Chuanyu Zhao,Shudong Li,Xiaobo Wu,Weihong Han,Zhihong Tian,Maofei Chen

DOI: https://doi.org/10.1109/dsc53577.2021.00097

2021-01-01

Abstract:The number of malware attacks that use encrypted HTTP traffic to self-propagate or communicate has increased dramatically in recent years. Traditional network traffic detection methods for non-encrypted traffic are difficult to be applied to encrypted traffic detection. While encryption is good for protecting users' privacy, it also comes with a security risk: malicious traffic may hide in encrypted traffic, leading to a series of security problems. Since the encrypted payload cannot be directly observed and it is large, we need to combine domain knowledge and machine learning method to excavate the features hidden in malicious traffic, so as to realize automatic detection of malicious traffic. In this paper, we propose a malicious traffic detection framework based on ensemble learning using the encrypted traffic from real malware, including normal traffic generated by 3000 normal hosts and malicious traffic generated by 3000 malware-infected hosts, provided by DATACON2020 competition. Considering the complexity to decrypt traffic, we use statistical features and sequence features in both flow-level and in host-level perspectives to describe encrypted traffic. Then we build multiple classifiers according to heterogeneous features. Finally we do majority voting to get final result. We achieve 95.0% TPR and 8.4% FPR.

Fengrui Xiao,Feng Yang,Shuangwu Chen,Jian Yang

DOI: https://doi.org/10.1007/978-3-030-94029-4_1

2022-01-01

Abstract:Nowadays, network traffic detection plays a very important role in protecting cyberspace security, and more and more applications realize data privacy protection through encryption technology. Regular expression matching based methods, such as deep packet inspection that relies on plaintext traffic cannot be applied to detecting encrypted random communication content, and the existing detecting methods based on time-series features often ignore the encryption protocol features. In this work, we design an ensemble learning system based on stack algorithms to identify encrypted malicious traffic, which can detect the interactive behavior and the encryption protocols simultaneously. In detail, we construct a deep learning classifier based on Long Short-Term Memory (LSTM) for time-series features, and a machine learning classifier based on random forests for encryption protocol features. Then, we use the stacking algorithm in ensemble learning to combine them to form a new classifier. Finally, relying on the Datacon2020 dataset, extensive experiments are conducted. The experimental results indicate that the proposed method improves the detection rate of encrypted malicious traffic while keeping a low false positive rate.

Didier Frank Isingizwe,Meng Wang,Wenmao Liu,Dongsheng Wang,Tiejun Wu,Jun Li

DOI: https://doi.org/10.1109/icct52962.2021.9658106

2021-01-01

Abstract:Malware traffic classification is an essential pillar of network intrusion detection systems. The explosive growth of traffic encryption makes it infeasible to classify malware traffic with port-based or signature-based approaches. Nowadays, researchers and industrial developers turn to learning-based approaches for encrypted malware traffic classification, mining the statistical patterns of traffic behaviors. However, different machine learning models with different hyper-parameters can be used, and one can hardly explain why a learning approach works or not. To alleviate this problem, this paper conducts encrypted malware traffic classification with the automated machine learning (AutoML) approach which contains 7 representative models in the pipeline and realizes automated hyper-parameter tuning and model assembling. Experimenting on real-world encrypted malware traffic, this paper analyzes the performance of the ensemble model of AutoML and how each model performs in detail to understand its contribution. Moreover, the analysis of AutoML feature selection shows discriminant features on encrypted malware traffic especially TLS metadata related. The concrete experiments and analysis give insight to the following studies on encrypted malware traffic classification.

Peng Xiao,Ying Yan,Jian Hu,Zhenhong Zhang

DOI: https://doi.org/10.1155/2024/8725832

IF: 1.968

2024-06-02

Security and Communication Networks

Abstract:Malicious encrypted traffic detection is a critical component of network security management. Previous detection methods can be categorized into two classes as follows: one is to use the feature engineering method to construct traffic features for classification and the other is to use the end-to-end method that directly inputs the original traffic to obtain traffic features for classification. Both of the abovementioned two methods have the problem that the obtained features cannot fully characterize the traffic. To this end, this paper proposes a hierarchical multimodal deep learning model (HMMED) for malicious encrypted traffic detection. This model adopts the abovementioned two feature generation methods to learn the features of payload and header, respectively, then fuses the features to get the final traffic features, and finally inputs the final traffic features into the softmax classifier for classification. In addition, since traditional deep learning is highly dependent on the training set size and data distribution, resulting in a model that is not very generalizable and difficult to adapt to unseen encrypted traffic, the model proposed in this paper uses a large amount of unlabeled encrypted traffic in the pretraining layer to pretrain a submodel used to obtain a generic packet payload representation. The test results on the USTC-TFC2016 dataset show that the proposed model can effectively solve the problem of insufficient feature extraction of traditional detection methods and improve the ACC of malicious encrypted traffic detection.

computer science, information systems,telecommunications

Ming Liu,Qichao Yang,Wenqing Wang,Shengli Liu

DOI: https://doi.org/10.3390/s24206507

IF: 3.9

2024-10-11

Sensors

Abstract:The exponential growth of encrypted network traffic poses significant challenges for detecting malicious activities online. The scale of emerging malicious traffic is significantly smaller than that of normal traffic, and the imbalanced data distribution poses challenges for detection. However, most existing methods rely on single-category features for classification, which struggle to detect covert malicious traffic behaviors. In this paper, we introduce a novel semi-supervised approach to identify malicious traffic by leveraging multimodal traffic characteristics. By integrating the sequence and topological information inherent in the traffic, we achieve a multifaceted representation of encrypted traffic. We design two independent neural networks to learn the corresponding sequence and topological features from the traffic. This dual-feature extraction enhances the model's robustness in detecting anomalies within encrypted traffic. The model is trained using a joint strategy that minimizes both the reconstruction error from the autoencoder and the classification loss, allowing it to effectively utilize limited labeled data alongside a large amount of unlabeled data. A confidence-estimation module enhances the classifier's ability to detect unknown attacks. Finally, our method is evaluated on two benchmark datasets, UNSW-NB15 and CICIDS2017, under various scenarios, including different training set label ratios and the presence of unknown attacks. Our model outperforms other models by 3.49% and 5.69% in F1 score at labeling rates of 1% and 0.1%, respectively.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jingcai Guo,Yuanyuan Xu,Wenchao Xu,Yufeng Zhan,Yuxia Sun,Song Guo

2023-05-02

Abstract:Malware open-set recognition (MOSR) aims at jointly classifying malware samples from known families and detect the ones from novel unknown families, respectively. Existing works mostly rely on a well-trained classifier considering the predicted probabilities of each known family with a threshold-based detection to achieve the MOSR. However, our observation reveals that the feature distributions of malware samples are extremely similar to each other even between known and unknown families. Thus the obtained classifier may produce overly high probabilities of testing unknown samples toward known families and degrade the model performance. In this paper, we propose the Multi-modal Dual-Embedding Networks, dubbed MDENet, to take advantage of comprehensive malware features (i.e., malware images and malware sentences) from different modalities to enhance the diversity of malware feature space, which is more representative and discriminative for down-stream recognition. Last, to further guarantee the open-set recognition, we dually embed the fused multi-modal representation into one primary space and an associated sub-space, i.e., discriminative and exclusive spaces, with contrastive sampling and rho-bounded enclosing sphere regularizations, which resort to classification and detection, respectively. Moreover, we also enrich our previously proposed large-scaled malware dataset MAL-100 with multi-modal characteristics and contribute an improved version dubbed MAL-100+. Experimental results on the widely used malware dataset Mailing and the proposed MAL-100+ demonstrate the effectiveness of our method.

Cryptography and Security,Machine Learning

Wei Gu,Hongyan Xing,Tianhao Hou

DOI: https://doi.org/10.1049/2024/2850804

2024-02-17

IET Information Security

Abstract:The continuous malicious attacks on Internet of Things devices pose a potential threat to the economic and private information security of end-users, especially on the dominant Android devices. Combining static analysis methods with deep Learning is a promising approach to defend against that. This kind of method has two limitations: the first is that the current single-permission mechanism is not insufficient to regulate interapplication resource acquisition; another problem is that current work on feature learning is dedicated to modifying a single network structure, which may result in a suboptimal solution. In this study, to solve the abovementioned problems, we propose a novel malware detection framework MFEMDroid, which combines multitype features analysis and ensemble modeling. The Provider feature, facilitating information requests between applications (apps) and serving as an indispensable data storage method, plays a vital role in characterizing app behavior. Hence, we extract permissions and Provider features to comprehensively characterize app behavior and probe potentially dangerous combinations between or within these features. To address oversparse datasets and reduce feature learning overhead, we employ an auto-encoder for feature dimensionality reduction. Furthermore, we design an ensemble network based on SENet, ResNet, and the evolutionary convolutional neural network Squeeze Excitation Residual Network (SEResNet) to explore the hidden associations between different types of features from multiple perspectives. We performed extensive experiments to evaluate its method performance on real-world samples. The evaluation results demonstrate that the proposed framework can detect malware with an accuracy of 95.38%, which is much better than state-of-the-art solutions. These promising experimental results show that MFEMDroid is an effective approach to detect Android malware.

computer science, information systems, theory & methods

Ke Xu,Xixi Zhang,Yu Wang,Tomoaki Ohtsuki,Bamidele Adebisi,Hikmet Sari,Guan Gui

DOI: https://doi.org/10.1109/jiot.2024.3357072

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Malware traffic classification (MTC) is one of the important techniques to ensure the security of cyberspace, which aims to detect anomalies and classify different types of network traffic. Recently, MTC methods based on deep learning (DL) have shown their excellent performance. However, these DL-based methods rely on datasets with manually labeled samples for training, which are costly and hard to obtain. To address this problem, this paper proposes a novel self-supervised MTC method based on the framework of masked auto-encoder (MAE). Specifically, MAE first constructs a reasonable unsupervised pretext task with a random masking strategy, which reduces the redundant information in samples and speeds up the pre-training process. The transformer-based backbone network then efficiently extracts features from the non-redundant traffic data efficiently. The proposed MTC-MAE method employs self-supervised learning on a large-scale unlabeled dataset to acquire unbiased features, and fine-tunes on specific datasets to adapt to diverse traffic classification scenarios. Simulation experiments show that our proposed MTC-MAE method is able to learn universal features with high quality and has excellent classification performance on various downstream datasets. The datasets we used, code implementation, and pre-trained models are available on GitHub.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tangda Yu,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1109/cyberc.2019.00020

2019-01-01

Abstract:In recent years, with the widespread use of encrypted traffic communication technology, network traffic encryption has been gradually becoming a standard of communication. This phenomenon has a great impact on traditional traffic detection methods, especially on anomaly detection methods, which are highly dependent on the type of network protocol types and traffic data. By surveying the existing encrypted traffic classification and analyzing these methods, we found that there are two main methods for detection: payload-based detection and feature-based detection. On this basis, this paper puts forward an Encrypted Malicious Traffic Detection System which is based on multi-AEs(Autoencoder). We use malicious sandbox for traffic data collection, mark malicious flow and normal flow with labels. After that, we use multilayer networks of AEs for feature extraction and training classifier model. Our system analyzes the feature of cryptographic protocol from handshake phase to Authentication phase on the basis of existing research, and we extract the traffic feature for a better classification by further expanding flow feature vector to the higher dimensions. In addition, we compared the performance of our model with the traditional learning model under the same environment. The experimental results showed that our system had higher detection accuracy and lower loss rate. We also studied the influence of dataset imbalance on results in the detection of encrypted traffic by several experiments. According to the experimental evaluation, dataset imbalance will lead to the decrease of positive rate.

Jinpei Yan,Yong Qi,Qifan Rao

DOI: https://doi.org/10.1155/2018/7247095

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Malware detection plays a crucial role in computer security. Recent researches mainly use machine learning based methods heavily relying on domain knowledge for manually extracting malicious features. In this paper, we propose MalNet, a novel malware detection method that learns features automatically from the raw data. Concretely, we first generate a grayscale image from malware file, meanwhile extracting its opcode sequences with the decompilation tool IDA. Then MalNet uses CNN and LSTM networks to learn from grayscale image and opcode sequence, respectively, and takes a stacking ensemble for malware classification. We perform experiments on more than 40,000 samples including 20,650 benign files collected from online software providers and 21,736 malwares provided by Microsoft. The evaluation result shows that MalNet achieves 99.88% validation accuracy for malware detection. In addition, we also take malware family classification experiment on 9 malware families to compare MalNet with other related works, in which MalNet outperforms most of related works with 99.36% detection accuracy and achieves a considerable speed-up on detecting efficiency comparing with two state-of-the-art results on Microsoft malware dataset.

Yuxuan Chen,Rongpeng Li,Zhifeng Zhao,Honggang Zhang

2024-11-20

Abstract:We present MERLOT, a scalable mixture-of-expert (MoE) based refinement of distilled large language model optimized for encrypted traffic classification. By applying model distillation techniques in a teacher-student paradigm, compact models derived from GPT-2-base retain high classification accuracy while minimizing computational costs. These models function as specialized experts in an MoE architecture, dynamically assigned via a gating network. Unlike generation-based methods, our approach directly classifies encrypted traffic using the final decoder token with contextual feature embedding as input. Experiments on 10 datasets show superior or competitive performance over the state-of-the-art models while significantly reducing resource demands, underscoring its effectiveness and robustness.

Machine Learning,Cryptography and Security

Jinming Wang,Tao Yang,Bingjing Yan,Pengchao Yao,Wenhai Wang,Qiang Yang

DOI: https://doi.org/10.1109/EI256261.2022.10117041

2022-01-01

Abstract:With the development and advances of information and networking technologies in Cyber-physical Power systems (CPPS), the frequency of information exchange between CPPS and the external networks is significantly increasing, leading to an ever-growing risk of cyberspace threats and attacks, e.g., malware injection to the CPPS. The existing detectors against malware are mainly based on static analysis, which deals well with known malware, but cannot cope with unknown or obfuscated malware. To this end, this paper proposed a novel multi-classifier ensemble system (MCES) for malware detection based on behavioral analysis. The developed detection model of MCES is a hierarchical learning model with kernel components consisting of base classifiers and one meta classifier. The proposed solution is assessed through experiments based on in total 14800 malware and 14800 benign samples. The numerical results demonstrated that MCES outperformed existing machine learning-based classifiers in identifying malware through application program interface (API) call sequences. The proposed model achieved the highest accuracy of 97.54%, and the highest recall of 97.85% in comparison with the state-of-the-art deep learning based malware detectors.

Zhou Zhihong,Bin Hu,Li Jianhua,Yin Ying,Chen Xiuzhen,Ma Jin,Yao Lihong

DOI: https://doi.org/10.1007/s11416-022-00429-y

2022-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:As network traffic is increasingly valued for privacy protection and the encrypted SSL/TLS (Secure Sockets Layer/Transport Layer Security) traffic is surging, more and more malicious behaviors are hidden in it. Current detection methods are less accurate in detecting new and unknown malicious traffic. Although the method based on the supervised machine learning model has excellent accuracy performance, it has low detection strength and poor scalability for new and unknown malicious traffic. Therefore, this paper proposes a malicious SSL/TLS traffic detection method based on feature adaptive learning. The model can automatically learn key classification information from the unmarked malicious SSL/TLS encrypted traffic, and uses the 5-Tuple-Masking technology to optimize the input data, which greatly enhances the model's adaptation ability to new malicious traffic in complex network environments. After experimental verification, its comprehensive accuracy rate reaches 89.25%. Moreover, the supervised convolutional neural network detection method is used to compare and test the feasibility of this model in the field of malicious SSL/TLS traffic detection.

Ji Wang,Qi Jing,Jianbo Gao,Xuanwei Qiu

DOI: https://doi.org/10.1109/wcnc45663.2020.9120537

2020-01-01

Abstract:For the dramatic increase of Android malware and low efficiency of manual check process, deep learning methods started to be an auxiliary means for Android malware detection these years. However, these models are highly dependent on the quality of datasets, and perform unsatisfactory results when the quality of training data is not good enough. In the real world, the quality of datasets without manually check cannot be guaranteed, even Google Play may contain malicious applications, which will cause the trained model failure. To address the challenge, we propose a robust Android malware detection approach based on selective ensemble learning, trying to provide an effective solution not that limited to the quality of datasets. The proposed model utilizes genetic algorithm to help find the best combination of the component learners and improve robustness of the model. Our results show that the proposed approach achieves a more robust performance than other approaches in the same area.

Chen Liu,Bo Li,Jun Zhao,Ming Su,Xu-Dong Liu

DOI: https://doi.org/10.48550/arXiv.2106.12288

2021-06-24

Abstract:Detecting the newly emerging malware variants in real time is crucial for mitigating cyber risks and proactively blocking intrusions. In this paper, we propose MG-DVD, a novel detection framework based on dynamic heterogeneous graph learning, to detect malware variants in real time. Particularly, MG-DVD first models the fine-grained execution event streams of malware variants into dynamic heterogeneous graphs and investigates real-world meta-graphs between malware objects, which can effectively characterize more discriminative malicious evolutionary patterns between malware and their variants. Then, MG-DVD presents two dynamic walk-based heterogeneous graph learning methods to learn more comprehensive representations of malware variants, which significantly reduces the cost of the entire graph retraining. As a result, MG-DVD is equipped with the ability to detect malware variants in real time, and it presents better interpretability by introducing meaningful meta-graphs. Comprehensive experiments on large-scale samples prove that our proposed MG-DVD outperforms state-of-the-art methods in detecting malware variants in terms of effectiveness and efficiency.

Cryptography and Security,Machine Learning

Jingcai Guo,Han Wang,Yuanyuan Xu,Wenchao Xu,Yufeng Zhan,Yuxia Sun,Song Guo

DOI: https://doi.org/10.1109/TNNLS.2024.3373809

2024-03-21

Abstract:Malware open-set recognition (MOSR) is an emerging research domain that aims at jointly classifying malware samples from known families and detecting the ones from novel unknown families, respectively. Existing works mostly rely on a well-trained classifier considering the predicted probabilities of each known family with a threshold-based detection to achieve the MOSR. However, our observation reveals that the feature distributions of malware samples are extremely similar to each other even between known and unknown families. Thus, the obtained classifier may produce overly high probabilities of testing unknown samples toward known families and degrade the model performance. In this article, we propose the multi \ modal dual-embedding networks, dubbed MDENet, to take advantage of comprehensive malware features from different modalities to enhance the diversity of malware feature space, which is more representative and discriminative for down-stream recognition. Concretely, we first generate a malware image for each observed sample based on their numeric features using our proposed numeric encoder with a re-designed multiscale CNN structure, which can better explore their statistical and spatial correlations. Besides, we propose to organize tokenized malware features into a sentence for each sample considering its behaviors and dynamics, and utilize language models as the textual encoder to transform it into a representable and computable textual vector. Such parallel multimodal encoders can fuse the above two components to enhance the feature diversity. Last, to further guarantee the open-set recognition (OSR), we dually embed the fused multimodal representation into one primary space and an associated sub-space, i.e., discriminative and exclusive spaces, with contrastive sampling and ρ -bounded enclosing sphere regularizations, which resort to classification and detection, respectively. Moreover, we also enrich our previously proposed large-scaled malware dataset MAL-100 with multimodal characteristics and contribute an improved version dubbed MAL-100 + . Experimental results on the widely used malware dataset Mailing and the proposed MAL-100 + demonstrate the effectiveness of our method.

Chen Yang,Gang Xiong,Qing Zhang,Junzheng Shi,Gaopeng Gou,Zhen Li,Chang Liu

DOI: https://doi.org/10.1016/j.comnet.2023.109731

IF: 5.493

2023-03-29

Computer Networks

Abstract:Encrypted traffic classification requires identifying the services and programs running behind the content-invisible traffic data for improving quality of service and providing security assurance. Mainstream solutions achieve reliable performance by training on large-scale datasets. However, with the continuous emergence and development of encryption services, collecting and labeling sufficient amounts of encrypted traffic becomes impractical. Therefore, it is critical to utilize the few labeled data for accurate encrypted traffic classification. In this paper, we propose a M ulti-task R epresentation E nhanced Meta -learning model ( MetaMRE ) for few-shot encrypted traffic classification. Specifically, we design a flow discrepancy enhancement module that combines supervised learning and clustering-based unsupervised learning to boost the discrepancy of encrypted traffic representations from a few labeled data. Moreover, MetaMRE introduces a multi-task collaborative meta-learning module that makes full use of non-target task data to learn the optimal initialization parameters suitable for the encrypted traffic classification, and then only a small amount of labeled encrypted traffic is required to adapt to the target classification task. Extensive evaluations on various real-world datasets show that the MetaMRE outperforms existing state-of-the-art methods and copes well with version updates and cross-domain problems in encrypted traffic classification.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Jiangang Hou,Tong Jiang,Yanmiao Li,Hao Guo,Zhen Zhang,Zhi Liu

DOI: https://doi.org/10.1109/CCCI52664.2021.9583191

2021-10-15

Abstract:With more and more encrypted traffic such as HTTPS, encrypted traffic protects not only normal traffic, but also malicious traffic. Identification of encrypted malicious traffic without decryption has become a research hotspot. Combined with deep learning, an important branch of machine learning, encrypted malicious traffic detection has achieved good results. This paper reviews the detection of encrypted malicious traffic in recent years. Firstly, we classify encrypted malicious traffic. Secondly, we sorts out the extraction characteristics of encrypted malicious traffic, the key and difficult problems we are facing at present. Then, with encrypted malicious traffic detection technology as the main line, we summarized the current detection model from the four core aspects of data collection, data processing, model training and evaluation improvement. Finally, we analyze the problems and point out future research directions.

Computer Science

Zihao Wang,Vrizlynn L. L. Thing

DOI: https://doi.org/10.1016/j.cose.2023.103143

2023-04-07

Abstract:The popularity of encryption mechanisms poses a great challenge to malicious traffic detection. The reason is traditional detection techniques cannot work without the decryption of encrypted traffic. Currently, research on encrypted malicious traffic detection without decryption has focused on feature extraction and the choice of machine learning or deep learning algorithms. In this paper, we first provide an in-depth analysis of traffic features and compare different state-of-the-art traffic feature creation approaches, while proposing a novel concept for encrypted traffic feature which is specifically designed for encrypted malicious traffic analysis. In addition, we propose a framework for encrypted malicious traffic detection. The framework is a two-layer detection framework which consists of both deep learning and traditional machine learning algorithms. Through comparative experiments, it outperforms classical deep learning and traditional machine learning algorithms, such as ResNet and Random Forest. Moreover, to provide sufficient training data for the deep learning model, we also curate a dataset composed entirely of public datasets. The composed dataset is more comprehensive than using any public dataset alone. Lastly, we discuss the future directions of this research.

Cryptography and Security,Artificial Intelligence,Machine Learning

Zhixing Xue,Weina Niu,Xixuan Ren,Jie Li,Xiaosong Zhang,Ruidong Chen

DOI: https://doi.org/10.1088/1742-6596/2024/1/012049

2021-01-01

Journal of Physics Conference Series

Abstract:In recent years, smartphones have been developing fast. Android, a mobile platform convenient and open to all, has attracted more audience than any one of its counterpart. However, mobile devices are frequently attacked by malware, which calls to malware detection. Currently, we are lacking studies of Android malware detection based on ensemble learning. In this work, we propose a model to detect Android malware. The model takes the encrypted traffic that the malware generates as input. Through clustering, the model removes the third-party traffic and retains the purity of the first-party traffic. The model extracts traffic features to construct host-level traffic fingerprint and classifies the malware through stacking-based ensemble learning. We use the publicly available dataset CICAndMal2017 to build the classification model. This dataset successfully classifies malware into different categories. In the controlled experiments we use SVM and Random Forest models. The results show that our model is significantly more accurate in classifying malware than SVM and Random Forest models, with an accurate rate of 96.7% in the optimal condition.