Pengcheng Luo,Jian Chu,Genke Yang

DOI: https://doi.org/10.1016/j.jisa.2023.103519

IF: 4.96

2023-01-01

Journal of Information Security and Applications

Abstract:As the importance of personal data privacy increases, traffic encryption has become an important topic in network communication. In the field of network security and management, the development of encrypted traffic classification technology has drawn attention to deep learning methods. For raw encrypted traffic, deep learning models can realize end-to-end classification with high accuracy. However, deep learning methods do not explain which part of the encrypted traffic is critical to classification, and that will limit their application in some cyber security scenarios that demand high interpretability. The approach proposed in this paper features a novel feature engineering method named "BITization"to determine the encoding method of features and a sliding window technique to explore which bytes contribute the most to the classification. The accuracy of classical machine learning methods in encrypted traffic is improved by at least 14.1% through the proposed feature engineering approach. In the experiments, the enhanced methods achieve a 98.6% average accuracy and a 98.5% average F1-score on the ISCX-VPN-Service, Cross-Platform-IOS, Cross-Platform-Android, and USTC-TFC2016 datasets, from which we believe a state-of-the-art performance is achieved.

Haitao Zhang,Lei Luo,Yun Li,Lirong Chen,Xiaobo Wu

DOI: https://doi.org/10.1109/dsc55868.2022.00076

2022-01-01

Abstract:More and more data is transferred in encrypted ways, especially over HTTPS. As a result, network attackers often use encryption algorithms to transmit control commands to avoid detection. Malware or unidentified users may use unauthorized encrypted proxy to communicate and access malicious websites. Confirming the details of these behaviors facilitates the analysis of suspicious events, but intercepted encrypted traffic cannot be parsed. Since the payload of encrypted traffic is not observable, machine learning algorithm combined with domain knowledge is the mainstream method to detect malicious encrypted traffic. Considering the complexity of decrypting traffic, we start from host level and flow level, exploit packet length histogram, sequence features and statistical features to describe traffic. In particular, we use Word2Vec algorithm to represent packet length sequence. In experiment, we collect the encrypted traffic generated by malware communicating with multiple websites through encrypted proxy. Experiment result shows the effectiveness of our framework and achieve 96.2% Accuracy.

Guang-Lu Sun,Yibo Xue,Yingfei Dong,Dongsheng Wang,Chenglong Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5683649

2010-01-01

Abstract:Classifying encrypted traffic is critical to effective network analysis and management. While traditional payload- based methods are powerless to deal with encrypted traffic, machine learning methods have been proposed to address this issue. However, these methods often bring heavy overhead into the system. In this paper, we propose a hybrid method that combines signature-based methods and statistical analysis methods to address this issue. We first identify SSL/TLS traffic with signature matching methods, and then apply statistical analysis to determine concrete application protocols. Our experimental results show that the proposed method is able to recognize over 99% of SSL/TLS traffic and achieve 94.52% in F-score for protocols identification.

VishnuPriya. A,Hiran Kumar Singh,SivaChaitanyaPrasad. M,JaiSivaSai. G

DOI: https://doi.org/10.1080/23335777.2021.1924284

2021-05-24

Abstract:<span>Tor is an anonymous browser software running on an overlay network. Due to the nature of the end-to-end encryption channel, it is hard to analyse the network traffic. Thus, intruders prefer the Tor browser to hide their identity and access the offensive content. Tor relays are secure from network monitoring, tracking and surveillance. There are so many research contributions for tracking the network traffic and classifying it based on various features and attributes. In this paper, we explained RNN-LSTM-based deep learning model to classify the network traffic based on their nature Tor/non-Tor. We have tested the model with open data sets ISCXTor2016 data sets and samples retrieved in our environment using CIC-flowmeter-4.0. The binary classification model using RNN-LSTM classifies the network traffic with better accuracy and precision. The same experiment conducted in the traditional deep neural network model provides large false positives and false negatives. Here we also present a detailed study and analysis of the model compare with ANN classifiers and genetic-based feature selection method.</span>

Meng Shen,Jinpeng Zhang,Siqi Chen,Yiting Liu,Liehuang Zhu

DOI: https://doi.org/10.1109/globecom38437.2019.9013272

2019-01-01

Abstract:Encrypted traffic classification plays an important role in network management. In this paper, we take as an example of the web browsing application, and propose a machine learning classification scheme, Bali, that can identify the encrypted traffic from various websites. We employ packet length statistics as discriminative features of encrypted traffic. In order to further investigate the differences among encrypted traffic from various websites, we develop a clustering method based on an observation that the first outgoing and incoming packets with specific flags from the same website have similar features. The above two techniques can be incorporated into typical machine learning models (e.g., random forests, SVM, kNN) for traffic classification. Experiment results using real-world datasets demonstrate that the proposed method outperforms the state-of-the-art methods.

Jia Lingyu,Liu Yang,Wang Bailing,Liu Hongri,Xin Guodong

DOI: https://doi.org/10.1109/iccsn.2017.8230113

2017-01-01

Abstract:Tor is an anonymous communication system that can protect our privacy, but it also provides a haven for criminals to avoid network tracing. Therefore, anonymous traffic analysis and classification is an important part of maintaining network security. Existing Tor traffic classification methods require a large number of labeled data, and the classification accuracy rate is not satisfied for practical using. This paper presents a hierarchical classification approach for Tor anonymous traffic. An improved decision tree algorithm (Tor-IDT) is used to identify the Tor anonymous traffic from the mixed traffic, and then the Tri-Training algorithm is used to segment the identified anonymous traffic at the application level. Experiments show that the recognition rate of Tor anonymous traffic is more than 99%, the accuracy of classification can reach 94%, and less labeled data is needed, which proves that this hierarchical classification algorithm has wider applicability and higher classification accuracy.

Ishan Karunanayake,Mashael AlSabah,Nadeem Ahmed,Sanjay Jha

2024-09-25

Abstract:Despite being the most popular privacy-enhancing network, Tor is increasingly adopted by cybercriminals to obfuscate malicious traffic, hindering the identification of malware-related communications between compromised devices and Command and Control (C&C) servers. This malicious traffic can induce congestion and reduce Tor's performance, while encouraging network administrators to block Tor traffic. Recent research, however, demonstrates the potential for accurately classifying captured Tor traffic as malicious or benign. While existing efforts have addressed malware class identification, their performance remains limited, with micro-average precision and recall values around 70%. Accurately classifying specific malware classes is crucial for effective attack prevention and mitigation. Furthermore, understanding the unique patterns and attack vectors employed by different malware classes helps the development of robust and adaptable defence mechanisms. We utilise a multi-label classification technique based on Message-Passing Neural Networks, demonstrating its superiority over previous approaches such as Binary Relevance, Classifier Chains, and Label Powerset, by achieving micro-average precision (MAP) and recall (MAR) exceeding 90%. Compared to previous work, we significantly improve performance by 19.98%, 10.15%, and 59.21% in MAP, MAR, and Hamming Loss, respectively. Next, we employ Explainable Artificial Intelligence (XAI) techniques to interpret the decision-making process within these models. Finally, we assess the robustness of all techniques by crafting adversarial perturbations capable of manipulating classifier predictions and generating false positives and negatives.

Cryptography and Security,Machine Learning

Meng Shen,Mingwei Wei,Liehuang Zhu,Mingzhong Wang

DOI: https://doi.org/10.1109/tifs.2017.2692682

IF: 7.231

2017-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With a profusion of network applications, traffic classification plays a crucial role in network management and policy-based security control. The widely used encryption transmission protocols, such as the secure socket layer/transport layer security (SSL/TLS) protocols, lead to the failure of traditional payload-based classification methods. Existing methods for encrypted traffic classification cannot achieve high discrimination accuracy for applications with similar fingerprints. In this paper, we propose an attribute-aware encrypted traffic classification method based on the second-order Markov Chains. We start by exploring approaches that can further improve the performance of existing methods in terms of discrimination accuracy, and make promising observations that the application attribute bigram, which consists of the certificate packet length and the first application data size in SSL/TLS sessions, contributes to application discrimination. To increase the diversity of application fingerprints, we develop a new method by incorporating the attribute bigrams into the second-order homogeneous Markov chains. Extensive evaluation results show that the proposed method can improve the classification accuracy by 29% on the average compared with the state-of-the-art Markov-based method.

Ibrahim A. Alwhbi,Cliff C. Zou,Reem N. Alharbi

DOI: https://doi.org/10.3390/s24113509

IF: 3.9

2024-05-31

Sensors

Abstract:Encryption is a fundamental security measure to safeguard data during transmission to ensure confidentiality while at the same time posing a great challenge for traditional packet and traffic inspection. In response to the proliferation of diverse network traffic patterns from Internet-of-Things devices, websites, and mobile applications, understanding and classifying encrypted traffic are crucial for network administrators, cybersecurity professionals, and policy enforcement entities. This paper presents a comprehensive survey of recent advancements in machine-learning-driven encrypted traffic analysis and classification. The primary goals of our survey are two-fold: First, we present the overall procedure and provide a detailed explanation of utilizing machine learning in analyzing and classifying encrypted network traffic. Second, we review state-of-the-art techniques and methodologies in traffic analysis. Our aim is to provide insights into current practices and future directions in encrypted traffic analysis and classification, especially machine-learning-based analysis.

engineering, electrical & electronic,instruments & instrumentation,chemistry, analytical

Gaofeng He,Ming Yang,Junzhou Luo,Xiaodan Gu

DOI: https://doi.org/10.1002/cpe.3593

2015-01-01

Abstract:Summary Tor is a famous anonymous communication system for preserving users' online privacy. It supports TCP applications and packs upper‐layer application data into encrypted equal‐sized cells with onion routing to hide private information of users. However, we note that the current Tor design cannot conceal certain application behaviors. For example, P2P applications usually upload and download files simultaneously, and this behavioral feature is also kept in Tor traffic. Motivated by this observation, we investigate a new attack against Tor, application classification attack, which can recognize application types from Tor traffic. An attacker first carefully selects some flow features such as burst volumes and directions to represent the application behaviors and takes advantage of some efficient machine‐learning algorithm (e.g., Profile Hidden Markov Model) to model different types of applications. Then he or she can use these established models to classify target's Tor traffic and infer its application type. We have implemented the application classification attack on Tor using parallel computing, and our experiments validate the feasibility and effectiveness of the attack. We argue that the disclosure of application type information is a serious threat to Tor users' anonymity because it can be used to reduce the anonymity set and facilitate other attacks. We also present guidelines to defend against application classification attack. Copyright © 2015 John Wiley & Sons, Ltd.

Mohammad Lotfollahi,Ramin Shirali Hossein Zade,Mahdi Jafari Siavoshani,Mohammdsadegh Saberian

DOI: https://doi.org/10.48550/arXiv.1709.02656

2018-07-04

Abstract:Internet traffic classification has become more important with rapid growth of current Internet network and online applications. There have been numerous studies on this topic which have led to many different approaches. Most of these approaches use predefined features extracted by an expert in order to classify network traffic. In contrast, in this study, we propose a \emph{deep learning} based approach which integrates both feature extraction and classification phases into one system. Our proposed scheme, called "Deep Packet," can handle both \emph{traffic characterization} in which the network traffic is categorized into major classes (\eg, FTP and P2P) and application identification in which end-user applications (\eg, BitTorrent and Skype) identification is desired. Contrary to most of the current methods, Deep Packet can identify encrypted traffic and also distinguishes between VPN and non-VPN network traffic. After an initial pre-processing phase on data, packets are fed into Deep Packet framework that embeds stacked autoencoder and convolution neural network in order to classify network traffic. Deep packet with CNN as its classification model achieved recall of $0.98$ in application identification task and $0.94$ in traffic categorization task. To the best of our knowledge, Deep Packet outperforms all of the proposed classification methods on UNB ISCX VPN-nonVPN dataset.

Machine Learning,Cryptography and Security,Networking and Internet Architecture

Pitpimon Choorod,Tobias J. Bauer,Andreas Aßmuth

2024-05-15

Abstract:For journalists reporting from a totalitarian regime, whistleblowers and resistance fighters, the anonymous use of cloud services on the Internet can be vital for survival. The Tor network provides a free and widely used anonymization service for everyone. However, there are different approaches to distinguishing Tor from non-Tor encrypted network traffic, most recently only due to the (relative) frequencies of hex digits in a single encrypted payload packet. While conventional data traffic is usually encrypted once, but at least three times in the case of Tor due to the structure and principle of the Tor network, we have examined to what extent the number of encryptions contributes to being able to distinguish Tor from non-Tor encrypted data traffic.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Yu Wang,Yang Xiang,Shunzheng Yu

DOI: https://doi.org/10.1109/cse.2011.58

2011-01-01

Abstract:Due to the increasing unreliability of traditional port-based methods, Internet traffic classification has attracted a lot of research efforts in recent years. Quite a lot of previous papers have focused on using statistical characteristics as discriminators and applying machine learning techniques to classify the traffic flows. In this paper, we propose a novel machine learning based approach where the features are extracted from packet payload instead of flow statistics. Specifically, every flow is represented by a feature vector, in which each item indicates the occurrence of a particular token, i.e., a common substring, in the payload. We have applied various machine learning algorithms to evaluate the idea and used different feature selection schemes to identify the critical tokens. Experimental result based on a real-world traffic data set shows that the approach can achieve high accuracy with low overhead.

Hongyu Liu,Bo Lang

DOI: https://doi.org/10.1109/lcn52139.2021.9525009

2021-01-01

Abstract:At present, private protocols are widely used on the Internet. As a result, traditional traffic classification methods including port-based and DPI methods have become restricted. Existing machine learning-based methods depend on feature engineering, which makes feature design difficult. In addition, classification models can only classify data as predefined categories, which restricts the models when they are used to detect unknown protocol traffic. To address the above problems, we propose a two-stage traffic classification method combining a CNN model and a density-based clustering algorithm, which can classify known protocol traffic and detect arbitrary kinds of unknown protocol traffic simultaneously. We conducted sufficient experiments on the Information Security Centre of Excellence (ISCX) VPN-nonVPN and Defense Advanced Research Projects Agency (DARPA) 1998 datasets, and the accuracies on the test sets containing known and unknown protocol traffic achieved 97.03% and 98.50%, respectively, which are superior to other studies.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Tangda Yu,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1109/cyberc.2019.00020

2019-01-01

Abstract:In recent years, with the widespread use of encrypted traffic communication technology, network traffic encryption has been gradually becoming a standard of communication. This phenomenon has a great impact on traditional traffic detection methods, especially on anomaly detection methods, which are highly dependent on the type of network protocol types and traffic data. By surveying the existing encrypted traffic classification and analyzing these methods, we found that there are two main methods for detection: payload-based detection and feature-based detection. On this basis, this paper puts forward an Encrypted Malicious Traffic Detection System which is based on multi-AEs(Autoencoder). We use malicious sandbox for traffic data collection, mark malicious flow and normal flow with labels. After that, we use multilayer networks of AEs for feature extraction and training classifier model. Our system analyzes the feature of cryptographic protocol from handshake phase to Authentication phase on the basis of existing research, and we extract the traffic feature for a better classification by further expanding flow feature vector to the higher dimensions. In addition, we compared the performance of our model with the traditional learning model under the same environment. The experimental results showed that our system had higher detection accuracy and lower loss rate. We also studied the influence of dataset imbalance on results in the detection of encrypted traffic by several experiments. According to the experimental evaluation, dataset imbalance will lead to the decrease of positive rate.

Meng Shen,Mingwei Wei,Liehuang Zhu,Mingzhong Wang,Fuliang Li

DOI: https://doi.org/10.1109/iwqos.2016.7590451

2016-01-01

Abstract:With the prosperity of network applications, traffic classification serves as a crucial role in network management and malicious attack detection. The widely used encryption transmission protocols, such as the Secure Socket Layer/Transport Layer Security (SSL/TLS) protocols, leads to the failure of traditional payload-based classification methods. Existing methods for encrypted traffic classification suffer from low accuracy. In this paper, we propose a certificate-aware encrypted traffic classification method based on the Second-Order Markov Chain. We start by exploring reasons why existing methods not perform well, and make a novel observation that certificate packet length in SSL/TLS sessions contributes to application discrimination. To increase the diversity of application fingerprints, we develop a new model by incorporating the certificate packet length clustering into the Second-Order homogeneous Markov chains. Extensive evaluation results show that the proposed method lead to a 30% improvement on average compared with the state-of-the-art method, in terms of classification accuracy.

Shi-Jie Xu,Guang-Gang Geng,Xiao-Bo Jin,Dong-Jie Liu,Jian Weng

DOI: https://doi.org/10.1109/tifs.2022.3179955

IF: 7.231

2022-06-22

IEEE Transactions on Information Forensics and Security

Abstract:Although many network traffic protection methods have been developed to protect user privacy, encrypted traffic can still reveal sensitive user information with sophisticated analysis. In this paper, we propose ETC-PS, a novel encrypted traffic classification method with path signature. We first construct the traffic path with a session packet length sequence to represent the interactions between the client and the server. Then, path transformations are conducted to exhibit its structure and obtain different information. A multiscale path signature is finally computed as a kind of distinctive feature to train the traditional machine learning classifier, which achieves highly robust accuracy and low training overhead. Six publicly available datasets with different traffic types of HTTPS/1, HTTPS/2, QUIC, VPN, non-VPN, Tor, and non-Tor are used to conduct closed-world and open-world evaluations to verify the effectiveness of ETC-PS. The experimental results demonstrate that ETC-PS is superior to the state-of-the-art methods in terms of accuracy, score, time complexity, and stability.

computer science, theory & methods,engineering, electrical & electronic

Anish Singh Shekhawat,Fabio Di Troia,Mark Stamp

DOI: https://doi.org/10.48550/arXiv.2312.04596

2023-12-06

Abstract:In recent years there has been a dramatic increase in the number of malware attacks that use encrypted HTTP traffic for self-propagation or communication. Antivirus software and firewalls typically will not have access to encryption keys, and therefore direct detection of malicious encrypted data is unlikely to succeed. However, previous work has shown that traffic analysis can provide indications of malicious intent, even in cases where the underlying data remains encrypted. In this paper, we apply three machine learning techniques to the problem of distinguishing malicious encrypted HTTP traffic from benign encrypted traffic and obtain results comparable to previous work. We then consider the problem of feature analysis in some detail. Previous work has often relied on human expertise to determine the most useful and informative features in this problem domain. We demonstrate that such feature-related information can be obtained directly from machine learning models themselves. We argue that such a machine learning based approach to feature analysis is preferable, as it is more reliable, and we can, for example, uncover relatively unintuitive interactions between features.

Cryptography and Security,Machine Learning