu,Gang Wang,Jingheng He,Yueli Dong,Yu Chang

DOI: https://doi.org/10.1016/j.array.2024.100338

2024-03-01

Array

Abstract:As data privacy issues become more and more sensitive, increasing numbers of websites usually encrypt traffic when transmitting it. This method can largely protect privacy, but it also brings a huge challenge. Aiming at the problem that encrypted traffic classification makes it difficult to obtain a global optimal solution, this paper proposes an encrypted traffic identification model called the ET-BERT and 1D-CNN fusion network (BCFNet), based on multi-scale feature fusion. This method combines feature learning with classification tasks, unified into an end-to-end model. The local features of encrypted traffic extracted based on the improved Inception one-dimensional convolutional neural network structure are fused with the global features extracted by the ET-BERT model. The one-dimensional convolutional neural network is more suitable for the encrypted traffic of a one-dimensional sequence than the commonly used two-dimensional convolutional neural network. The proposed model can learn the nonlinear relationship between the input data and the expected label and obtain the global optimal solution with a greater probability. This paper verifies the ISCX VPN-nonVPN dataset and compares the results of the BCFNet model with the other five baseline models on accuracy, precision, recall, and F1 indicators. The experimental results demonstrate that the BCFNet model has a greater overall effect than the other five models. Its accuracy can reach 98.88%.

Shengbao Li,Yuchuan Huang,Tianye Gao,Lanqi Yang,Yige Chen,Quanbo Pan,Tianning Zang,Fei Chen

DOI: https://doi.org/10.1155/2023/9118153

2023-04-30

Wireless Communications and Mobile Computing

Abstract:In recent years, an increasing number of mobile platforms and applications have adopted traffic encryption protocol technology to ensure privacy and security. Existing researches on encrypted traffic identification approaches often rely on a single-modal feature pattern (such as packet sequence and statistical features), which cannot fully represent the detail information of complex traffic features, and so their predictions are susceptible to anomalies. In order to improve the effect of classification on encrypted app traffic, we propose FusionTC, a novel app traffic classification framework based on feature fusion of flow sequence. FusionTC consists of two-level subclassifiers, which are used to perform decision-level fusion of multimodal features by an upgraded stacking method. The comprehensive capture and fusion of multimodal traffic details, coupled with the refined processing and segmentation of traffic, enables FusionTC to significantly promote classification accuracy and enhance robustness in challenging situations. Based on our self-built app traffic dataset, FusionTC improves the accuracy by at least 3.2% over the state-of-the-art approaches.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chengyuan Zhang,Changqing An,Jessie Hui Wang,Ziyi Zhao,Tao Yu,Jilong Wang

DOI: https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics53846.2021.00060

2021-01-01

Abstract:Network traffic classification is the foundation of many network security services. As the widespread use of encrypted protocols makes packet payload invisible, it becomes impossible for traditional rule-based methods to classify network traffic correctly. To solve this problem, recent researches use deep learning algorithms to extract features of flows and classify the traffic data. In this paper, we propose the Self-Attention based Flow Sequence Network (SAFSN), an end-to-end encrypted traffic classification model. We employ both the elements' dependence within a single flow and the dependence between flows, which can be well combined with the self-attention mechanism. We evaluate SAFSN on a real-world dataset covering 40 apps, and the results indicate that SAFSN does well in multi-classification tasks and outperforms all the other methods. Specially SAFSN can achieve an 8.83% higher F-score and an 8.45% higher accuracy than the state-of-the-art machine learning classifier.

Zihao Wang,Vrizlynn L. L. Thing

DOI: https://doi.org/10.1016/j.cose.2023.103143

2023-04-07

Abstract:The popularity of encryption mechanisms poses a great challenge to malicious traffic detection. The reason is traditional detection techniques cannot work without the decryption of encrypted traffic. Currently, research on encrypted malicious traffic detection without decryption has focused on feature extraction and the choice of machine learning or deep learning algorithms. In this paper, we first provide an in-depth analysis of traffic features and compare different state-of-the-art traffic feature creation approaches, while proposing a novel concept for encrypted traffic feature which is specifically designed for encrypted malicious traffic analysis. In addition, we propose a framework for encrypted malicious traffic detection. The framework is a two-layer detection framework which consists of both deep learning and traditional machine learning algorithms. Through comparative experiments, it outperforms classical deep learning and traditional machine learning algorithms, such as ResNet and Random Forest. Moreover, to provide sufficient training data for the deep learning model, we also curate a dataset composed entirely of public datasets. The composed dataset is more comprehensive than using any public dataset alone. Lastly, we discuss the future directions of this research.

Cryptography and Security,Artificial Intelligence,Machine Learning

Chuanpu Fu,Qi Li,Ke Xu

DOI: https://doi.org/10.1109/tnet.2024.3370851

2024-01-01

IEEE/ACM Transactions on Networking

Abstract:Nowadays traffic on the Internet has been widely encrypted to protect its confidentiality and privacy. However, traffic encryption is always abused by attackers to conceal their malicious behaviors. Since encrypted malicious traffic is similar to benign flows, it can easily evade traditional detection. In particular, the existing encrypted traffic detection methods are supervised which rely on the prior knowledge of known attacks (e.g., labeled datasets). Detecting unknown encrypted malicious traffic, which does not require prior knowledge, is still an open problem. In this paper, we propose, an unsupervised machine learning (ML) based malicious traffic detection system. Particularly, is able to detect unknown patterns of encrypted malicious traffic by utilizing a graph built upon flow interaction patterns, instead of learning the features of specific known attacks. We develop an unsupervised graph learning method to detect abnormal interaction patterns by analyzing the graph features, which allows to detect unknown attacks without requiring any labeled datasets. Moreover, we establish an information theory model to prove the effectiveness of . We show the performance of by real-world experiments with 140 attacks. The experimental results illustrate that outperforms the state-of-the-art methods by 13.9% accuracy improvement. Moreover, achieves 15.82 Mpps detection throughput with the average detection latency of 0.29s.

telecommunications,computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Kun Yang,Lu Xu,Yang Xu,Jonathan Chao

2020-01-01

Abstract:Encrypted application classification (EAC) has become an emerging and challenging task for network monitoring and management, and statistical-based approaches are less impacted by encrypted streams. However, much effort is required from domain experts to handcraft statistical features. To solve this problem, this paper proposes an end-to-end encrypted application classification framework (E2E-EACF) based on one dimensional convolutional neural network (1D-CNN). Only encrypted payload (EncP) and inter-arrival time (IAT) are required by the framework to classify encrypted flows. Experimental results denmonstrate that E2E-EACF can achieve more than 91.00% accuracy and 0.92 F1 score (the harmonic average of precision and recall) on a public dataset (WRCCDC), better than classical machine learning algorithms (e.g., decision tree and support vector machine).