Yi-Chuan Wang,Bin-Bin Bai,Xin-Hong Hei,Ju Ren,Wen-Jiang Ji

DOI: https://doi.org/10.6688/jise.202007_36(4).0005

2020-01-01

Journal of information science and engineering

Abstract:In recent years, unscrupulous hacker attacks have led to the information leakage of enterprise and individual network users, which makes the network security issue unprecedented concerned. Botnet and dark network, which use C & C channel of unknown protocol format to communicate, are the important parts. With the development of wireless mobile networks technology, this problem becomes more prominent. Classifying and identifying the unknown protocol features can help us to judge and predict the unknown attack behavior in the Internet of things environment, so as to protect the network security. Firstly, this paper compares the protocol features to be detected with the existing protocol features in the feature base through the vectorization operation of protocol features, selects the feature set with high recognition rate, and judges the similarity between protocols. The extracted composite features are digitized to generate 0-1 matrix, then Principal Component Analysis (PCA) dimension reduction is processed, and finally clustering analysis is carried out. A Clique to Protocol Feature Vectorization (CPFV) algorithm is designed to improve the efficiency of protocol clustering and finally generate a new protocol format. The experimental results show that compared with the traditional Clique and BIRCH algorithms, the proposed optimization algorithm improves the accuracy by 20% and the stability by 15%. It can cluster and identify unknown protocols accurately and quickly.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Stephan Kleber,Milan Stute,Matthias Hollick,Frank Kargl

DOI: https://doi.org/10.1109/DSN-W54100.2022.00023

2022-11-08

Abstract:Reverse engineering of unknown network protocols based on recorded traffic traces enables security analyses and debugging of undocumented network services. In particular for binary protocols, existing approaches (1) lack comprehensive methods to classify or determine the data type of a discovered segment in a message, e.,g., a number, timestamp, or network address, that would allow for a semantic interpretation and (2) have strong assumptions that prevent analysis of lower-layer protocols often found in IoT or mobile systems. In this paper, we propose the first generic method for analyzing unknown messages from binary protocols to reveal the data types in message fields. To this end, we split messages into segments of bytes and use their vector interpretation to calculate similarities. These can be used to create clusters of segments with the same type and, moreover, to recognize specific data types based on the clusters' characteristics. Our extensive evaluation shows that our method provides precise classification in most cases and a data-type-recognition precision of up to 100% at reasonable recall, improving the state-of-the-art by a factor between 1.3 and 3.7 in realistic scenarios. We open-source our implementation to facilitate follow-up works.

Cryptography and Security,Networking and Internet Architecture

Haiyang Liu,Linghang Meng,Yuantao Gu

DOI: https://doi.org/10.1109/iceict55736.2022.9909347

2022-01-01

Abstract:In recent years, with the rapid development of Internet communication and satellite communication, and other fields, the number of network protocol types has gradually increased, which contains a large number of private protocols or unknown protocols, which makes the network management and maintenance work increasingly heavy and very difficult. To address this problem, we proposed a classification method of unknown protocols. By preprocessing, feature extraction, and clustering method based on hyperparametric optimization scheme, two classes of classifiers are constructed to classify and identify the unknown protocol data to meet the actual business requirements. The experimental results show that the improved optimization method has a 4.6% increase in the mean probability of obtaining the global optimal solution compared with the traditional optimization method, and the proposed method can effectively identify and classify the protocols.

Jiantao Shi,Xiangzhan Yu,Zechao Liu

DOI: https://doi.org/10.1155/2021/6672911

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:In recent years, with the rapid development of mobile Internet and 5G technology, great changes have been brought to our lives, and human beings have stepped into the era of big data. These new features and techniques in 5G support many different types of mobile applications for users, which makes network security extremely challenging. Among them, more and more applications involve users' private data, such as location information, financial information, and biological information. In order to prevent users' privacy disclosure, most applications choose to use private protocols. However, such private protocols also provide a means for malware and malicious applications to steal users' privacy and confidential data. From a more secure point of view, we need to provide a way for users to know how many private protocols are running on their mobile phones and distinguish which are authorized applications and which are not. Therefore, the analysis and identification of private protocols have become a hot topic in current research. How to extract the characteristics of network protocol effectively and identify the private protocol accurately becomes the most important part of this research. In this paper, we combine genetic algorithm and association rule algorithm and then propose a set of feature extraction algorithm and protocol recognition algorithm for unknown protocols. The experimental analysis based on the actual data shows that these methods can effectively solve the problems of feature extraction and recognition for unknown protocols and can greatly improve the accuracy of private protocol recognition.

Yipeng Wang,Xiaochun Yun,Yongzheng Zhang

DOI: https://doi.org/10.1109/icnp.2015.43

2015-01-01

Abstract:Protocol traffic analysis is important for a variety of networking and security infrastructures, such as intrusion detection and prevention systems, network management systems, and protocol specification parsers. In this paper, we propose ProHacker, a nonparametric approach that extracts robust and accurate protocol keywords from network traces and effectively identifies the protocol trace from mixed Internet traffic. ProHacker is based on the key insight that the n-grams of protocol traces have highly predictable statistical nature that can be effectively captured by statistical language models and leveraged for robust and accurate protocol identification. In ProHacker, we first extract protocol keywords using a nonparametric Bayesian statistical model, and then use the corresponding protocol keywords to classify protocol traces by a semi-supervised learning algorithm. We implement and evaluate ProHacker on real-world traces, including SMTP, FTP, PPLive, SopCast, and PPStream, and our experimental results show that ProHacker can accurately identify the protocol trace with an average precision of about 99.42% and an average recall of about 98.64%. We also compare the results of ProHacker to two state-of-the-art approaches ProWord and Securitas using backbone traffic. We show that ProHacker provides significant improvements on precision and recall for online protocol identification.

Yipeng Wang,Xiaochun Yun,Yongzheng Zhang,Liwei Chen,Tianning Zang

DOI: https://doi.org/10.1016/j.comnet.2017.09.006

IF: 5.493

2017-01-01

Computer Networks

Abstract:Protocol traffic analysis is a fundamental problem regarding a variety of networking and security applications, such as intrusion detection and prevention systems, network management systems, and protocol specification parsers. In this paper, we propose ProHacker, a nonparametric approach that extracts robust and accurate protocol keywords from the byte sequences generated by an application protocol, and effectively identifies the protocol trace from mixed Internet traffic. ProHacker is based on the key insight that the n-grams of protocol traces have highly predictable statistical nature that can be effectively captured by statistical language models and be leveraged for robust and accurate protocol identification. In ProHacker, we first extract protocol keywords using a nonparametric Bayesian statistical model, and then use the corresponding protocol keywords to classify protocol traces by a semi-supervised learning algorithm. We implement and evaluate ProHacker on real-world traces, and our experimental results show that ProHacker can accurately identify the protocol trace with an average precision of about 99.4% and an average recall of about 99.28%. We compare the results of ProHacker to one state-of-the-art approach, ProWord, and one our previous work, Securitas, using backbone traffic. We note that ProHacker provides significant improvements on precision and recall for online protocol identification.

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Zhun Zhang,Qihe Liu,Shilin Qiu,Shijie Zhou,Cheng Zhang

DOI: https://doi.org/10.1109/access.2020.3033494

IF: 3.9

2020-01-01

IEEE Access

Abstract:In recent years, due to the frequent occurrence of network intrusions, more and more researchers have begun to focus on network intrusion detection. However, it is still a challenge to detect unknown attacks. Currently, there are two main methods of unknown attack detection: clustering and honeypot. But they still have unsolved problems such as difficulty in collecting unknown attack samples and failure to detect on time. Zero-Shot learning is proposed to deal with the problem in this article, which can recognize unknown attacks by learning the mapping relations between feature space and semantic space (such as attribute space). When the semantic descriptions of all attacks (including known and unknown attacks) are provided, the classifier built by Zero-Shot learning can extract common semantic information among all attacks and construct connections between known and unknown attacks. The classifier then utilizes the connections to classify unknown attacks although there are no samples for unknown attacks. In this article, we first propose to use Zero-Shot learning to overcome the challenge of unknown attack detection and illustrate the feasibility of this method. Secondly, we then propose a novel method of Zero-Shot learning based on sparse autoencoder for unknown attack detection. This method maps the feature of known attacks to the semantic space, and restores the semantic space to the feature space by constrains of reconstruction error, and establishes the feature to semantic mapping, which is used to detect unknown attacks. Verification tests have been carried out by using the public dataset NSL-KDD. From the experiments conducted in this work, the results show that the average accuracy reaches 88.3% which performs better than other methods.

Yuluo Hou,Yusheng Fu,Jinhong Guo,Jie Xu,Renting Liu,Xin Xiang

DOI: https://doi.org/10.1007/s12652-022-04350-6

IF: 3.662

2022-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:In recent years, deep learning techniques have been widely applied to network intrusion detection. However, current detection methods suffer from a low detection rate, rendering them useless in fighting unknown attacks. Thus, in this article, we proposed a hybrid detection system based on deep learning techniques. First, to understand comprehensively the pattern of normal network traffic and anomaly detection, a designed nonsymmetric autoencoder (NAE) is proposed. The NAE extracts the latent feature of network traffic with two different convolution neural networks and multiple linear layers are applied to the NAE’s decoder to reconstruct the input. Besides, a latent feature extraction scheme using the NAE encoder is proposed and a deep neural network (DNN) is trained with this latent feature to achieve detection. In addition, in order to strengthen system stability, a hybrid scheme is proposed that considers the detection results of NAE and DNN, and makes the comprehensive decision. Experiments are performed on the NSL-KDD, N-baIoT and BoT-IoT datasets respectively to evaluate the proposed hybrid model. The evaluation is carried out through classification evaluation indexes such as accuracy, precision, recall, F1-score. The results have shown that our proposed hybrid model gets the best detection ability of abnormal traffic compared with several state-of-the-art intrusion detection methods.

Chunfeng Luo,Yuantao Gu

DOI: https://doi.org/10.1109/iceict55736.2022.9908998

2022-01-01

Abstract:In non-cooperative mode, the analysis of network traffic data lacks corresponding prior knowledge, and conventional protocol analysis methods cannot be applied to the analysis of unknown protocols. This paper proposes a method for identifying unknown protocol frame structure based on trie and sequential feature analysis. A Trie is used for frequent sequence storage and is pruned and merged according to confidence and entropy. Finally we show the protocol frame hierarchy through sequential feature analysis and state transition diagram. The results on the public test data show that for frame structure recognition without prior knowledge, the algorithm can correctly identify the lower-level protocol stack structure, and has a higher performance under the condition of ensuring a higher accuracy rate.

Tianxiang Yu,Yang Xin,Yuexin Tao,Bingqing Hou,Hongliang Zhu

DOI: https://doi.org/10.1155/2022/2924479

IF: 1.968

2022-10-08

Security and Communication Networks

Abstract:Network communication protocol reverse engineering is useful for network security, including protocol fuzz testing, botnet command infiltration, and service script generation. Many models have been proposed to generate field boundary, field semantic, state machine, and some other format information from network trace and program execution for text-based protocol and hybrid protocols. However, how to extract format information from network trace data for binary-based protocol still remains a challenging issue. Existing network-trace-based models focus on text-based and hybrid protocols, using tokenization and some other heuristic rules, like field identification, to perform reverse engineering, which makes it hard to apply to binary-based protocol. In this paper, we propose a whole mechanism for binary-based protocol reverse engineering based on auto-encoder models and other clustering algorithms using only network trace data. After evaluation, we set some metrics and compare our model with existing other models, showing its necessity to the field of protocol reverse engineering.

computer science, information systems,telecommunications

Siyuan Pan,Yijun Wang,Zhi Xue,Xiang Lin

DOI: https://doi.org/10.3969/j.issn.1000-386x.2018.04.058

2018-01-01

Abstract:With the increasing demand for network security,the requirements for the analysis of remote control Trojan in APT attacks are also constantly increasing.Correspondingly,various methods and tools for analyzing unknown network protocols appear.In this paper,we introduced several existing methods of unknown network protocol reverse,and draw on the advantages of the existing methods.An improved method based on message data Tokenization,multiple sequence alignment and agglomerative hierarchical clustering for APT Trojan network protocol is proposed.

WANG Yi-peng,YUN Xiao-chun,ZHANG Yong-zheng,LI Shu-hao

DOI: https://doi.org/10.3969/j.issn.1000-436x.2013.10.016

2013-01-01

Abstract:Obtaining qualified training data for protocol identification generally requires domain experts to be involved, which is time-consuming and laborious. A novel approach for network protocol identification based on active learning and SVM algorithm was proposed. The experimental evaluations on real-world network traces show this approach can accurately and efficiently classify the target network protocol from mixed Internet traffic, and meanwhile display a sig-nificant reduction in the number of labeled samples. Therefore, this approach can be employed as an auxiliary tool for analyzing unknown protocols in real-world environment.

Tangda Yu,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1109/cyberc.2019.00020

2019-01-01

Abstract:In recent years, with the widespread use of encrypted traffic communication technology, network traffic encryption has been gradually becoming a standard of communication. This phenomenon has a great impact on traditional traffic detection methods, especially on anomaly detection methods, which are highly dependent on the type of network protocol types and traffic data. By surveying the existing encrypted traffic classification and analyzing these methods, we found that there are two main methods for detection: payload-based detection and feature-based detection. On this basis, this paper puts forward an Encrypted Malicious Traffic Detection System which is based on multi-AEs(Autoencoder). We use malicious sandbox for traffic data collection, mark malicious flow and normal flow with labels. After that, we use multilayer networks of AEs for feature extraction and training classifier model. Our system analyzes the feature of cryptographic protocol from handshake phase to Authentication phase on the basis of existing research, and we extract the traffic feature for a better classification by further expanding flow feature vector to the higher dimensions. In addition, we compared the performance of our model with the traditional learning model under the same environment. The experimental results showed that our system had higher detection accuracy and lower loss rate. We also studied the influence of dataset imbalance on results in the detection of encrypted traffic by several experiments. According to the experimental evaluation, dataset imbalance will lead to the decrease of positive rate.

Rui Li,Xi Xiao,Shiguang Ni,Hai-Tao Zheng,Shu‐Tao Xia

DOI: https://doi.org/10.1109/iwqos.2018.8624128

2018-01-01

Abstract:Network traffic classification, which can map network traffic to protocols in the application layer, is a fundamental technique for network management and security issues such as Quality of Service, network measurement, and network monitoring. Recent researchers focus on extracting features for traditional machine learning methods from flows or datagrams of the specific protocol. However, as the rapid growth of network applications, previous works cannot handle complex novel protocols well. In this paper, we introduce the recurrent neural network to network traffic classification and design a novel neural network, the Byte Segment Neural Network (BSNN). BSNN treats network datagrams as input and gives the classification results directly. In BSNN, a datagram is firstly broken into serval byte segments. Then, these segments are fed to encoders which are based on the recurrent neural network. The information extracted by encoders is combined to a representation vector of the whole datagram. Finally, we apply the softmax function to use this vector for predicting the application protocol of this datagram. There are several key advantages of BSNN: 1) no need for prior knowledge of target applications; 2) can handle both connection-oriented protocols and connection-less protocols; 3) supports multi-classification for protocols; 4) shows outstanding accuracy in both traditional protocols and complex novel protocols. Our thorough experiments on real-world data with different protocols indicate that BSNN gains average F1-measure about 95.82% in multi-classification for five protocols including QQ, PPLive, DNS, 360 and BitTorrent. And it also shows excellent performance for detection of novel protocols. Furthermore, compared with two recent state-of-the-art works, BSNN has superiority over the traditional machine learning-based method and the packet inspection method.

Jihyo Kim,Jiin Koo,Sangheum Hwang

DOI: https://doi.org/10.1016/j.eswa.2023.120461

2023-08-01

Abstract:Deep neural networks have achieved outstanding performance over various tasks, but they have a critical issue: over-confident predictions even for completely unknown samples. Many studies have been proposed to successfully filter out these unknown samples, but they only considered narrow and specific tasks, referred to as misclassification detection, open-set recognition, or out-of-distribution detection. In this work, we argue that these tasks should be treated as fundamentally an identical problem because an ideal model should possess detection capability for all those tasks. Therefore, we introduce the unknown detection task, an integration of previous individual tasks, for a rigorous examination of the detection capability of deep neural networks on a wide spectrum of unknown samples. To this end, unified benchmark datasets on different scales were constructed and the unknown detection capabilities of existing popular methods were subject to comparison. We found that Deep Ensemble consistently outperforms the other approaches in detecting unknowns; however, all methods are only successful for a specific type of unknown. The reproducible code and benchmark datasets are available at <a class="link-external link-https" href="https://github.com/daintlab/unknown-detection-benchmarks" rel="external noopener nofollow">this https URL</a> .

Computer Vision and Pattern Recognition,Machine Learning

Junhai Yang,Fenghua Li,Yixuan Zhang,Junhao Zhang,Liang Fang,Yunchuan Guo

2024-12-04

Abstract:Protocol Reverse Engineering (PRE) is used to analyze protocols by inferring their structure and behavior. However, current PRE methods mainly focus on field identification within a single protocol and neglect Protocol State Machine (PSM) analysis in mixed protocol environments. This results in insufficient analysis of protocols' abnormal behavior and potential vulnerabilities, which are crucial for detecting and defending against new attack patterns. To address these challenges, we propose an automatic PSM inference framework for unknown protocols, including a fuzzy membership-based auto-converging DBSCAN algorithm for protocol format clustering, followed by a session clustering algorithm based on Needleman-Wunsch and K-Medoids algorithms to classify sessions by protocol type. Finally, we refine a probabilistic PSM algorithm to infer protocol states and the transition conditions between these states. Experimental results show that, compared with existing PRE techniques, our method can infer PSMs while enabling more precise classification of protocols.

Cryptography and Security

Yipeng Wang,Xiaochun Yun,M. Zubair Shafiq,Liyan Wang,Alex X. Liu,Zhibin Zhang,Danfeng (Daphne) Yao,Yongzheng Zhang,Li Guo

DOI: https://doi.org/10.1109/icnp.2012.6459963

2012-01-01

Abstract:Extracting the protocol message format specifications of unknown applications from network traces is important for a variety of applications such as application protocol parsing, vulnerability discovery, and system integration. In this paper, we propose ProDecoder, a network trace based protocol message format inference system that exploits the semantics of protocol messages without the executable code of application protocols. ProDecoder is based on the key insight that the n-grams of protocol traces exhibit highly skewed frequency distribution that can be leveraged for accurate protocol message format inference. In ProDecoder, we first discover the latent relationship among n-grams by first grouping protocol messages with the same semantics and then inferring message formats by keyword based clustering and cluster sequence alignment. We implemented and evaluated ProDecoder to infer message format specifications of SMB (a binary protocol) and SMTP (a textual protocol). Our experimental results show that ProDecoder accurately parses and infers SMB protocol with 100% precision and recall. For SMTP, ProDecoder achieves approximately 95% precision and recall.

Xiong Tang,Zichi Wang,Xinpeng Zhang

DOI: https://doi.org/10.3390/sym15051079

2023-01-01

Abstract:Deep neural networks have achieved remarkable success in various fields of artificial intelligence. However, these models, which contain a large number of parameters, are widely distributed and disseminated by researchers, engineers, and even unauthorized users. Except for intelligent tasks, typically overparameterized deep neural networks have become new digital covers for data hiding, which may pose significant security challenges to AI systems. To address this issue, this paper proposes a symmetric steganalysis scheme specifically designed for neural networks trained for image classification tasks. The proposed method focuses on detecting the presence of additional data without access to the internal structure or parameters of the host network. It employs a well-designed method based on histogram distribution to find the optimal decision threshold, with a symmetric determining rule where the original networks and stego networks undergo two highly symmetrical flows to generate the classification labels; the method has been shown to be practical and effective. SVM and ensemble classifiers were chosen as the binary classifier for their applicability to feature vectors output from neural networks based on different datasets and network structures. This scheme is the first of its kind, focusing on steganalysis for neural networks based on the distribution of network output, compared to conventional digital media such as images, audio, and video. Overall, the proposed scheme offers a promising approach to enhancing the security of deep neural networks against data hiding attacks.