Mao Tian,Peng Chang,Yafei Sang,Yongzheng Zhang,Shuhao Li

DOI: https://doi.org/10.1109/ict.2019.8798799

2019-04-01

Abstract:The expanding volume of HTTPS traffic (both legitimate and malicious) creates even more challenges for mobile network security and management. In this work, we propose AIBMF(Application Identification Based on Multi-view Features), a fine-grained approach to classify HTTPS traffic by their application type. The key idea of AIBMF is to combine three kinds of features—payload convolution features, packet size sequence and packet content type sequence. Based on these different view features, a deep learning model (using CNN, embedding and RNN) is constructed for HTTPS traffic identification task. To evaluate the effectiveness of AIBMF, we run a comprehensive set of experiments on a real-world dataset (about 100,000+ flows), which shows that our approach achieves 96.06% accuracy and outperforms the state-of-the-art method (3.6% on F1 score).

Yige Chen,Tianning Zang,Yongzheng Zhang,Yuan Zhouz,Yipeng Wang,Yuan Zhou

DOI: https://doi.org/10.1109/icnp.2019.8888043

2019-10-01

Abstract:With the unprecedented prevalence of mobile network applications, cryptographic protocols, such as the Secure Socket Layer/Transport Layer Security (SSL/TLS), are widely used in mobile network applications for communication security. The proven methods for encrypted video stream classification or encrypted protocol detection are unsuitable for the SSL/TLS traffic. Consequently, application-level traffic classification based networking and security services are facing severe challenges in effectiveness. Existing encrypted traffic classification methods exhibit unsatisfying accuracy for applications with similar state characteristics. In this paper, we propose a multiple-attribute-based encrypted traffic classification system named Multi-Attribute Associated Fingerprints (MAAF). We develop MAAF based on the two key insights that the DNS traces generated during the application runtime contain classification guidance information and that the handshake certificates in the encrypted flows can provide classification clues. Apart from the exploitation of key insights, MAAF employs the context of the encrypted traffic to overcome the attribute-lacking problem during the classification. Our experimental results demonstrate that MAAF achieves 98.69% accuracy on the real-world traceset that consists of 16 applications, supports the early prediction, and is robust to the scale of the training traceset. Besides, MAAF is superior to the state-of-the-art methods in terms of both accuracy and robustness.

Yafei Sang,Mao Tian,Yongzheng Zhang,Peng Chang,Shuyuan Zhao

DOI: https://doi.org/10.1007/978-3-030-60248-2_33

2020-01-01

Abstract:Mobile application identification, as the fundamental technique in the field of network security and management, suffers from a critical problem, namely ‘encrypted traffic’. The proven methods for encrypted traffic identification have a major drawback, which is new come applications continue to suffer from catastrophic forgetting, a dramatic decrease in overall performance when training with new app classes added incrementally. This is due to the current model requiring the entire dataset, consisting of all the samples from the old and the new classes, to update the model. The updating requirement becomes easily unsustainable as the number of apps grows, To address the issue, we propose IncreAIBMF framework to learn deep neural networks incrementally, using new apps data and only a small exemplar set corresponding to samples from the old apps. The key idea behind IncreAIBMF is an incremental learning framework which possesses new application identification ability by incorporating the cross-distilled loss, which can not only learn the new app classes and also retain the previous knowledge corresponding to the old app classes. Our experiment results show that IncreAIBMF achieves 87.3% on Macro Precision, 87.8% on F1 Score and 88.9% on Macro Recall, respectively, on the real-world traces that consists of 50 mobile applications, supports the early prediction, and is robust to the scale of the app classes. Besides, the basic variant of IncreAIBMF, AIBMF is superior to the state-of-the-art methods in terms of identification performance.

Xin Wang,Shuhui Chen,Jinshu Su

DOI: https://doi.org/10.1109/access.2020.3029190

IF: 3.9

2020-01-01

IEEE Access

Abstract:The proliferation of handheld devices has led to an explosive growth of mobile traffic volumes on the Internet. Identifying mobile apps from network traffic has become a crucial task for mobile network management and security. Traditionally, the design of accurate identifiers relies on the deep packet inspection (DPI) techniques. However, such approaches have become less effective with the raising adoption of encrypted protocols in mobile applications (mostly TLS). To address the problem, various machine learning methods have been studied and used. Most of them use linear classifiers on top of hand-engineered features, which are unreliable due to the complexity of mobile traffic. In this article we propose App-Net, an end-to-end hybrid neural network for mobile app identification from encrypted TLS traffic. App-Net is designed by combining RNN and CNN in a parallel way and can automatically learn effective features from raw TLS flows. With coordinated fusion and optimized training, the hybrid and multimodal architecture is able to characterize both flow sequence patterns and app signatures to learn a joint flow-app embedding. We evaluate App-Net on a real-world dataset covering 80 apps. The results show that our method can achieve an excellent performance and outperform the state-of-the-art methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shahbaz Rezaei,Bryce Kroencke,Xin Liu

DOI: https://doi.org/10.1109/access.2019.2962018

IF: 3.9

2020-01-01

IEEE Access

Abstract:Many network services and tools (e.g. network monitors, malware-detection systems, routing and billing policy enforcement modules in ISPs) depend on identifying the type of traffic that passes through the network. With the widespread use of mobile devices, the vast diversity of mobile apps, and the massive adoption of encryption protocols (such as TLS), large-scale encrypted traffic classification becomes increasingly difficult. In this paper, we propose a deep learning model for mobile app identification that works even with encrypted traffic. The proposed model only needs the payload of the first few packets for classification, and, hence, it is suitable even for applications that rely on early prediction, such as routing and QoS provisioning. The deep model achieves between 84% to 98% accuracy for the identification of 80 popular apps. We also perform occlusion analysis to bring insight into what data is leaked from SSL/TLS protocol that allows accurate app identification. Moreover, our traffic analysis shows that many apps generate not only app-specific traffic, but also numerous ambiguous flows. Ambiguous flows are flows generated by common functionality modules, such as advertisement and traffic analytics. Because such flows are common among many different apps, identifying the source app that generates ambiguous flows is challenging. To address this challenge, we propose a CNN+LSTM model that uses adjacent flows to learn the order and pattern of multiple flows, to better identify the app that generates them. We show that such flow association considerably improves the accuracy, particularly for ambiguous flows. Furthermore, we show that our approach is robust to mixed traffic scenarios where some unrelated flows may appear in adjacent flows. To the best of our knowledge, this is the first work that identifies the source app for ambiguous flows.

computer science, information systems,telecommunications,engineering, electrical & electronic

Gaofeng He,Bingfeng Xu,Lu Zhang,Haiting Zhu

DOI: https://doi.org/10.1177/1550147718817292

IF: 1.938

2018-12-01

International Journal of Distributed Sensor Networks

Abstract:Mobile application (simply “app”) identification at a per-flow granularity is vital for traffic engineering, network management, and security practices. However, uncertainty is caused by a growing fraction of encrypted traffic such as Hypertext Transfer Protocol Secure. To address this challenge, we have carefully analyzed mobile app traffic (mainly including Domain Name System, Hypertext Transfer Protocol, and encrypted traffic such as Secure Sockets Layer and Transport Layer Security) and observed that (1) the sets of server hostnames queried by different apps are distinguishable; (2) mobile apps may query multiple server hostnames simultaneously, that is, apps may send several Domain Name System lookups within a short time interval; and (3) the encrypted traffic may be similar to various other network flows generated by the same app. Based on these three observations, in this article, we propose a novel app identification methodology for encrypted network flows. To be specific, temporal, lexical, and metadata similarity are investigated to select correlated traffic and information retrieving techniques are adopted to identify apps. We ran a thorough set of experiments to assess the performance of the proposed approaches. The experimental results show that the identification accuracy can be as high as 95%, and the proposed methods have low storage requirements as well as fast training speeds.

computer science, information systems,telecommunications

Kunlin Li,Baojiang Cui

DOI: https://doi.org/10.1007/978-3-030-79728-7_20

2021-06-24

Abstract:With the increasing popularity of traffic encryption protocols such as SSL/TLS, attacks based on encrypted traffic are more and more rampant, so does the need to inspect all SSL traffic. At present, the methods based on feature engineering and the methods based on deep learning and representation learning are the research hot-spots. In this paper, a new method of encrypted malicious traffic identification is proposed, which is based on deep learning and four- tuple feature. The unit of traffic identification is flow four-tuple. We extract 3 types of features which are statistical feature, handshake byte stream feature, and application data size sequence feature. We design different deep learning models to deal with various features and work together in traffic identification. We used the CTU Malware dataset to experiment. The results show that the accuracy of our method can reach 98.31%, which is better than that of other methods using four-tuple as the unit of flow identification and experimenting on the CTU Malware dataset.

Xin Wang,Shuhui Chen,Jinshu Su

DOI: https://doi.org/10.1155/2020/4707909

2020-02-19

Wireless Communications and Mobile Computing

Abstract:The proliferation of mobile devices over recent years has led to a dramatic increase in mobile traffic. Demand for enabling accurate mobile app identification is coming as it is an essential step to improve a multitude of network services: accounting, security monitoring, traffic forecasting, and quality-of-service. However, traditional traffic classification techniques do not work well for mobile traffic. Besides, multiple machine learning solutions developed in this field are severely restricted by their handcrafted features as well as unreliable datasets. In this paper, we propose a framework for real network traffic collection and labeling in a scalable way. A dedicated Android traffic capture tool is developed to build datasets with perfect ground truth. Using our established dataset, we make an empirical exploration on deep learning methods for the task of mobile app identification, which can automate the feature engineering process in an end-to-end fashion. We introduce three of the most representative deep learning models and design and evaluate our dedicated classifiers, namely, a SDAE, a 1D CNN, and a bidirectional LSTM network, respectively. In comparison with two other baseline solutions, our CNN and RNN models with raw traffic inputs are capable of achieving state-of-the-art results regardless of TLS encryption. Specifically, the 1D CNN classifier obtains the best performance with an accuracy of 91.8% and macroaverage F -measure of 90.1%. To further understand the trained model, sample-specific interpretations are performed, showing how it can automatically learn important and advanced features from the uppermost bytes of an app’s raw flows.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Jia Li,Xiaochun Yun,Mao Tian,Jiang Xie,Shuhao Li,Yongzheng Zhang,Yu Zhou

DOI: https://doi.org/10.1109/WCNC.2019.8885817

2019-01-01

Abstract:Aiming at solving the problem of HTTP malicious traffic detection on mobile networks, we propose a method of HMTD(HTTP Malicious Traffic Detection) based on the spatio-temporal sequence characteristics of traffic data. The traditional malicious traffic detection methods are relatively simple and mainly biased towards misuse detection or abnormal detection and probably suffer from a high false positive rate or false negative rate, so they are difficult to adapt to the current rapid development of the Internet. HMTD uses neural networks for malicious traffic identification, and extracts features from malicious and normal HTTP traffic, which can produce excellent detection results. HMTD utilizes CNN to extract the packet spatial characteristics in the traffic, and utilizes LSTM to extract the temporal characteristics between the packets in the traffic. The experimental results demonstrate that the proposed method can achieve an accuracy of more than 99.4% in the actual network environment and has excellent performance in terms of Precision and Recall.

Hong Huang,Xingxing Zhang,Ye Lu,Ze Li,Shaohua Zhou

DOI: https://doi.org/10.32604/cmc.2024.047918

2024-01-01

Abstract:While encryption technology safeguards the security of network communications, malicious traffic also uses encryption protocols to obscure its malicious behavior. To address the issues of traditional machine learning methods relying on expert experience and the insufficient representation capabilities of existing deep learning methods for encrypted malicious traffic, we propose an encrypted malicious traffic classification method that integrates global semantic features with local spatiotemporal features, called BERT-based Spatio-Temporal Features Network (BSTFNet). At the packet-level granularity, the model captures the global semantic features of packets through the attention mechanism of the Bidirectional Encoder Representations from Transformers (BERT) model. At the byte-level granularity, we initially employ the Bidirectional Gated Recurrent Unit (BiGRU) model to extract temporal features from bytes, followed by the utilization of the Text Convolutional Neural Network (TextCNN) model with multi-sized convolution kernels to extract local multi-receptive field spatial features. The fusion of features from both granularities serves as the ultimate multidimensional representation of malicious traffic. Our approach achieves accuracy and F1-score of 99.39% and 99.40%, respectively, on the publicly available USTC-TFC2016 dataset, and effectively reduces sample confusion within the Neris and Virut categories. The experimental results demonstrate that our method has outstanding representation and classification capabilities for encrypted malicious traffic.

computer science, information systems,materials science, multidisciplinary

Ming Liu,Qichao Yang,Wenqing Wang,Shengli Liu

DOI: https://doi.org/10.3390/s24206507

IF: 3.9

2024-10-11

Sensors

Abstract:The exponential growth of encrypted network traffic poses significant challenges for detecting malicious activities online. The scale of emerging malicious traffic is significantly smaller than that of normal traffic, and the imbalanced data distribution poses challenges for detection. However, most existing methods rely on single-category features for classification, which struggle to detect covert malicious traffic behaviors. In this paper, we introduce a novel semi-supervised approach to identify malicious traffic by leveraging multimodal traffic characteristics. By integrating the sequence and topological information inherent in the traffic, we achieve a multifaceted representation of encrypted traffic. We design two independent neural networks to learn the corresponding sequence and topological features from the traffic. This dual-feature extraction enhances the model's robustness in detecting anomalies within encrypted traffic. The model is trained using a joint strategy that minimizes both the reconstruction error from the autoencoder and the classification loss, allowing it to effectively utilize limited labeled data alongside a large amount of unlabeled data. A confidence-estimation module enhances the classifier's ability to detect unknown attacks. Finally, our method is evaluated on two benchmark datasets, UNSW-NB15 and CICIDS2017, under various scenarios, including different training set label ratios and the presence of unknown attacks. Our model outperforms other models by 3.49% and 5.69% in F1 score at labeling rates of 1% and 0.1%, respectively.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Peng Zhu,Gang Wang,Jingheng He,Yueli Dong,Yu Chang

DOI: https://doi.org/10.1016/j.array.2024.100338

2024-03-01

Array

Abstract:As data privacy issues become more and more sensitive, increasing numbers of websites usually encrypt traffic when transmitting it. This method can largely protect privacy, but it also brings a huge challenge. Aiming at the problem that encrypted traffic classification makes it difficult to obtain a global optimal solution, this paper proposes an encrypted traffic identification model called the ET-BERT and 1D-CNN fusion network (BCFNet), based on multi-scale feature fusion. This method combines feature learning with classification tasks, unified into an end-to-end model. The local features of encrypted traffic extracted based on the improved Inception one-dimensional convolutional neural network structure are fused with the global features extracted by the ET-BERT model. The one-dimensional convolutional neural network is more suitable for the encrypted traffic of a one-dimensional sequence than the commonly used two-dimensional convolutional neural network. The proposed model can learn the nonlinear relationship between the input data and the expected label and obtain the global optimal solution with a greater probability. This paper verifies the ISCX VPN-nonVPN dataset and compares the results of the BCFNet model with the other five baseline models on accuracy, precision, recall, and F1 indicators. The experimental results demonstrate that the BCFNet model has a greater overall effect than the other five models. Its accuracy can reach 98.88%.

Shengbao Li,Yuchuan Huang,Tianye Gao,Lanqi Yang,Yige Chen,Quanbo Pan,Tianning Zang,Fei Chen

DOI: https://doi.org/10.1155/2023/9118153

2023-04-30

Wireless Communications and Mobile Computing

Abstract:In recent years, an increasing number of mobile platforms and applications have adopted traffic encryption protocol technology to ensure privacy and security. Existing researches on encrypted traffic identification approaches often rely on a single-modal feature pattern (such as packet sequence and statistical features), which cannot fully represent the detail information of complex traffic features, and so their predictions are susceptible to anomalies. In order to improve the effect of classification on encrypted app traffic, we propose FusionTC, a novel app traffic classification framework based on feature fusion of flow sequence. FusionTC consists of two-level subclassifiers, which are used to perform decision-level fusion of multimodal features by an upgraded stacking method. The comprehensive capture and fusion of multimodal traffic details, coupled with the refined processing and segmentation of traffic, enables FusionTC to significantly promote classification accuracy and enhance robustness in challenging situations. Based on our self-built app traffic dataset, FusionTC improves the accuracy by at least 3.2% over the state-of-the-art approaches.

computer science, information systems,telecommunications,engineering, electrical & electronic

Guang-Lu Sun,Yibo Xue,Yingfei Dong,Dongsheng Wang,Chenglong Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5683649

2010-01-01

Abstract:Classifying encrypted traffic is critical to effective network analysis and management. While traditional payload- based methods are powerless to deal with encrypted traffic, machine learning methods have been proposed to address this issue. However, these methods often bring heavy overhead into the system. In this paper, we propose a hybrid method that combines signature-based methods and statistical analysis methods to address this issue. We first identify SSL/TLS traffic with signature matching methods, and then apply statistical analysis to determine concrete application protocols. Our experimental results show that the proposed method is able to recognize over 99% of SSL/TLS traffic and achieve 94.52% in F-score for protocols identification.

Jianxi Chen,Jiahao Huang,Xinghua Lu

DOI: https://doi.org/10.1109/ICSP54964.2022.9778340

2022-04-15

Abstract:By converting network traffic into images and using convolutional network prediction methods, the accuracy of malicious network traffic can be effectively improved. As TLS traffic encryption is used in more and more network applications, while protecting security and privacy, network attackers can achieve the purpose of evading detection by encrypting malicious traffic. The traditional method of using a firewall and anti-virus software to decrypt the encryption key to access the encrypted data is not only inefficient and destroys the original purpose of encryption to protect privacy, but also when the key cannot be decrypted, the traditional method The decryption capability of the traditional method is insufficient. In this paper, we propose a method to transform network traffic into network fingerprint images without decrypting the encrypted data, and then feed the images into a convolutional neural network for prediction to achieve the classification of malicious traffic. The experimental results show that the method of identifying network fingerprint images by using CNN has high accuracy and prediction capability.

Computer Science

Tangda Yu,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1109/cyberc.2019.00020

2019-01-01

Abstract:In recent years, with the widespread use of encrypted traffic communication technology, network traffic encryption has been gradually becoming a standard of communication. This phenomenon has a great impact on traditional traffic detection methods, especially on anomaly detection methods, which are highly dependent on the type of network protocol types and traffic data. By surveying the existing encrypted traffic classification and analyzing these methods, we found that there are two main methods for detection: payload-based detection and feature-based detection. On this basis, this paper puts forward an Encrypted Malicious Traffic Detection System which is based on multi-AEs(Autoencoder). We use malicious sandbox for traffic data collection, mark malicious flow and normal flow with labels. After that, we use multilayer networks of AEs for feature extraction and training classifier model. Our system analyzes the feature of cryptographic protocol from handshake phase to Authentication phase on the basis of existing research, and we extract the traffic feature for a better classification by further expanding flow feature vector to the higher dimensions. In addition, we compared the performance of our model with the traditional learning model under the same environment. The experimental results showed that our system had higher detection accuracy and lower loss rate. We also studied the influence of dataset imbalance on results in the detection of encrypted traffic by several experiments. According to the experimental evaluation, dataset imbalance will lead to the decrease of positive rate.

Zhiyuan Li,Xiaoping Xu

DOI: https://doi.org/10.1016/j.comnet.2024.110298

IF: 5.493

2024-03-02

Computer Networks

Abstract:Identifying various types of Internet applications is a key issue for network management. Traffic classification is one of the important technologies for identifying Internet applications traffic. However, some secure technologies such as protocol encryption, information hiding, and traffic obfuscation pose new challenges to traffic identification and classification, especially in feature extraction. In addition, multi-classification has always been a difficult problem in traffic classification research. This paper proposes a spatio-temporal features fusion-based multi-classification model, named as L2-BiTCN-CNN. Our approach combines bidirectional temporal convolutional network (TCN) and convolutional neural network (CNN) to create an enhanced model. The L2-BiTCN model utilizes a bidirectional approach to learn both forward and backward sequence features of traffic, with a focus on the hierarchical structure of network traffic known as "byte-packet-session flow". To fully extract timing characteristics between adjacent bytes and packets, this model incorporates attention mechanisms for both "byte hierarchy" and "packet hierarchy". Filters of various sizes are utilizes in the CNN stage to capture packet features of different ranges. The spatial features of the packets are then obtained through two convolution and average pooling processes. The results of the experiments provide evidence of the effectiveness and superiority of our approach. Our model achieved an impressive overall accuracy of 99.839% and 97.186% in two public available datasets, namely USTC-TFC2016 and ISCX VPN-nonVPN2016, respectively. It outperforms the state-of-the-art models in terms of classification performance, which suggests that the model has the potential to be a valuable tool in various applications that require high accuracy.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Wenxiong Chen,Feng Lyu,Fan Wu,Peng Yang,Guangtao Xue,Minglu Li

DOI: https://doi.org/10.1109/tvt.2021.3063738

IF: 6.8

2021-01-01

IEEE Transactions on Vehicular Technology

Abstract:Classifying Internet traffic is critical to many network management tasks, including malicious attack detection, usage monitoring, load balancing, etc. As current traffic packets are often transmitted with encryption, at randomized port numbers, and under highly dynamic network conditions, traditional approaches such as port mapping, deep packet inspection, and statistical analysis are no longer effective. In this paper, we first collect extensive traffic flows at the exit router of a university and label them into various source applications. After extracting the message (consisting of multiple consecutive TCP packets) sequence for all collected traffic flows, we find that each application type has distinct sequential message features. By leveraging the message sequential feature, we develop a system, named SMC (Sequential Message Characterization), which can perform online traffic classification with the sequential size information of a few message segments. In SMC, after confirming the long-term dependency among message segments, we create a Long Short-Term Memory (LSTM) neural network to conduct deep learning on message size sequence, and then build a multi-classifier to classify traffic types based on the probability profiles output by deep LSTM models. Extensive experiments are conducted and results demonstrate that the proposed SMC can achieve 97% of classification accuracy on average. Meanwhile, with as few as 6 pieces of message size information as input, SMC enables early online traffic classification especially for heavy-traffic flows with over 35 message segments in median.