Junchi Xing,Chunming Wu

DOI: https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9162940

2020-01-01

Abstract:The widely used encryption of network traffic poses a great challenge to anomaly detection. Currently, the supervised and semi-supervised solutions suffer from the problems of noisy label of data, non-stationary traffic distribution, and huge resource consumption for offline training. To address this, in this paper, we present an unsupervised, robust, and online anomaly detection method for encrypted traffic by using deep dictionary learning, called D2LAD. D2LAD offers the potential to extract sequential features from raw encrypted traffic data with the help of an LSTM-based autoencoder. Then, according to the sequential features, D2LAD is able to explore the hidden normal patterns by iterative deep dictionary learning. Eventually, D2LAD can obtain the anomaly score of raw data by calculating its relevance to the deep dictionary. We implement a prototype of D2LAD and evaluate its effectiveness and performance by experiments using realistic datasets. The experimental results show that our method achieves high accuracy and low resource usage, and outperforms the representative state-of-the-art methods in real-world settings.

Chuanyu Zhao,Shudong Li,Xiaobo Wu,Weihong Han,Zhihong Tian,Maofei Chen

DOI: https://doi.org/10.1109/dsc53577.2021.00097

2021-01-01

Abstract:The number of malware attacks that use encrypted HTTP traffic to self-propagate or communicate has increased dramatically in recent years. Traditional network traffic detection methods for non-encrypted traffic are difficult to be applied to encrypted traffic detection. While encryption is good for protecting users' privacy, it also comes with a security risk: malicious traffic may hide in encrypted traffic, leading to a series of security problems. Since the encrypted payload cannot be directly observed and it is large, we need to combine domain knowledge and machine learning method to excavate the features hidden in malicious traffic, so as to realize automatic detection of malicious traffic. In this paper, we propose a malicious traffic detection framework based on ensemble learning using the encrypted traffic from real malware, including normal traffic generated by 3000 normal hosts and malicious traffic generated by 3000 malware-infected hosts, provided by DATACON2020 competition. Considering the complexity to decrypt traffic, we use statistical features and sequence features in both flow-level and in host-level perspectives to describe encrypted traffic. Then we build multiple classifiers according to heterogeneous features. Finally we do majority voting to get final result. We achieve 95.0% TPR and 8.4% FPR.

Anish Singh Shekhawat,Fabio Di Troia,Mark Stamp

DOI: https://doi.org/10.48550/arXiv.2312.04596

2023-12-06

Abstract:In recent years there has been a dramatic increase in the number of malware attacks that use encrypted HTTP traffic for self-propagation or communication. Antivirus software and firewalls typically will not have access to encryption keys, and therefore direct detection of malicious encrypted data is unlikely to succeed. However, previous work has shown that traffic analysis can provide indications of malicious intent, even in cases where the underlying data remains encrypted. In this paper, we apply three machine learning techniques to the problem of distinguishing malicious encrypted HTTP traffic from benign encrypted traffic and obtain results comparable to previous work. We then consider the problem of feature analysis in some detail. Previous work has often relied on human expertise to determine the most useful and informative features in this problem domain. We demonstrate that such feature-related information can be obtained directly from machine learning models themselves. We argue that such a machine learning based approach to feature analysis is preferable, as it is more reliable, and we can, for example, uncover relatively unintuitive interactions between features.

Cryptography and Security,Machine Learning

Yige Chen,Tianning Zang,Yongzheng Zhang,Yuan Zhouz,Yipeng Wang,Yuan Zhou

DOI: https://doi.org/10.1109/icnp.2019.8888043

2019-10-01

Abstract:With the unprecedented prevalence of mobile network applications, cryptographic protocols, such as the Secure Socket Layer/Transport Layer Security (SSL/TLS), are widely used in mobile network applications for communication security. The proven methods for encrypted video stream classification or encrypted protocol detection are unsuitable for the SSL/TLS traffic. Consequently, application-level traffic classification based networking and security services are facing severe challenges in effectiveness. Existing encrypted traffic classification methods exhibit unsatisfying accuracy for applications with similar state characteristics. In this paper, we propose a multiple-attribute-based encrypted traffic classification system named Multi-Attribute Associated Fingerprints (MAAF). We develop MAAF based on the two key insights that the DNS traces generated during the application runtime contain classification guidance information and that the handshake certificates in the encrypted flows can provide classification clues. Apart from the exploitation of key insights, MAAF employs the context of the encrypted traffic to overcome the attribute-lacking problem during the classification. Our experimental results demonstrate that MAAF achieves 98.69% accuracy on the real-world traceset that consists of 16 applications, supports the early prediction, and is robust to the scale of the training traceset. Besides, MAAF is superior to the state-of-the-art methods in terms of both accuracy and robustness.

Haitao Zhang,Lei Luo,Yun Li,Lirong Chen,Xiaobo Wu

DOI: https://doi.org/10.1109/dsc55868.2022.00076

2022-01-01

Abstract:More and more data is transferred in encrypted ways, especially over HTTPS. As a result, network attackers often use encryption algorithms to transmit control commands to avoid detection. Malware or unidentified users may use unauthorized encrypted proxy to communicate and access malicious websites. Confirming the details of these behaviors facilitates the analysis of suspicious events, but intercepted encrypted traffic cannot be parsed. Since the payload of encrypted traffic is not observable, machine learning algorithm combined with domain knowledge is the mainstream method to detect malicious encrypted traffic. Considering the complexity of decrypting traffic, we start from host level and flow level, exploit packet length histogram, sequence features and statistical features to describe traffic. In particular, we use Word2Vec algorithm to represent packet length sequence. In experiment, we collect the encrypted traffic generated by malware communicating with multiple websites through encrypted proxy. Experiment result shows the effectiveness of our framework and achieve 96.2% Accuracy.

Kunlin Li,Baojiang Cui

DOI: https://doi.org/10.1007/978-3-030-79728-7_20

2021-06-24

Abstract:With the increasing popularity of traffic encryption protocols such as SSL/TLS, attacks based on encrypted traffic are more and more rampant, so does the need to inspect all SSL traffic. At present, the methods based on feature engineering and the methods based on deep learning and representation learning are the research hot-spots. In this paper, a new method of encrypted malicious traffic identification is proposed, which is based on deep learning and four- tuple feature. The unit of traffic identification is flow four-tuple. We extract 3 types of features which are statistical feature, handshake byte stream feature, and application data size sequence feature. We design different deep learning models to deal with various features and work together in traffic identification. We used the CTU Malware dataset to experiment. The results show that the accuracy of our method can reach 98.31%, which is better than that of other methods using four-tuple as the unit of flow identification and experimenting on the CTU Malware dataset.

Jiangang Hou,Tong Jiang,Yanmiao Li,Hao Guo,Zhen Zhang,Zhi Liu

DOI: https://doi.org/10.1109/CCCI52664.2021.9583191

2021-10-15

Abstract:With more and more encrypted traffic such as HTTPS, encrypted traffic protects not only normal traffic, but also malicious traffic. Identification of encrypted malicious traffic without decryption has become a research hotspot. Combined with deep learning, an important branch of machine learning, encrypted malicious traffic detection has achieved good results. This paper reviews the detection of encrypted malicious traffic in recent years. Firstly, we classify encrypted malicious traffic. Secondly, we sorts out the extraction characteristics of encrypted malicious traffic, the key and difficult problems we are facing at present. Then, with encrypted malicious traffic detection technology as the main line, we summarized the current detection model from the four core aspects of data collection, data processing, model training and evaluation improvement. Finally, we analyze the problems and point out future research directions.

Computer Science

Linxiao Yu,Jun Tao,Yifan Xu,Weice Sun,Zuyan Wang

DOI: https://doi.org/10.1016/j.comnet.2024.110475

IF: 5.493

2024-05-08

Computer Networks

Abstract:Recently, more and more applications have adopted security protocols like Transport Layer Security (TLS) for data encryption. However, these privacy-enhancing approaches have also been abused by the attackers to deliver malicious payloads. Many existing encrypted network classification methods suffer from the imbalanced volume of normal and malicious traffic, which leads to bad model robustness. In this paper, we propose a novel TLS fingerprinting approach to capture the characteristics of encrypted network traffic. The fingerprints are attributed graphs obtained from TLS sessions, which can simultaneously take into consideration the sequential and statistical features of these sessions. As the communication patterns of different applications differ considerably, the graphs representing TLS connections could be used to characterize the network with the help of the graph kernel method, which results in a model with high accuracy in malicious TLS session detection and application discrimination. Moreover, we adopt Locality-Sensitive Hashing (LSH) and filtering techniques to reduce the time cost of our model. Model evaluation on real-world datasets shows that our model is more robust than existing methods presented in this work when the malicious traffic takes up an extremely small portion of the whole traffic.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Ming Liu,Qichao Yang,Wenqing Wang,Shengli Liu

DOI: https://doi.org/10.3390/s24206507

IF: 3.9

2024-10-11

Sensors

Abstract:The exponential growth of encrypted network traffic poses significant challenges for detecting malicious activities online. The scale of emerging malicious traffic is significantly smaller than that of normal traffic, and the imbalanced data distribution poses challenges for detection. However, most existing methods rely on single-category features for classification, which struggle to detect covert malicious traffic behaviors. In this paper, we introduce a novel semi-supervised approach to identify malicious traffic by leveraging multimodal traffic characteristics. By integrating the sequence and topological information inherent in the traffic, we achieve a multifaceted representation of encrypted traffic. We design two independent neural networks to learn the corresponding sequence and topological features from the traffic. This dual-feature extraction enhances the model's robustness in detecting anomalies within encrypted traffic. The model is trained using a joint strategy that minimizes both the reconstruction error from the autoencoder and the classification loss, allowing it to effectively utilize limited labeled data alongside a large amount of unlabeled data. A confidence-estimation module enhances the classifier's ability to detect unknown attacks. Finally, our method is evaluated on two benchmark datasets, UNSW-NB15 and CICIDS2017, under various scenarios, including different training set label ratios and the presence of unknown attacks. Our model outperforms other models by 3.49% and 5.69% in F1 score at labeling rates of 1% and 0.1%, respectively.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

In-Su Jung,Yu-Rae Song,Lelisa Adeba Jilcha,Deuk-Hun Kim,Sun-Young Im,Shin-Woo Shim,Young-Hwan Kim,Jin Kwak

DOI: https://doi.org/10.3390/sym16060733

2024-06-13

Symmetry

Abstract:With the continuously growing requirement for encryption in network environments, web browsers are increasingly employing hypertext transfer protocol security. Despite the increase in encrypted malicious network traffic, the encryption itself limits the data accessible for analyzing such behavior. To mitigate this, several studies have examined encrypted network traffic by analyzing metadata and payload bytes. Recent studies have furthered this approach, utilizing graph neural networks to analyze the structural data patterns within malicious encrypted traffic. This study proposed an enhanced encrypted traffic analysis leveraging graph neural networks which can model the symmetric or asymmetric spatial relations between nodes in the traffic network and optimized feature dimensionality reduction. It classified malicious network traffic by leveraging key features, including the IP address, port, CipherSuite, MessageLen, and JA3 features within the transport-layer-security session data, and then analyzed the correlation between normal and malicious network traffic data. The proposed approach outperformed previous models in terms of efficiency, using fewer features while maintaining a high accuracy rate of 99.5%. This demonstrates its research value as it can classify malicious network traffic with a high accuracy based on fewer features.

multidisciplinary sciences

Chi-Kuan Chiu,Hsiao-Hsien Chang,Ching-Hao Mao,Te-En Wei

DOI: https://doi.org/10.1109/desec.2018.8625111

2018-12-01

Abstract:Malware and backdoor usually hide their malicious activities to communicate with C&C server through HTTP protocol. Various techniques for stealth are developed which directly leads security system's failure to detect hacker's activities. This paper focuses on profiling fingerprints of browsers running on different client-side host to detect anomaly among outbound HTTP traffics at behavioral and semantic level. Patterns describing fake header are also elaborately designed using graph structure and become significant features in the proposed method for the subsequent detection. Performance of proposed approach are evaluated with data from realistic environment and compare to state-of-the-art. Results show that the proposed method delivers accuracy up to 99%, also for the counterfeit fingerprint's detection it even achieve 100% recall, while the alternative approach totally failed under this scenario.

Sunghyun Yu,Yoojae Won

DOI: https://doi.org/10.3934/mbe.2023101

Abstract:Privacy protection in computer communication is gaining attention because plaintext transmission without encryption can be eavesdropped on and intercepted. Accordingly, the use of encrypted communication protocols is on the rise, along with the number of cyberattacks exploiting them. Decryption is essential for preventing attacks, but it risks privacy infringement and incurs additional costs. Network fingerprinting techniques are among the best alternatives, but existing techniques are based on information from the TCP/IP stack. They are expected to be less effective because cloud-based and software-defined networks have ambiguous boundaries, and network configurations not dependent on existing IP address schemes increase. Herein, we investigate and analyze the Transport Layer Security (TLS) fingerprinting technique, a technology that can analyze and classify encrypted traffic without decryption while addressing the problems of existing network fingerprinting techniques. Background knowledge and analysis information for each TLS fingerprinting technique is presented herein. We discuss the pros and cons of two groups of techniques, fingerprint collection and artificial intelligence (AI)-based. Regarding fingerprint collection techniques, separate discussions on handshake messages ClientHello/ServerHello, statistics of handshake state transitions, and client responses are provided. For AI-based techniques, discussions on statistical, time series, and graph techniques according to feature engineering are presented. In addition, we discuss hybrid and miscellaneous techniques that combine fingerprint collection with AI techniques. Based on these discussions, we identify the need for a step-by-step analysis and control study of cryptographic traffic to effectively use each technique and present a blueprint.

Jinfu Chen,Luo Song,Saihua Cai,Haodi Xie,Shang Yin,Bilal Ahmad

DOI: https://doi.org/10.1145/3613960

IF: 2.717

2023-08-07

ACM Transactions on Privacy and Security

Abstract:In recent years, the use of TLS (Transport Layer Security) protocol to protect communication information has become increasingly popular as users are more aware of network security. However, hackers have also exploited the salient features of the TLS protocol to carry out covert malicious attacks, which threaten the security of network space. Currently, the commonly used traffic detection methods are not always reliable when applied to the problem of encrypted malicious traffic detection due to their limitations. The most significant problem is that these methods do not focus on the key features of encrypted traffic. To address this problem, this study proposes an efficient detection model for encrypted malicious traffic based on transport layer security protocol and a multi-head self-attention mechanism called TLS-MHSA. Firstly, we extract the features of TLS traffic during pre-processing and perform traffic statistics to filter redundant features. Then, we use a multi-head self-attention mechanism to focus on learning key features as well as generate the most important combined features to construct the detection model, thereby detecting the encrypted malicious traffic. Finally, we use a public dataset to verify the effectiveness and efficiency of the TLS-MHSA model, and the experimental results show that the proposed TLS-MHSA model has high precision, recall, F1-measure, AUC-ROC as well as higher stability than seven state-of-the-art detection models.

computer science, information systems

Yueping Hong,Qi Li,Yanqing Yang,Meng Shen

DOI: https://doi.org/10.1016/j.ins.2023.119229

IF: 8.1

2023-06-02

Information Sciences

Abstract:At present, the TLS cryptographic protocol is widely deployed. While protecting the security and integrity of transmitted information, it also makes the detection of malicious behavior more difficult. In recent years, researchers have proposed many encrypted malicious traffic detection methods. However, the existing approaches have some shortcomings. Firstly, although researchers have extracted multi-view features from different aspects, which can be divided into vectorized features based on feature engineering and image features based on original data, existing methods cannot fully integrate the features of different forms of expression. Secondly, most of the existing methods do not fully analyze the correlation between different encrypted traffic. Thirdly, the existing methods based on correlation analysis have low processing efficiency and cannot be applied to real networks. In the paper, we present MalDiscovery , a novel technique to discover encrypted malicious traffic to address all the above issues. For encrypted malicious traffic, MalDiscovery constructs an attribute KNN graph, in which encrypted sessions are used as nodes to construct a KNN graph according to the similarity of image features, and vectorized features are used as attributes of corresponding nodes. After that, the GraphSAGE model is used to collect relevant node information through correlation analysis to enrich the embeddings of each node. Finally, we achieve the accurate binary classification of nodes in the graph based on richer embeddings. We use extensive experiments to evaluate the proposed method, and the experiment results show that MalDiscovery can achieve an accuracy of about 99.9%, significantly outperforming all compared methods.

computer science, information systems

Amanda Thomson,Leandros Maglaras,Naghmeh Moradpoor

2024-10-05

Abstract:Malicious domains are part of the landscape of the internet but are becoming more prevalent and more dangerous to both companies and individuals. They can be hosted on variety of technologies and serve an array of content, ranging from Malware, command and control, and complex Phishing sites that are designed to deceive and expose. Tracking, blocking and detecting such domains is complex, and very often involves complex allow or deny list management or SIEM integration with open-source TLS fingerprinting techniques. Many fingerprint techniques such as JARM and JA3 are used by threat hunters to determine domain classification, but with the increase in TLS similarity, particularly in CDNs, they are becoming less useful. The aim of this paper is to adapt and evolve open-source TLS fingerprinting techniques with increased features to enhance granularity, and to produce a similarity mapping system that enables the tracking and detection of previously unknown malicious domains. This is done by enriching TLS fingerprints with HTTP header data and producing a fine grain similarity visualisation that represented high dimensional data using MinHash and local sensitivity hashing. Influence was taken from the Chemistry domain, where the problem of high dimensional similarity in chemical fingerprints is often encountered. An enriched fingerprint was produced which was then visualised across three separate datasets. The results were analysed and evaluated, with 67 previously unknown malicious domains being detected based on their similarity to known malicious domains and nothing else. The similarity mapping technique produced demonstrates definite promise in the arena of early detection of Malware and Phishing domains.

Cryptography and Security

Chuanpu Fu,Qi Li,Ke Xu

DOI: https://doi.org/10.1109/tnet.2024.3370851

2024-01-01

IEEE/ACM Transactions on Networking

Abstract:Nowadays traffic on the Internet has been widely encrypted to protect its confidentiality and privacy. However, traffic encryption is always abused by attackers to conceal their malicious behaviors. Since encrypted malicious traffic is similar to benign flows, it can easily evade traditional detection. In particular, the existing encrypted traffic detection methods are supervised which rely on the prior knowledge of known attacks (e.g., labeled datasets). Detecting unknown encrypted malicious traffic, which does not require prior knowledge, is still an open problem. In this paper, we propose, an unsupervised machine learning (ML) based malicious traffic detection system. Particularly, is able to detect unknown patterns of encrypted malicious traffic by utilizing a graph built upon flow interaction patterns, instead of learning the features of specific known attacks. We develop an unsupervised graph learning method to detect abnormal interaction patterns by analyzing the graph features, which allows to detect unknown attacks without requiring any labeled datasets. Moreover, we establish an information theory model to prove the effectiveness of . We show the performance of by real-world experiments with 140 attacks. The experimental results illustrate that outperforms the state-of-the-art methods by 13.9% accuracy improvement. Moreover, achieves 15.82 Mpps detection throughput with the average detection latency of 0.29s.

telecommunications,computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Liangchen Chen,Shu Gao,Baoxu Liu,Zhigang Lu,Zhengwei Jiang

DOI: https://doi.org/10.1007/s11227-020-03372-1

IF: 3.3

2020-06-29

The Journal of Supercomputing

Abstract:With the rapid increase in amount of network encrypted traffic and malware samples using encryption to evade identification, detecting encrypted malicious traffic presents challenges. The quality of the encrypted traffic sampling method directly affects the result of malware detection, but most existing machine learning methods for sampling flow-based encrypted traffic data are inherently inaccurate. To solve these problems, an innovative three-stage hierarchical sampling approach based on the improved density peaks clustering algorithm (THS-IDPC) is proposed to enhance the accuracy and efficiency of encrypted malicious traffic detection model. First, we propose an improved density peaks clustering algorithm based on grid screening, custom center decision value and mutual neighbor degree (DPC-GS-MND). In DPC-GS-MND, grid screening effectively reduces the computational complexity and mutual neighbor degree improves the clustering accuracy. Then, we extract and research the three categories features of encrypted traffic data related to malicious activities, and adopt a three-layer hierarchical clustering algorithm based on DPC-GS-MND. Finally, a three-stage sampling approach based on the three-layer hierarchical clustering algorithm (THS-IDPC) is proposed to sample the encrypted traffic data for further deep detection. The experimental results demonstrated that the proposed THS-IDPC is very effective to reduce normal traffic from massive network encrypted traffic simultaneously, and the encrypted malicious traffic detection model with THS-IDPC sampling method can detect multiple encrypted malicious traffic families with higher accuracy and efficiency. Meanwhile, DPC-GS-MND and THS-IDPC have good application prospects in network intrusion detection system under the big data environment.

Jianyi Liu,Lanting Wang,Wei Hu,Yating Gao,Yaofu Cao,Bingjie Lin,Ru Zhang

DOI: https://doi.org/10.1155/2023/7117863

IF: 1.968

2023-01-08

Security and Communication Networks

Abstract:While encryption ensures the confidentiality and integrity of user data, more and more attackers try to hide attack behaviours through encryption, which brings new challenges to malicious traffic identification. How to effectively detect encrypted malicious traffic without decrypting traffic and protecting user privacy has become an urgent problem to be solved. Most of the current research only uses a single CNN, RNN, and SAE network to detect encrypted malicious traffic, which does not consider the forward and backward correlation between data packets, so it is difficult to effectively identify malicious features in encrypted traffic. This study proposes an approach that combines spatial-temporal feature with dual-attention mechanism, which is called TLARNN. Specifically, first we use 1D-CNN and BiGRU to extract spatial features in encrypted traffic packets and temporal features between encrypted streams, respectively, which enriches the features of different dimensions, and then, the soft attention mechanism is focused on the encrypted data packets to extract features. Ultimately, the second layer of the soft attention mechanism is used for aggregating malicious features. Several comparative experiments are designed to prove the effectiveness of the proposed scheme. The experimental results demonstrate that the proposed scheme has a significant performance improvement compared to existing ones.

computer science, information systems,telecommunications

Zihao Wang,Vrizlynn L. L. Thing

DOI: https://doi.org/10.1016/j.cose.2023.103143

2023-04-07

Abstract:The popularity of encryption mechanisms poses a great challenge to malicious traffic detection. The reason is traditional detection techniques cannot work without the decryption of encrypted traffic. Currently, research on encrypted malicious traffic detection without decryption has focused on feature extraction and the choice of machine learning or deep learning algorithms. In this paper, we first provide an in-depth analysis of traffic features and compare different state-of-the-art traffic feature creation approaches, while proposing a novel concept for encrypted traffic feature which is specifically designed for encrypted malicious traffic analysis. In addition, we propose a framework for encrypted malicious traffic detection. The framework is a two-layer detection framework which consists of both deep learning and traditional machine learning algorithms. Through comparative experiments, it outperforms classical deep learning and traditional machine learning algorithms, such as ResNet and Random Forest. Moreover, to provide sufficient training data for the deep learning model, we also curate a dataset composed entirely of public datasets. The composed dataset is more comprehensive than using any public dataset alone. Lastly, we discuss the future directions of this research.

Cryptography and Security,Artificial Intelligence,Machine Learning

Meng Shen,Yiting Liu,Liehuang Zhu,Xiaojiang Du,Jiankun Hu

DOI: https://doi.org/10.1109/tifs.2020.3046876

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Encrypted web traffic can reveal sensitive information of users, such as their browsing behaviors. Existing studies on encrypted traffic analysis focus on website fingerprinting. We claim that fine-grained webpage fingerprinting, which speculates specific webpages on a same website visited by a victim, allows exploiting more user private information, e.g., shopping interests in an online shopping mall. Since webpages from the same website usually have very similar traffic traces that make them indistinguishable, existing solutions may end up with low accuracy. In this paper, we propose FineWP, a novel fine-grained webpage fingerprinting method. We make an observation that the length information of packets in bidirectional client-server interactions can be distinctive features for webpage fingerprinting. The extracted features are then fed into traditional machine learning models to train classifiers, which achieve both high accuracy and low training overhead. We collect two real-world traffic datasets and construct closed- and open-world evaluations to verify the effectiveness of FineWP. The experimental results demonstrate that FineWP is superior to the state-of-the-art methods in terms of accuracy, time complexity and stability.

computer science, theory & methods,engineering, electrical & electronic