195 results on "encrypted traffic"
Search Results
2. L-GraphSAGE: A Graph Neural Network-Based Approach for IoV Application Encrypted Traffic Identification.
- Author: Zhang, Shihe, Chen, Ruidong, Chen, Jingxue, Zhu, Yukun, Hua, Manyuan, Yuan, Jiaying, and Xu, Fenghua
- Subjects: GRAPH neural networks, COMPUTER network traffic, IN-vehicle entertainment equipment, GENERALIZATION, SECURITY systems
- Abstract:
Recently, with a crucial role in developing smart transportation systems, the Internet of Vehicles (IoV), with all kinds of in-vehicle devices, has undergone significant advancement for autonomous driving, in-vehicle infotainment, etc. With the development of these IoV devices, the complexity and volume of in-vehicle data flows within information communication have increased dramatically. To adapt these changes to secure and smart transportation, encrypted communication realization, real-time decision-making, traffic management enhancement, and overall transportation efficiency improvement are essential. However, the security of a traffic system under encrypted communication is still inadequate, as attackers can identify in-vehicle devices through fingerprinting attacks, causing potential privacy breaches. Nevertheless, existing IoV traffic application models for encrypted traffic identification are weak and often exhibit poor generalization in some dynamic scenarios, where route switching and TCP congestion occur frequently. In this paper, we propose LineGraph-GraphSAGE (L-GraphSAGE), a graph neural network (GNN) model designed to improve the generalization ability of the IoV application of traffic identification in these dynamic scenarios. L-GraphSAGE utilizes node features, including text attributes, node context information, and node degree, to learn hyperparameters that can be transferred to unknown nodes. Our model demonstrates promising results in both UNSW Sydney public datasets and real-world environments. In public IoV datasets, we achieve an accuracy of 94.23%(↑0.23%). Furthermore, our model achieves an F1 change rate of 0.20%(↑96.92%) in α train, β infer, and 0.60%(↑75.00%) in β train, α infer when evaluated on a dataset consisting of five classes of data collected from real-world environments. These results highlight the effectiveness of our proposed approach in enhancing IoV application identification in dynamic network scenarios. 
[ABSTRACT FROM AUTHOR]
- Published: 2024
- Full Text: View/download PDF
3. STC-BERT (Satellite Traffic Classification-BERT): A Traffic Classification Model for Low-Earth-Orbit Satellite Internet Systems.
- Author: Liu, Kexuan, Zhang, Yasheng, and Lu, Shan
- Subjects: NETWORK performance, QUALITY of service, CONTEXTUAL learning, INTERNET, GENERALIZATION
- Abstract:
The low-Earth-orbit satellite internet supports the transmission of multiple business types. With increasing business volume and advancements in encryption technology, the quality of service faces challenges. Traditional models lack flexibility in optimizing network performance and ensuring service quality, particularly showing poor performance in identifying encrypted traffic. Therefore, designing a model that can accurately identify multiple business scenarios as well as encrypted traffic with strong generalization capabilities is a challenging issue to resolve. In this paper, addressing the characteristics of diverse low-Earth-orbit satellite traffic and encryption, the authors propose STC-BERT (satellite traffic classification-BERT). During the pretraining phase, this model learns contextual relationships of large-scale unlabeled traffic data, while in the fine-tuning phase, it utilizes a semantic-enhancement algorithm to highlight the significance of key tokens. Post semantic enhancement, a satellite traffic feature fusion module is introduced to integrate tokens into specific low-dimensional scales and achieve final classification in fully connected layers. The experimental results demonstrate our approach's outstanding performance compared to other models: achieving 99.31% (0.2%↑) in the USTC-TFC task, 99.49% in the ISCX-VPN task, 98.44% (0.9%↑) in the Cross-Platform task, and 98.19% (0.8%↑) in the CSTNET-TLS1.3 task. [ABSTRACT FROM AUTHOR]
- Published: 2024
- Full Text: View/download PDF
4. Anomaly Detection in Imbalanced Encrypted Traffic with Few Packet Metadata-Based Feature Extraction.
- Author: Kim, Min-Gyu and Kim, Hwankuk
- Subjects: ARTIFICIAL intelligence, RECEIVER operating characteristic curves, ANOMALY detection (Computer security), VIRTUAL private networks, ENCRYPTION protocols
- Abstract:
In the IoT (Internet of Things) domain, the increased use of encryption protocols such as SSL/TLS, VPN (Virtual Private Network), and Tor has led to a rise in attacks leveraging encrypted traffic. While research on anomaly detection using AI (Artificial Intelligence) is actively progressing, the encrypted nature of the data poses challenges for labeling, resulting in data imbalance and biased feature extraction toward specific nodes. This study proposes a reconstruction error-based anomaly detection method using an autoencoder (AE) that utilizes packet metadata excluding specific node information. The proposed method omits biased packet metadata such as IP and Port and trains the detection model using only normal data, leveraging a small amount of packet metadata. This makes it well-suited for direct application in IoT environments due to its low resource consumption. In experiments comparing feature extraction methods for AE-based anomaly detection, we found that using flow-based features significantly improves accuracy, precision, F1 score, and AUC (Area Under the Receiver Operating Characteristic Curve) score compared to packet-based features. Additionally, for flow-based features, the proposed method showed a 30.17% increase in F1 score and improved false positive rates compared to Isolation Forest and OneClassSVM. Furthermore, the proposed method demonstrated a 32.43% higher AUC when using packet features and a 111.39% higher AUC when using flow features, compared to previously proposed oversampling methods. This study highlights the impact of feature extraction methods on attack detection in imbalanced, encrypted traffic environments and emphasizes that the one-class method using AE is more effective for attack detection and reducing false positives compared to traditional oversampling methods. [ABSTRACT FROM AUTHOR]
- Published: 2024
- Full Text: View/download PDF
5. Encrypted traffic identification scheme based on sliding window and randomness features
- Author: Jiachi LIU, Boyu KUANG, Mang SU, Yaqian XU, Anmin FU
- Subjects: encrypted traffic, compressed traffic, random feature, sliding sampling, Electronic computers. Computer science, QA75.5-76.95
- Abstract:
With the development of information technology, network security has increasingly become a focal point for users and organizations, and encrypted data transmission has gradually become mainstream. This trend has driven the proportion of encrypted traffic on the Internet to rise continuously. However, data encryption, while ensuring privacy and security, has also become a means for illegal content to evade network supervision. To achieve the detection and analysis of encrypted traffic, it has become necessary to efficiently identify encrypted traffic. However, the presence of compressed traffic has significantly interfered with the identification of encrypted traffic. To address this issue, an encrypted traffic identification scheme based on sliding windows and randomness features was designed to efficiently and accurately identify encrypted traffic. Specifically, the scheme involved sampling the payloads of data packets in sessions using a sliding window mechanism to obtain data block sequences that reflect the information patterns of the original traffic. For each data block, randomness measurement algorithms were utilized to extract sample features and construct randomness features for the original payload. Additionally, a decision tree model based on the CART algorithm was designed, which significantly improved the accuracy of identifying encrypted and compressed traffic and greatly reduced the false negative rate for encrypted traffic identification. A balanced dataset was constructed by randomly sampling data from several authoritative websites, and experiments demonstrated the feasibility and efficiency of the proposed scheme.
- Published: 2024
- Full Text: View/download PDF
6. ITC-Net-blend-60: a comprehensive dataset for robust network traffic classification in diverse environments
- Author: Marziyeh Bayat, Javad Garshasbi, Mozhgan Mehdizadeh, Neda Nozari, Abolghasem Rezaei Khesal, Maryam Dokhaei, and Mehdi Teimouri
- Subjects: Network traffic analysis, Traffic classification, Application identification, Mobile-app fingerprinting, Encrypted traffic, Android applications, Medicine, Biology (General), QH301-705.5, Science (General), Q1-390
- Abstract:
Objectives: Recognition of mobile applications within encrypted network traffic holds considerable effects across multiple domains, encompassing network administration, security, and digital marketing. The creation of network traffic classifiers capable of adjusting to dynamic and unforeseeable real-world settings presents a tremendous challenge. Presently available datasets exclusively encompass traffic data obtained from a singular network environment, thereby restricting their utility in evaluating the robustness and compatibility of a given model. Data description: This dataset was gathered from 60 popular Android applications in five different network scenarios, with the intention of overcoming the limitations of previous datasets. The scenarios were the same in the applications set but differed in terms of Internet service provider (ISP), geographic location, device, application version, and individual users. The traffic was generated through real human interactions on physical devices for 3–15 min. The method used to capture the traffic did not require root privileges on mobile phones and filtered out any background traffic. In total, the collected dataset comprises over 48 million packets, 450K bidirectional flows, and 36 GB of data.
- Published: 2024
- Full Text: View/download PDF
7. Encrypted traffic identification scheme based on sliding window and randomness features (基于滑动窗口和随机性特征的加密流量识别方案).
- Author: 刘家池, 况博裕, 苏铓, 许亚倩, and 付安民
- Published: 2024
- Full Text: View/download PDF
8. Streaming traffic classification: a hybrid deep learning and big data approach.
- Author: Seydali, Mehdi, Khunjush, Farshad, and Dogani, Javad
- Subjects: COMPUTER network traffic, TRAFFIC patterns, TRAFFIC congestion, TRAFFIC speed, DATA encryption, DEEP learning
- Abstract:
Massive amounts of real-time streaming network data are generated quickly because of the exponential growth of applications. Analyzing patterns in generated flow traffic streaming offers benefits in reducing traffic congestion, enhancing network management, and improving the quality of service management. Processing massive volumes of generated traffic poses more challenges when data traffic encryption is raised. Classifying encrypted network traffic in real-time with deep learning networks has received attention because of their excellent performance. The substantial volume of incoming packets, characterized by high speed and wide variety, puts real-time traffic classification within the domain of big data problems. Classifying traffic with high speed and accuracy is a significant challenge in the era of big data. The real-time nature of traffic intensifies deep learning networks, necessitating a considerable number of parameters, layers, and resources for optimal network training. Until now, various datasets have been employed to evaluate the effectiveness of previous methods for classifying encrypted traffic. The primary objective has been to enhance accuracy, precision, and F1-measure. Presently, encrypted traffic classification performance depends on pre-existing datasets. The learning and testing phases are done offline, and more research is needed to investigate the feasibility of these methods in real-world scenarios. This paper examines the possibility of a tradeoff between evaluating the model's effectiveness, execution time, and utilization of processing resources when processing stream-based input data for traffic classification. We aim to explore the feasibility of establishing a tradeoff between these factors and determining optimal parameter settings. This paper used the ISCX VPN-Non VPN 2016 public dataset to evaluate the proposed method. All packets from the dataset were streamed continuously through Apache Kafka to the classification framework. 
Numerous experiments have been designed to demonstrate the efficacy of the proposed method. The experimental results show that the proposed method outperforms the baseline methods by 11% in the F1-measure when the number of workers is two and by 25% when the number of workers is equal to 32. [ABSTRACT FROM AUTHOR]
- Published: 2024
- Full Text: View/download PDF
9. Classified VPN Network Traffic Flow Using Time Related to Artificial Neural Network.
- Author: Mohamed, Saad Abdalla Agaili and Kurnaz, Sefer
- Subjects: ARTIFICIAL neural networks, COMPUTER network traffic, COMPUTER network security, TRAFFIC flow, FEATURE extraction, VIRTUAL private networks
- Abstract:
VPNs are vital for safeguarding communication routes in the continually changing cybersecurity world. However, increasing network attack complexity and variety require increasingly advanced algorithms to recognize and categorize VPN network data. We present a novel VPN network traffic flow classification method utilizing Artificial Neural Networks (ANN). This paper aims to provide a reliable system that can identify a virtual private network (VPN) traffic from intrusion attempts, data exfiltration, and denial-of-service assaults. We compile a broad dataset of labeled VPN traffic flows from various apps and usage patterns. Next, we create an ANN architecture that can handle encrypted communication and distinguish benign from dangerous actions. To effectively process and categorize encrypted packets, the neural network model has input, hidden, and output layers. We use advanced feature extraction approaches to improve the ANN's classification accuracy by leveraging network traffic's statistical and behavioral properties. We also use cutting-edge optimization methods to optimize network characteristics and performance. The suggested ANN-based categorization method is extensively tested and analyzed. Results show the model effectively classifies VPN traffic types. We also show that our ANN-based technique outperforms other approaches in precision, recall, and F1-score with 98.79% accuracy. This study improves VPN security and protects against new cyberthreats. Classifying VPN traffic flows effectively helps enterprises protect sensitive data, maintain network integrity, and respond quickly to security problems. This study advances network security and lays the groundwork for ANN-based cybersecurity solutions. [ABSTRACT FROM AUTHOR]
- Published: 2024
- Full Text: View/download PDF
10. Encrypted malware detection methodology without decryption using deep learning-based approaches.
- Author: Singh, Abhay Pratap, Singh, Mahendra, Bhatia, Karamjit, and Pathak, Heman
- Subjects: MALWARE, DEEP learning, ARTIFICIAL intelligence, ARTIFICIAL neural networks, CYBERTERRORISM
- Abstract:
The encrypted or https traffic on Internet accounts for the safe and secure communication between users and servers. However, cyber attackers are also exploiting https traffic to disguise their malignant activities. Detection of network threats in https traffic is a tiresome task for security experts owing to the convoluted nature of encrypted traffic on the web. Conventional detection techniques decrypt the network content, check it for threats, re-encrypt the network content, and then send it to the server. But this approach jeopardizes the secrecy of data and user. In recent time, deep learning (DL) has emerged as one of the most fruitful AI methods that diminishes the manual resolution of features to enhance classification accuracy. A DL based strategy is suggested for recognition of threat in encrypted communication without using decryption. The three DL algorithms, as used by the proposed approach are, multilayer perceptron (MLP), long short-term memory (LSTM) and 1-D convolutional neural network (1-D CNN), which are experimented on the CTU-13 malware dataset containing flow-based attributes of network traffic. The outcome of the experiment exhibits that MLP based approach performs better in comparison to 1-D CNN and LSTM based ones and other existing approaches. Thus, the secrecy of the data is maintained and the capability of identifying threats in encrypted communication is augmented. [ABSTRACT FROM AUTHOR]
- Published: 2024
- Full Text: View/download PDF
11. ITC-Net-blend-60: a comprehensive dataset for robust network traffic classification in diverse environments.
- Author: Bayat, Marziyeh, Garshasbi, Javad, Mehdizadeh, Mozhgan, Nozari, Neda, Rezaei Khesal, Abolghasem, Dokhaei, Maryam, and Teimouri, Mehdi
- Subjects: COMPUTER network traffic, INTERNET service providers, MOBILE apps, SOCIAL interaction, CLASSIFICATION
- Abstract:
Objectives: Recognition of mobile applications within encrypted network traffic holds considerable effects across multiple domains, encompassing network administration, security, and digital marketing. The creation of network traffic classifiers capable of adjusting to dynamic and unforeseeable real-world settings presents a tremendous challenge. Presently available datasets exclusively encompass traffic data obtained from a singular network environment, thereby restricting their utility in evaluating the robustness and compatibility of a given model. Data description: This dataset was gathered from 60 popular Android applications in five different network scenarios, with the intention of overcoming the limitations of previous datasets. The scenarios were the same in the applications set but differed in terms of Internet service provider (ISP), geographic location, device, application version, and individual users. The traffic was generated through real human interactions on physical devices for 3–15 min. The method used to capture the traffic did not require root privileges on mobile phones and filtered out any background traffic. In total, the collected dataset comprises over 48 million packets, 450K bidirectional flows, and 36 GB of data. [ABSTRACT FROM AUTHOR]
- Published: 2024
- Full Text: View/download PDF
12. Deep Learning-Based Anomaly Detection in TLS Encrypted Traffic
- Author: Ayano, Kehinde, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, and Arai, Kohei, editor
- Published: 2024
- Full Text: View/download PDF
13. A Weakly Supervised Method for Encrypted Traffic Classification in the Dark Web
- Author: Han, Lu, Qian, Xin, Yang, Zhihao, Yao, Yuan, Wang, Xinghu, Xu, Shuai, Filipe, Joaquim, Editorial Board Member, Ghosh, Ashish, Editorial Board Member, Zhou, Lizhu, Editorial Board Member, Meng, Xiaofeng, editor, Cao, Zhidong, editor, Wu, Suran, editor, Chen, Yang, editor, and Zhan, Xiu-Xiu, editor
- Published: 2024
- Full Text: View/download PDF
14. FSAM Framework for Online CDN-Based Website Classification
- Author: Zhan, Yulong, Cai, Yang, Xiong, Gang, Gou, Gaopeng, Li, Xiaoqian, Goos, Gerhard, Series Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Zhu, Tianqing, editor, and Li, Yannan, editor
- Published: 2024
- Full Text: View/download PDF
15. Improvising Encrypted Traffic Analysis Using Stacking Ensemble Model
- Author: Pavan, P., Saifulla, M. A., Anand, Nemalikanti, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Pati, Bibudhendu, editor, Panigrahi, Chhabi Rani, editor, Mohapatra, Prasant, editor, and Li, Kuan-Ching, editor
- Published: 2024
- Full Text: View/download PDF
16. TimeGAN: A Novel Solution to Imbalanced Encrypted Traffic Datasets
- Author: Liu, Hao, Zeng, Yong, Zhou, Tianci, Liu, Zhihong, Ma, Jianfeng, Filipe, Joaquim, Editorial Board Member, Ghosh, Ashish, Editorial Board Member, Prates, Raquel Oliveira, Editorial Board Member, Zhou, Lizhu, Editorial Board Member, Yang, Haomiao, editor, and Lu, Rongxing, editor
- Published: 2024
- Full Text: View/download PDF
17. Multi-Task Scenario Encrypted Traffic Classification and Parameter Analysis.
- Author: Wang, Guanyu and Gu, Yijun
- Subjects: DEEP learning, CLASSIFICATION, COMPUTER network security
- Abstract:
The widespread use of encrypted traffic poses challenges to network management and network security. Traditional machine learning-based methods for encrypted traffic classification no longer meet the demands of management and security. The application of deep learning technology in encrypted traffic classification significantly improves the accuracy of models. This study focuses primarily on encrypted traffic classification in the fields of network analysis and network security. To address the shortcomings of existing deep learning-based encrypted traffic classification methods in terms of computational memory consumption and interpretability, we introduce a Parameter-Efficient Fine-Tuning method for efficiently tuning the parameters of an encrypted traffic classification model. Experimentation is conducted on various classification scenarios, including Tor traffic service classification and malicious traffic classification, using multiple public datasets. Fair comparisons are made with state-of-the-art deep learning model architectures. The results indicate that the proposed method significantly reduces the scale of fine-tuning parameters and computational resource usage while achieving performance comparable to that of the existing best models. Furthermore, we interpret the learning mechanism of encrypted traffic representation in the pre-training model by analyzing the parameters and structure of the model. This comparison validates the hypothesis that the model exhibits hierarchical structure, clear organization, and distinct features. [ABSTRACT FROM AUTHOR]
- Published: 2024
- Full Text: View/download PDF
18. FedETC: Encrypted traffic classification based on federated learning
- Author: Zhiping Jin, Ke Duan, Changhui Chen, Meirong He, Shan Jiang, and Hanxiao Xue
- Subjects: Network traffic classification, Federated learning, Encrypted traffic, Science (General), Q1-390, Social sciences (General), H1-99
- Abstract:
The current popular traffic classification methods based on feature engineering and machine learning are difficult to obtain suitable traffic feature sets for multiple traffic classification tasks. Besides, data privacy policies prohibit network operators from collecting and sharing traffic data that might compromise user privacy. To address these challenges, we propose FedETC, a federated learning framework that allows multiple participants to learn global traffic classifiers, while keeping locally encrypted traffic invisible to other participants. In addition, FedETC adopts one-dimensional convolutional neural network as the base model, which avoids manual traffic feature design. In the experiments, we evaluate the FedETC framework for the tasks of both application identification and traffic characterization in a publicly available real-world dataset. The results show that FedETC can achieve promising accuracy rates that are close to centralized learning schemes.
- Published: 2024
- Full Text: View/download PDF
19. Active-Darknet: An Iterative Learning Approach for Darknet Traffic Detection and Categorization
- Author: Sidra Abbas, Imen Bouazzi, Gabriel Avelino Sampedro, Shtwai Alsubai, Ahmad S. Almadhor, Abdullah Al Hejaili, and Natalia Kryvinska
- Subjects: Active learning, darknet, anonymity, encrypted networks, encrypted traffic, machine learning, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
- Abstract:
Darknet refers to a significant portion of the internet that is hidden and not indexed by traditional search engines. It is often associated with illicit activities such as the trafficking of illicit goods, such as drugs, weapons, and stolen data. To keep our online cyber spaces safe in this era of rapid technological advancement and global connectivity, we should analyse and recognise darknet traffic. Beyond cybersecurity, this attention to detail includes safeguarding intellectual property, stopping illegal activity, and following the law. In order to improve accuracy and precision in identifying illicit activities, this study presents a novel approach named Active-Darknet that uses an active learning-based machine learning model for detecting darknet traffic. In order to guarantee high-quality analysis, our methodology includes extensive data preprocessing, such as numerically encoding categorical labels and improving the representation of minority classes using data balancing. In addition to machine learning models, we also use Deep Neural Networks (DNN), Bidirectional Long Short-Term Memory (BI-LSTM) and Flattened-DNN for experimentation. The majority of models exhibited encouraging outcomes; however, the models that utilised active learning, specifically the Random Forest (RF) and Decision Tree (DT) models, attained promising accuracy levels of 87%, rendering them the most efficient in detecting darknet traffic. Large traffic analysis is greatly enhanced by this method, which also increases the detection process’s robustness and effectiveness.
- Published: 2024
- Full Text: View/download PDF
20. AP-EH: An Encryption Hopping Method Based on Action Program Enabled SDN
- Author: Zheng Zhao, Xiaoya Fan, Qian Mao, Haixiao Xue, and Qi Zhao
- Subjects: Encrypted traffic, moving target defense, programmable data plane, sniffing attack, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
- Abstract:
Sniffing attack is one of the typical passive network attack methods, which poses a serious threat to network communication security. Detecting and defending against sniffing attacks is challenging due to their stealthy nature. In this paper, we propose an encryption hopping method based on a programmable data plane named AP-EH to defend against sniffing attacks. By leveraging the concept of Moving Target Defense (MTD), AP-EH greatly elevates the complexity and cost for attackers to crack the communication data by dynamically modifying the encryption algorithm and key. Experimental results and analysis demonstrate the security and performance of the proposed method.
- Published: 2024
- Full Text: View/download PDF
21. F3l: an automated and secure function-level low-overhead labeled encrypted traffic dataset construction method for IM in Android
- Author: Keya Xu and Guang Cheng
- Subjects: Encrypted traffic, Deep learning, Android, Labeled dataset, Computer engineering. Computer hardware, TK7885-7895, Electronic computers. Computer science, QA75.5-76.95
- Abstract:
Fine-grained function-level encrypted traffic classification is an essential approach to maintaining network security. Machine learning and deep learning have become mainstream methods to analyze traffic, and labeled dataset construction is the basis. Android occupies a huge share of the mobile operating system market. Instant Messaging (IM) applications are important tools for people communication. But such applications have complex functions which frequently switched, so it is difficult to obtain function-level labels. The existing function-level public datasets in Android are rare and noisy, leading to research stagnation. Most labeled samples are collected with WLAN devices, which cannot exclude the operating system background traffic. At the same time, other datasets need to obtain root permission or use scripts to simulate user behavior. These collecting methods either destroy the security of the mobile device or ignore the real operation features of users with coarse-grained. Previous work (Chen et al. in Appl Sci 12(22):11731, 2022) proposed a one-stop automated encrypted traffic labeled sample collection, construction, and correlation system, A3C, running at the application-level in Android. This paper analyzes the display characteristics of IM and proposes a function-level low-overhead labeled encrypted traffic datasets construction method for Android, F3L. The supplementary method to A3C monitors UI controls and layouts of the Android system in the foreground. It selects the feature fields of attributes of them for different in-app functions to build an in-app function label matching library for target applications and in-app functions. The deviation of timestamp between function invocation and label identification completion is calibrated to cut traffic samples and map them to corresponding labels. Experiments show that the method can match the correct label within 3 s after the user operation.
- Published: 2024
- Full Text: View/download PDF
22. Explainable Deep-Learning Approaches for Packet-Level Traffic Prediction of Collaboration and Communication Mobile Apps
- Author: Idio Guarino, Giuseppe Aceto, Domenico Ciuonzo, Antonio Montieri, Valerio Persico, and Antonio Pescape
- Subjects: Communication apps, collaboration apps, COVID, deep learning, encrypted traffic, multitask approaches, Telecommunication, TK5101-6720, Transportation and communications, HE1-9990
- Abstract:
Significant changes in lifestyle have reshaped the Internet landscape, resulting in notable shifts in both the magnitude of Internet traffic and the diversity of apps utilized. The increased adoption of communication-and-collaboration apps, also fueled by lockdowns in the COVID pandemic years, has heavily impacted the management of network infrastructures and their traffic. A notable characteristic of these apps is their multi-activity nature, e.g., they can be used for chat and (interactive) audio/video in the same usage session: predicting and managing the traffic they generate is an important but especially challenging task. In this study, we focus on real data from four popular apps belonging to the aforementioned category: Skype, Teams, Webex, and Zoom. First, we collect traffic data from these apps, reliably label it with both the app and the specific user activity and analyze it from the perspective of traffic prediction. Second, we design data-driven models to predict this traffic at the finest granularity (i.e., at packet level) employing four advanced multitask deep learning architectures and investigating three different training strategies. The trade-off between performance and complexity is explored as well. We publish the dataset and release our code as open source to foster the replicability of our analysis. Third, we leverage the packet-level prediction approach to perform aggregate prediction at different timescales. Fourth, our study pioneers the trustworthiness analysis of these predictors via the application of eXplainable Artificial Intelligence to (a) interpret their forecasting results and (b) evaluate their reliability, highlighting the relative importance of different parts of observed traffic and thus offering insights for future analyses and applications. The insights gained from the analysis provided with this work have implications for various network management tasks, including monitoring, planning, resource allocation, and enforcing security policies.
- Published
- 2024
23. MVDet: Encrypted malware traffic detection via multi-view analysis.
- Author
-
Cui, Susu, Han, Xueying, Dong, Cong, Li, Yun, Liu, Song, Lu, Zhigang, and Liu, Yuling
- Abstract
Detecting encrypted malware traffic promptly to halt the further propagation of an attack is critical. Currently, machine learning has become a key technique for extracting encrypted malware traffic patterns. However, due to the dynamic nature of network environments and the frequent updates of malware, current methods face the challenge of detecting unknown malware traffic in open-world environments. To address the issue, we introduce MVDet, a novel method that employs machine learning to mine the behavioral features of malware traffic based on multi-view analysis. Unlike traditional methods, MVDet innovatively characterizes the behavioral features of malware traffic at 4-tuple flows from four views: statistical view, DNS view, TLS view, and business view, which is a more stable feature representation capable of handling complex network environments and malware updates. Additionally, we achieve short-time behavioral feature construction, significantly reducing the time cost for feature extraction and malware detection. As a result, we can detect malware behavior promptly at an early stage. Our evaluation demonstrates that MVDet can detect a wide variety of known malware traffic and exhibits efficient and robust detection in both open-world and unknown malware scenarios. MVDet outperforms state-of-the-art methods in closed-world known malware detection, open-world known malware detection, and open-world unknown malware detection. [ABSTRACT FROM AUTHOR]
- Published
- 2024
24. Artificial Intelligence-Based Anomaly Detection Technology over Encrypted Traffic: A Systematic Literature Review.
- Author
-
Ji, Il Hwan, Lee, Ju Hyeon, Kang, Min Ji, Park, Woo Jin, Jeon, Seung Ho, and Seo, Jung Taek
- Subjects
ARTIFICIAL intelligence ,ANOMALY detection (Computer security) ,LITERATURE reviews ,DEEP packet inspection (Computer security) ,COMPUTER network traffic ,FEATURE selection - Abstract
As cyber-attacks increase in unencrypted communication environments such as the traditional Internet, protected communication channels based on cryptographic protocols, such as transport layer security (TLS), have been introduced to the Internet. Accordingly, attackers have been carrying out cyber-attacks by hiding themselves in protected communication channels. However, the nature of channels protected by cryptographic protocols makes it difficult to distinguish between normal and malicious network traffic behaviors. This means that traditional anomaly detection models with features extracted from packets by deep packet inspection (DPI) have been neutralized. Recently, studies on anomaly detection using artificial intelligence (AI) and statistical characteristics of traffic have been proposed as an alternative. In this review, we provide a systematic review of AI-based anomaly detection techniques over encrypted traffic. We set several research questions on the review topic and collected research according to eligibility criteria. Through the screening process and quality assessment, 30 research articles were selected with high suitability to be included in the review from the collected literature. We reviewed the selected research in terms of dataset, feature extraction, feature selection, preprocessing, anomaly detection algorithm, and performance indicators. As a result of the literature review, it was confirmed that various techniques are used for AI-based anomaly detection over encrypted traffic. Some techniques are similar to those used for AI-based anomaly detection over unencrypted traffic, but some technologies are different from those used for unencrypted traffic. [ABSTRACT FROM AUTHOR]
- Published
- 2024
25. F3l: an automated and secure function-level low-overhead labeled encrypted traffic dataset construction method for IM in Android.
- Author
-
Xu, Keya and Cheng, Guang
- Subjects
MOBILE operating systems ,INSTANT messaging ,DEEP learning ,MACHINE learning ,COMPUTER network security - Abstract
Fine-grained function-level encrypted traffic classification is an essential approach to maintaining network security. Machine learning and deep learning have become mainstream methods to analyze traffic, and labeled dataset construction is the basis. Android occupies a huge share of the mobile operating system market. Instant Messaging (IM) applications are important tools for people's communication. But such applications have complex functions which are frequently switched, so it is difficult to obtain function-level labels. The existing function-level public datasets in Android are rare and noisy, leading to research stagnation. Most labeled samples are collected with WLAN devices, which cannot exclude the operating system background traffic. At the same time, other datasets need to obtain root permission or use scripts to simulate user behavior. These collecting methods either destroy the security of the mobile device or ignore the real operation features of users in a coarse-grained manner. Previous work (Chen et al. in Appl Sci 12(22):11731, 2022) proposed a one-stop automated encrypted traffic labeled sample collection, construction, and correlation system, A3C, running at the application level in Android. This paper analyzes the display characteristics of IM and proposes a function-level low-overhead labeled encrypted traffic dataset construction method for Android, F3L. The supplementary method to A3C monitors UI controls and layouts of the Android system in the foreground. It selects the feature fields of their attributes for different in-app functions to build an in-app function label matching library for target applications and in-app functions. The deviation of the timestamp between function invocation and label identification completion is calibrated to cut traffic samples and map them to corresponding labels. Experiments show that the method can match the correct label within 3 s after the user operation. [ABSTRACT FROM AUTHOR]
- Published
- 2024
26. Intelligent IoT Network Awareness
- Author
-
Yao, Haipeng, Guizani, Mohsen, Shen, Xuemin Sherman, Series Editor, Yao, Haipeng, and Guizani, Mohsen
- Published
- 2023
27. TLS-MHSA: An Efficient Detection Model for Encrypted Malicious Traffic based on Multi-Head Self-Attention Mechanism.
- Author
-
JINFU CHEN, LUO SONG, SAIHUA CAI, HAODI XIE, SHANG YIN, and AHMAD, BILAL
- Subjects
DEEP learning ,TRAFFIC surveys ,TRAFFIC monitoring ,COMPUTER network security ,INFORMATION retrieval - Abstract
In recent years, the use of TLS (Transport Layer Security) protocol to protect communication information has become increasingly popular as users are more aware of network security. However, hackers have also exploited the salient features of the TLS protocol to carry out covert malicious attacks, which threaten the security of network space. Currently, the commonly used traffic detection methods are not always reliable when applied to the problem of encrypted malicious traffic detection due to their limitations. The most significant problem is that these methods do not focus on the key features of encrypted traffic. To address this problem, this study proposes an efficient detection model for encrypted malicious traffic based on transport layer security protocol and a multi-head self-attention mechanism called TLS-MHSA. Firstly, we extract the features of TLS traffic during pre-processing and perform traffic statistics to filter redundant features. Then, we use a multi-head self-attention mechanism to focus on learning key features as well as generate the most important combined features to construct the detection model, thereby detecting the encrypted malicious traffic. Finally, we use a public dataset to verify the effectiveness and efficiency of the TLS-MHSA model, and the experimental results show that the proposed TLS-MHSA model has high precision, recall, F1-measure, AUC-ROC as well as higher stability than seven state-of-the-art detection models. [ABSTRACT FROM AUTHOR]
- Published
- 2023
28. Multi-Task Scenario Encrypted Traffic Classification and Parameter Analysis
- Author
-
Guanyu Wang and Yijun Gu
- Subjects
encrypted traffic ,network management ,interpretability analysis ,fine-tuning ,Chemical technology ,TP1-1185 - Abstract
The widespread use of encrypted traffic poses challenges to network management and network security. Traditional machine learning-based methods for encrypted traffic classification no longer meet the demands of management and security. The application of deep learning technology in encrypted traffic classification significantly improves the accuracy of models. This study focuses primarily on encrypted traffic classification in the fields of network analysis and network security. To address the shortcomings of existing deep learning-based encrypted traffic classification methods in terms of computational memory consumption and interpretability, we introduce a Parameter-Efficient Fine-Tuning method for efficiently tuning the parameters of an encrypted traffic classification model. Experimentation is conducted on various classification scenarios, including Tor traffic service classification and malicious traffic classification, using multiple public datasets. Fair comparisons are made with state-of-the-art deep learning model architectures. The results indicate that the proposed method significantly reduces the scale of fine-tuning parameters and computational resource usage while achieving performance comparable to that of the existing best models. Furthermore, we interpret the learning mechanism of encrypted traffic representation in the pre-training model by analyzing the parameters and structure of the model. This comparison validates the hypothesis that the model exhibits hierarchical structure, clear organization, and distinct features.
- Published
- 2024
29. CBSeq: A Channel-Level Behavior Sequence for Encrypted Malware Traffic Detection.
- Author
-
Cui, Susu, Dong, Cong, Shen, Meng, Liu, Yuling, Jiang, Bo, and Lu, Zhigang
- Abstract
Machine learning and neural networks have become increasingly popular solutions for encrypted malware traffic detection. They mine and learn complex traffic patterns, enabling detection by fitting boundaries between malware traffic and benign traffic. Compared with signature-based methods, they have higher scalability and flexibility. However, affected by the frequent variants and updates of malware, current methods suffer from a high false positive rate and do not work well for unknown malware traffic detection. It remains a critical task to achieve effective malware traffic detection. In this paper, we introduce CBSeq to address the above problems. CBSeq is a method that constructs a stable traffic representation, behavior sequence, to characterize attacking intent and achieve malware traffic detection. We novelly propose the channels with similar behavior as the detection object and extract side-channel content to construct behavior sequence. Unlike benign activities, the behavior sequences of malware and its variant’s traffic exhibit solid internal correlations. Moreover, we design the MSFormer, a powerful Transformer-based multi-sequence fusion classifier. It captures the internal similarity of behavior sequence, thereby distinguishing malware traffic from benign traffic. Our evaluations demonstrate that CBSeq performs effectively in various known malware traffic detection and exhibits superior performance in unknown malware traffic detection, outperforming state-of-the-art methods. [ABSTRACT FROM AUTHOR]
- Published
- 2023
30. CBS: A Deep Learning Approach for Encrypted Traffic Classification With Mixed Spatio-Temporal and Statistical Features
- Author
-
Mehdi Seydali, Farshad Khunjush, Behzad Akbari, and Javad Dogani
- Subjects
Deep learning ,encrypted traffic ,imbalanced data ,packet features ,traffic classification ,Electrical engineering. Electronics. Nuclear engineering ,TK1-9971 - Abstract
With the rapid advancement of the internet and online applications, traffic classification has become an increasingly significant topic in computer networks. Managing network resources, improving service quality, and enhancing cybersecurity are critical. Due to traffic encryption techniques, traditional traffic classification approaches have become ineffective and inaccurate. Therefore, the scientific community considers deep learning a high-performance approach for classifying encrypted traffic. This paper proposes an encrypted traffic classification approach, CBS, based on a deep learning technique. CBS can classify encrypted traffic at two levels using 1D-CNN, attention-based Bi-LSTM, and SAE deep network models. The proposed model classifies traffic types and applications based on a comprehensive set of session and packet-level features. CBS accurately distinguishes traffic classes using spatial, temporal, and statistical features extracted from packet content relationships, temporal relationships between packets in a session, and statistical characteristics of a work session. A traffic data augmentation technique based on a GAN network is employed to mitigate the impact of data imbalance on traffic classes. The proposed platform’s performance is evaluated on the public ISCX VPN-Non VPN 2016 dataset. The results demonstrate that the platform accurately and efficiently identifies applications and classifies encrypted traffic. Compared to state-of-the-art methods, the proposed traffic classification model improves precision by 21.3%, accuracy by 13.1%, recall by 18.11%, and F1 score by 19.79%.
- Published
- 2023
31. Detection of Android Malware Based on Deep Forest and Feature Enhancement
- Author
-
Xueqin Zhang, Jiyuan Wang, Jinyu Xu, and Chunhua Gu
- Subjects
Android malware ,anomaly detection ,encrypted traffic ,feature enhancement ,deep forest ,Electrical engineering. Electronics. Nuclear engineering ,TK1-9971 - Abstract
Detecting Android malware in its spread or download stage is challenging work, which can realize early detection of malware before it reaches the user side. In this paper, we propose a two-stage detection framework based on feature enhancement and cascade deep forest. This method can detect the traffic generated in the encrypted transmission process of Android malware. The first stage realizes the binary classification of benign and malicious software. The second stage realizes the multi-classification of different categories of malware. To enhance data representation, convolutional neural networks are used to extract benign and malicious features in the first stage, and the principal component analysis method is used to extract the malicious features in the second stage. These extracted features are spliced with the payload part of the traffic to form fusion features for the classification task. In order to adapt to different scales of samples, especially for small-scale samples, a cascaded deep forest method is proposed to construct the classification model. In this model, many layers that consist of base classifiers are cascaded and the number of layers can be automatically adjusted according to the scale of the samples. With different combinations of base classifiers in each layer, the optimal detection accuracy is achieved in the two stages. The experimental results on several datasets prove that the proposed method is effective for encrypted transmission detection of Android malware. It is also suitable for the detection of unknown attacks.
- Published
- 2023
32. Encrypted traffic classification method based on convolutional neural network
- Author
-
Rongna XIE, Zhuhong MA, Zongyu LI, and Ye TIAN
- Subjects
encrypted traffic ,convolution neural network ,deep learning ,feature fusion ,model optimization ,Electronic computers. Computer science ,QA75.5-76.95 - Abstract
Aiming at the problems of low accuracy, weak generality, and easy privacy violation of traditional encrypted network traffic classification methods, an encrypted traffic classification method based on a convolutional neural network was proposed, which avoided relying on original traffic data and prevented overfitting to the specific byte structure of the application. According to the data packet size and arrival time information of network traffic, a method to convert the original traffic into a two-dimensional picture was designed. Each cell in the histogram represented the number of packets with the corresponding size that arrive in the corresponding time interval, avoiding reliance on packet payloads and privacy violations. The LeNet-5 convolutional neural network model was optimized to improve the classification accuracy. The inception module was embedded for multi-dimensional feature extraction and feature fusion, and the 1×1 convolution was used to control the feature dimension of the output. Besides, the average pooling layer and the convolutional layer were used to replace the fully connected layer to increase the calculation speed and avoid overfitting. The sliding window method used in object detection tasks was adopted, and each network unidirectional flow was divided into equal-sized blocks, ensuring that the blocks in the training set and the blocks in the test set in a single session do not overlap and expanding the dataset samples. The classification experiment results on the ISCX dataset show that for the application traffic classification task, the average accuracy rate reaches more than 95%. The comparative experimental results show that the traditional classification method has a significant decrease in accuracy or even fails when the types of training set and test set are different. However, the accuracy rate of the proposed method still reaches 89.2%, which proves that the method is universally suitable for encrypted traffic and non-encrypted traffic. All experiments are based on imbalanced datasets, and the experimental results may be further improved if balanced processing is performed.
- Published
- 2022
33. Classification of Virtual Private networks encrypted traffic using ensemble learning algorithms
- Author
-
Ammar Almomani
- Subjects
Ensemble Learning ,Machine learning ,VPN and Non-VPN traffic analysis ,Encrypted traffic ,Electronic computers. Computer science ,QA75.5-76.95 - Abstract
Virtual Private Networks (VPNs) are one example of encrypted communication services commonly used to bypass censorship and access geographically locked services. This study performed VPN and non-VPN traffic analysis and developed a classification system based on the new techniques of machine learning classifiers known as stacking ensemble learning. The methods used for VPN and Non-VPN classification use three machine learning techniques: random forest, neural network, and support vector machine. To assess the proposed method's performance, we tested it on a dataset containing 61 features. The experiment results accurately prove the ability of the study's classifiers to differentiate between VPN and Non-VPN traffic. The accuracy level was approximately 99% in the training and testing phase. The study's classifiers also show the best standard deviation, with a 100% accuracy rate compared to other A.I. classifier methods.
- Published
- 2022
34. VT-GAT: A Novel VPN Encrypted Traffic Classification Model Based on Graph Attention Neural Network
- Author
-
Xu, Hongbo, Li, Shuhao, Cheng, Zhenyu, Qin, Rui, Xie, Jiang, Sun, Peishuai, Akan, Ozgur, Editorial Board Member, Bellavista, Paolo, Editorial Board Member, Cao, Jiannong, Editorial Board Member, Coulson, Geoffrey, Editorial Board Member, Dressler, Falko, Editorial Board Member, Ferrari, Domenico, Editorial Board Member, Gerla, Mario, Editorial Board Member, Kobayashi, Hisashi, Editorial Board Member, Palazzo, Sergio, Editorial Board Member, Sahni, Sartaj, Editorial Board Member, Shen, Xuemin, Editorial Board Member, Stan, Mircea, Editorial Board Member, Jia, Xiaohua, Editorial Board Member, Zomaya, Albert Y., Editorial Board Member, Gao, Honghao, editor, Wang, Xinheng, editor, Wei, Wei, editor, and Dagiuklas, Tasos, editor
- Published
- 2022
35. DTLF: Deep Transfer Learning for Website Fingerprinting
- Author
-
Li, Zhanbo, Song, Qiyu, Mao, Baolei, Zhu, Zhenyan, Angrisani, Leopoldo, Series Editor, Arteaga, Marco, Series Editor, Panigrahi, Bijaya Ketan, Series Editor, Chakraborty, Samarjit, Series Editor, Chen, Jiming, Series Editor, Chen, Shanben, Series Editor, Chen, Tan Kay, Series Editor, Dillmann, Rüdiger, Series Editor, Duan, Haibin, Series Editor, Ferrari, Gianluigi, Series Editor, Ferre, Manuel, Series Editor, Hirche, Sandra, Series Editor, Jabbari, Faryar, Series Editor, Jia, Limin, Series Editor, Kacprzyk, Janusz, Series Editor, Khamis, Alaa, Series Editor, Kroeger, Torsten, Series Editor, Li, Yong, Series Editor, Liang, Qilian, Series Editor, Martín, Ferran, Series Editor, Ming, Tan Cher, Series Editor, Minker, Wolfgang, Series Editor, Misra, Pradeep, Series Editor, Möller, Sebastian, Series Editor, Mukhopadhyay, Subhas, Series Editor, Ning, Cun-Zheng, Series Editor, Nishida, Toyoaki, Series Editor, Oneto, Luca, Series Editor, Pascucci, Federica, Series Editor, Qin, Yong, Series Editor, Seng, Gan Woon, Series Editor, Speidel, Joachim, Series Editor, Veiga, Germano, Series Editor, Wu, Haitao, Series Editor, Zamboni, Walter, Series Editor, Zhang, Junjie James, Series Editor, Liu, Qi, editor, Liu, Xiaodong, editor, Cheng, Jieren, editor, Shen, Tao, editor, and Tian, Yuan, editor
- Published
- 2022
36. Effective and Lightweight Defenses Against Website Fingerprinting on Encrypted Traffic
- Author
-
Jiang, Chengpu, Gao, Zhenbo, Shen, Meng, Filipe, Joaquim, Editorial Board Member, Ghosh, Ashish, Editorial Board Member, Prates, Raquel Oliveira, Editorial Board Member, Zhou, Lizhu, Editorial Board Member, Wang, Yang, editor, Zhu, Guobin, editor, Han, Qilong, editor, Zhang, Liehui, editor, Song, Xianhua, editor, and Lu, Zeguang, editor
- Published
- 2022
37. MEMTD: Encrypted Malware Traffic Detection Using Multimodal Deep Learning
- Author
-
Zhang, Xiaotian, Lu, Jintian, Sun, Jiakun, Xiao, Ruizhi, Jin, Shuyuan, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Di Noia, Tommaso, editor, Ko, In-Young, editor, Schedl, Markus, editor, and Ardito, Carmelo, editor
- Published
- 2022
38. Encrypted Malicious Traffic Detection Based on Ensemble Learning
- Author
-
Xiao, Fengrui, Yang, Feng, Chen, Shuangwu, Yang, Jian, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Meng, Weizhi, editor, and Conti, Mauro, editor
- Published
- 2022
39. A Mobile Application-Classifying Method Based on a Graph Attention Network from Encrypted Network Traffic.
- Author
-
Xu, Guoliang, Xu, Ming, Chen, Yunzhi, and Zhao, Jiaqi
- Subjects
DEEP learning ,MOBILE apps ,COMPUTER network security ,FLOWGRAPHS ,SECURITY management - Abstract
Classifying mobile applications from encrypted network traffic is a common and basic requirement in network security and network management. Existing works classify mobile applications from flows, based on which application fingerprints and classifiers are created. However, mobile applications often generate concurrent flows with varying degrees of ties, such as low discriminative flows across applications and application-specific flows. So flow-based methods suffer from low accuracy. In this paper, a novel mobile application-classifying method is proposed, capturing relationships between flows and paying attention to their importance. To capture the inter-flow relationships, the proposed method slices raw mobile traffic into traffic chunks to represent flows as nodes, embeds statistical features into nodes, and adds edges according to cross-correlations between the nodes. To pay different attention to the various flows, the proposed method builds a deep learning model based on graph attention networks, implicitly assigning importance values to flows via graph attention layers. Compared to recently developed techniques on a large dataset with 101 popular apps using the Android platform, the proposed method improved by 4–20% for accuracy, precision, recall, and F1 score, and spent much less time training. [ABSTRACT FROM AUTHOR]
- Published
- 2023
40. Dark-Forest: Analysis on the Behavior of Dark Web Traffic via DeepForest and PSO Algorithm.
- Author
-
Xin Tong, Changlin Zhang, Jingya Wang, Zhiyan Zhao, and Zhuoxian Liu
- Subjects
DEEP learning ,DARKNETS (File sharing) ,INTERNET traffic ,BEHAVIORAL assessment ,ALGORITHMS ,PARTICLE swarm optimization - Abstract
The dark web is a shadow area hidden in the depths of the Internet, which is difficult to access through common search engines. Because of its anonymity, the dark web has gradually become a hotbed for a variety of cyber-crimes. Although some research based on machine learning or deep learning has been shown to be effective in the task of analyzing dark web traffic in recent years, there are still pain points such as low accuracy, insufficient real-time performance, and limited application scenarios. Aiming at the difficulties faced by the existing automated dark web traffic analysis methods, a novel method named Dark-Forest to analyze the behavior of dark web traffic is proposed. In this method, firstly, the particle swarm optimization algorithm is used to filter the redundant features of dark web traffic data, which can effectively shorten the training and inference time of the model to meet the real-time requirements of the dark web detection task. Then, the selected traffic features are analyzed and classified using the DeepForest model as a backbone classifier. The comparison experiment with the current mainstream methods shows that Dark-Forest takes into account the advantages of statistical machine learning and deep learning, and achieves an accuracy rate of 87.84%. This method not only outperforms baseline methods such as Random Forest, MLP, CNN, and the original DeepForest in both large-scale and small-scale dataset-based learning tasks, but also can detect normal network traffic, tunnel network traffic and anonymous network traffic, which may close the gap between different network traffic analysis tasks. Thus, it has a wider application scenario and higher practical value. [ABSTRACT FROM AUTHOR]
- Published
- 2023
41. Botnet Detection Model in Encrypted Traffics Software-Defined Network (SDN) Using Deep Neural Network (DNN).
- Author
-
Suneth, Rio, Sukoco, Heru, and Neyman, Shelvie Nidya
- Subjects
BOTNETS ,SOFTWARE-defined networking ,INFRASTRUCTURE (Economics) ,ENCRYPTION protocols ,COMMUNICATION infrastructure ,COMPUTER network security - Abstract
The presence of network technology eliminates regional boundaries that become obstacles in communicating and exchanging data and information with the public. The wider the zone of a network, the larger the network infrastructure becomes. The bigger the network infrastructure, the higher the level of management complexity. The Software Defined Network (SDN) concept is a new network concept that provides a solution for managing large infrastructure networks and has a wide service zone. SDN architecture is different from traditional networks. The SDN architecture is divided into three: the data plane, control plane, and application plane, whereas in the traditional network architecture, the three are combined into one. Besides, in maintaining network security, SDN offers a security system, namely the OpenFlow Protocol. The OpenFlow Protocol security system works to regulate the packet traffic that passes. It forwards registered packet data traffic and performs a down action for unknown packet traffic. The weakness is that the OpenFlow Protocol must always be updated with SDN network packet traffic, and the system cannot detect the threat of attacks on encrypted traffic. Nowadays, the frequency of attacks on network traffic is relatively high. The attack techniques used have also evolved. The techniques used are also evolving. Botnets have been able to use several encryption protocols such as TLS / HTTPS, Tor, and P2P as loopholes to attack a network. SDN's presence as a management solution for large infrastructure networks is not directly proportional to its security system, which undoubtedly has a bad impact on SDN network users. Therefore, this study aims to develop an SDN Network Intrusion Detection System (IDS) model to detect botnets in encrypted traffic. The model was developed using the Deep Neural Network (DNN) approach. The SDN network botnet detection model developed can detect encrypted traffic botnets with an accuracy rate of 94.78%, 93.28% precision, and a recall of 99.11%. [ABSTRACT FROM AUTHOR]
- Published
- 2023
42. Artificial Intelligence-Based Anomaly Detection Technology over Encrypted Traffic: A Systematic Literature Review
- Author
-
Il Hwan Ji, Ju Hyeon Lee, Min Ji Kang, Woo Jin Park, Seung Ho Jeon, and Jung Taek Seo
- Subjects
cyber security ,anomaly detection ,encrypted traffic ,Chemical technology ,TP1-1185 - Abstract
As cyber-attacks increase in unencrypted communication environments such as the traditional Internet, protected communication channels based on cryptographic protocols, such as transport layer security (TLS), have been introduced to the Internet. Accordingly, attackers have been carrying out cyber-attacks by hiding themselves in protected communication channels. However, the nature of channels protected by cryptographic protocols makes it difficult to distinguish between normal and malicious network traffic behaviors. This means that traditional anomaly detection models with features extracted from packets by deep packet inspection (DPI) have been neutralized. Recently, studies on anomaly detection using artificial intelligence (AI) and statistical characteristics of traffic have been proposed as an alternative. In this review, we provide a systematic review of AI-based anomaly detection techniques over encrypted traffic. We set several research questions on the review topic and collected research according to eligibility criteria. Through the screening process and quality assessment, 30 research articles were selected with high suitability to be included in the review from the collected literature. We reviewed the selected research in terms of dataset, feature extraction, feature selection, preprocessing, anomaly detection algorithm, and performance indicators. As a result of the literature review, it was confirmed that various techniques are used for AI-based anomaly detection over encrypted traffic. Some techniques are similar to those used for AI-based anomaly detection over unencrypted traffic, but some technologies are different from those used for unencrypted traffic.
- Published
- 2024
- Full Text
- View/download PDF
43. Classification of Virtual Private networks encrypted traffic using ensemble learning algorithms.
- Author
-
Almomani, Ammar
- Subjects
MACHINE learning ,VIRTUAL private networks ,SUPPORT vector machines ,RANDOM forest algorithms - Abstract
Virtual Private Networks (VPNs) are one example of encrypted communication services commonly used to bypass censorship and access geographically locked services. This study performed VPN and non-VPN traffic analysis and developed a classification system based on a recent machine learning technique known as stacking ensemble learning. The method used for VPN and non-VPN classification combines three machine learning techniques: random forest, neural network, and support vector machine. To assess the proposed method's performance, we tested it on a dataset containing 61 features. The experimental results show that the study's classifiers accurately differentiate between VPN and non-VPN traffic. The accuracy level was approximately 99% in the training and testing phases. The study's classifiers also show the best standard deviation, with a 100% accuracy rate compared to other AI classifier methods. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
44. An Encrypted Traffic Classification Method Based on Convolutional Neural Networks.
- Author
-
谢绒娜, 马铸鸿, 李宗俞, and 田野
- Abstract
Copyright of Chinese Journal of Network & Information Security is the property of Beijing Xintong Media Co., Ltd.
- Published
- 2022
- Full Text
- View/download PDF
45. A novel approach for classification of Tor and non-Tor traffic using efficient feature selection methods.
- Author
-
Gudla, Raju, Vollala, Satyanarayana, K.G., Srinivasa, and Amin, Ruhul
- Subjects
ARTIFICIAL neural networks ,FEATURE selection ,MACHINE learning ,COMPUTER network traffic ,PRINCIPAL components analysis - Abstract
In the dynamic realm of encrypted communications, traffic analysis and its classification are crucial for efficient resource utilization and network management. The prevalence of encryption technologies such as The Onion Router (Tor), a globally recognized privacy-preserving network, poses a challenge for the task at hand by introducing complexity through its innovative onion routing mechanism. To overcome Tor's limitations not only in terms of achieving better accuracy but also in performing classification in time-constrained scenarios, we propose a classification approach for Tor and non-Tor traffic, utilizing multiple models to enhance categorization and application identification. Leveraging the University of New Brunswick (UNB) Tor and non-Tor dataset, initially in packet capture format, preprocessing is done by transforming it with CICFlowMeter. To expedite classification, we applied feature selection techniques like Principal Component Analysis (PCA) and t-Distributed Stochastic Neighbor Embedding (t-SNE). Machine learning algorithms like support vector machine (SVM), Gradient Boosting, Random Forest, and Artificial Neural Network (ANN) are applied. Our approach achieves a remarkable recall score of 1.00, demonstrating high accuracy in Tor traffic identification. Notably, efficient feature selection has significantly reduced classification time. This work also contributes to effective Tor and non-Tor network traffic analysis, offering an efficient model for enhanced security and management. • Encrypted anonymity tools like Tor expose network management, security, and internet issues. • Tor traffic is considered in the proposed ML model for efficient classification. • Binary and multiclass classification of Tor traffic using feature selection methods. [ABSTRACT FROM AUTHOR]
- Published
- 2024
- Full Text
- View/download PDF
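The three entries above (the systematic review, the VPN/non-VPN stacking classifier and the Tor/non-Tor classifier) all rest on the same idea: once payload is encrypted, a classifier works on flow statistics (packet counts, byte totals, packet-length and inter-arrival distributions, the kind of per-flow summary CICFlowMeter exports) rather than on packet contents. The block below is an added example for this page, not code from any of the reviewed papers and not a reimplementation of CICFlowMeter: it computes a small set of such features from a bidirectional flow and trains a nearest-centroid classifier on them. The feature names, the `Packet` record, the classifier and all sample flows are this example's own constructions.

```python
"""Flow-statistics features for encrypted traffic classification, with a minimal
nearest-centroid classifier. Added example; all flows below are constructed sample data
and the feature names are this example's own (CICFlowMeter uses different ones)."""
import math
import statistics
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Packet(NamedTuple):
    ts: float    # seconds since the flow's first packet
    fwd: bool    # True for client->server, False for server->client
    size: int    # bytes on the wire


FEATURES = ("duration", "fwd_pkts", "bwd_pkts", "fwd_bytes", "bwd_bytes",
            "pkt_len_mean", "pkt_len_std", "iat_mean", "down_up_ratio")


def flow_features(pkts: Iterable[Packet]) -> Dict[str, float]:
    """Summarise one bidirectional flow from sizes, directions and timing only.
    Nothing here reads payload, which is why it still works on TLS/VPN/Tor traffic."""
    pkts = sorted(pkts, key=lambda p: p.ts)
    if not pkts:
        raise ValueError("empty flow")
    fwd = [p for p in pkts if p.fwd]
    bwd = [p for p in pkts if not p.fwd]
    sizes = [p.size for p in pkts]
    iats = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]   # inter-arrival times
    fwd_bytes = sum(p.size for p in fwd)
    bwd_bytes = sum(p.size for p in bwd)
    return {
        "duration": pkts[-1].ts - pkts[0].ts,
        "fwd_pkts": float(len(fwd)),
        "bwd_pkts": float(len(bwd)),
        "fwd_bytes": float(fwd_bytes),
        "bwd_bytes": float(bwd_bytes),
        "pkt_len_mean": statistics.fmean(sizes),
        "pkt_len_std": statistics.pstdev(sizes),
        "iat_mean": statistics.fmean(iats) if iats else 0.0,
        "down_up_ratio": bwd_bytes / fwd_bytes if fwd_bytes else 0.0,
    }


class NearestCentroid:
    """Z-score every feature over the training set, then predict the label whose
    class centroid is closest in Euclidean distance. Stands in for the RF/SVM/NN
    ensembles of the papers; the feature pipeline is the part that matters here."""

    def __init__(self) -> None:
        self.mean: Dict[str, float] = {}
        self.std: Dict[str, float] = {}
        self.centroids: Dict[str, List[float]] = {}

    def _vector(self, f: Dict[str, float]) -> List[float]:
        return [(f[k] - self.mean[k]) / self.std[k] for k in FEATURES]

    def fit(self, samples: List[Tuple[Dict[str, float], str]]) -> "NearestCentroid":
        for k in FEATURES:
            col = [f[k] for f, _ in samples]
            self.mean[k] = statistics.fmean(col)
            self.std[k] = statistics.pstdev(col) or 1.0   # constant feature: avoid /0
        by_label: Dict[str, List[List[float]]] = {}
        for f, label in samples:
            by_label.setdefault(label, []).append(self._vector(f))
        self.centroids = {lab: [statistics.fmean(c) for c in zip(*vecs)]
                          for lab, vecs in by_label.items()}
        return self

    def predict(self, f: Dict[str, float]) -> str:
        v = self._vector(f)
        return min(self.centroids, key=lambda lab: math.dist(v, self.centroids[lab]))


def _flow(rows) -> List[Packet]:
    return [Packet(ts, d == ">", size) for ts, d, size in rows]


# Constructed flows. "web": request/response bursts, server-heavy, variable sizes.
# "tunnel": steady, MTU-sized, roughly symmetric, as a VPN tunnel carrying a bulk transfer.
TRAIN = [
    (_flow([(0.00, ">", 500), (0.10, "<", 1400), (0.20, "<", 1400), (0.30, ">", 100),
            (0.40, "<", 1400), (0.50, "<", 700)]), "web"),
    (_flow([(0.00, ">", 520), (0.05, "<", 1400), (0.06, "<", 1200), (0.20, ">", 80),
            (0.25, "<", 1400), (0.26, "<", 1400), (0.27, "<", 300)]), "web"),
    (_flow([(0.00, ">", 1300), (0.10, "<", 1300), (0.20, ">", 1300), (0.30, "<", 1300),
            (0.40, ">", 1300), (0.50, "<", 1300)]), "tunnel"),
    (_flow([(0.00, ">", 1300), (0.12, "<", 1300), (0.24, ">", 1300), (0.36, "<", 1300),
            (0.48, ">", 1300), (0.60, "<", 1300), (0.72, ">", 1300)]), "tunnel"),
]
TEST_WEB = _flow([(0.00, ">", 510), (0.03, "<", 1400), (0.031, "<", 1400), (0.10, ">", 90),
                  (0.13, "<", 1400), (0.131, "<", 600)])
TEST_TUNNEL = _flow([(0.00, ">", 1300), (0.11, "<", 1300), (0.22, ">", 1300),
                     (0.33, "<", 1300), (0.44, ">", 1300)])


def train_and_predict() -> Dict[str, str]:
    clf = NearestCentroid().fit([(flow_features(f), lab) for f, lab in TRAIN])
    return {"web_like": clf.predict(flow_features(TEST_WEB)),
            "tunnel_like": clf.predict(flow_features(TEST_TUNNEL))}


if __name__ == "__main__":
    for name, f in (("tunnel", TRAIN[2][0]), ("web", TRAIN[0][0])):
        print(name, {k: round(v, 3) for k, v in flow_features(f).items()})
    print(train_and_predict())
```

Two things the papers' accuracy figures do not show but this toy makes visible: the separation comes almost entirely from `pkt_len_std` and `down_up_ratio`, so a tunnel that pads to a fixed record size and shapes timing (as Tor's fixed-size cells or a padded VPN do) collapses exactly the features the classifier leans on; and z-scoring over the training set means a dataset whose "VPN" class was captured on one link speed will encode that link's timing as a class feature, which is the generalization problem the L-GraphSAGE entry at the top of this page complains about.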
46. Multi-scene Classification of Blockchain Encrypted Traffic
- Author
-
Wang, Yu, Wang, Chencheng, Xiong, Gang, Li, Zhen, Dai, Hong-Ning, editor, Liu, Xuanzhe, editor, Luo, Daniel Xiapu, editor, Xiao, Jiang, editor, and Chen, Xiangping, editor
- Published
- 2021
- Full Text
- View/download PDF
47. Multi-granularity Mobile Encrypted Traffic Classification Based on Fusion Features
- Author
-
Zhang, Hui, Gou, Gaopeng, Xiong, Gang, Liu, Chang, Tan, Yuewen, Ye, Ke, Lu, Wenlian, editor, Sun, Kun, editor, and Liu, Feng, editor
- Published
- 2021
- Full Text
- View/download PDF
48. Fast Application Activity Recognition with Encrypted Traffic
- Author
-
Liu, Xue, Zhang, Shigeng, Li, Huihui, Wang, Weiping, Liu, Zhe, editor, Wu, Fan, editor, and Das, Sajal K., editor
- Published
- 2021
- Full Text
- View/download PDF
49. Dual Generative Adversarial Networks Based Unknown Encryption Ransomware Attack Detection
- Author
-
Xueqin Zhang, Jiyuan Wang, and Shinan Zhu
- Subjects
Ransomware ,encrypted traffic ,anomaly detection ,GAN ,transfer learning ,Electrical engineering. Electronics. Nuclear engineering ,TK1-9971 - Abstract
Aiming at unknown or variant ransomware attacks whose traffic is encrypted with the SSL (Secure Sockets Layer)/TLS (Transport Layer Security) protocol, a detection framework named TGAN-IDS (Transferred Generative Adversarial Network-Intrusion Detection System) based on dual generative adversarial networks is presented in this paper. In this framework, a DCGAN (Deep Convolutional Generative Adversarial Network) is adopted to train a generator that performs well at generating adversarial samples, and it is transferred to the generator of TGAN. A pre-training model named PreD is built based on a CNN (Convolutional Neural Network), which performs well at binary classification, and it is transferred to the discriminator of TGAN. The generator and discriminator of TGAN play a game during training until the discriminator has a strong ability to detect unknown attacks, and it is then output as an anomaly detector. In order to suppress the deterioration of normal-sample detection ability during the adversarial training of TGAN, a reconstruction loss function is introduced into the objective function of TGAN. Experiments on a mixed dataset constructed from CICIDS2017 and other ransomware datasets show that, compared with other deep learning networks such as AlexNet, ResNet and DenseNet, TGAN-IDS performs well on detection accuracy, recall and F1-score. Experiments on the KDD99, SWaT and WADI datasets also show that TGAN-IDS is suitable for detecting unknown attacks in unencrypted network traffic.
- Published
- 2022
- Full Text
- View/download PDF
50. CESNET-QUIC22: A large one-month QUIC network traffic dataset from backbone lines
- Author
-
Jan Luxemburk, Karel Hynek, Tomáš Čejka, Andrej Lukačovič, and Pavel Šiška
- Subjects
Network monitoring ,Traffic classification ,Encrypted traffic ,QUIC ,Computer applications to medicine. Medical informatics ,R858-859.7 ,Science (General) ,Q1-390 - Abstract
The QUIC (Quick UDP Internet Connection) protocol has the potential to replace TLS over TCP, which is the standard choice for reliable and secure Internet communication. Due to its design that makes the inspection of QUIC handshakes challenging and its usage in HTTP/3, there is an increasing demand for research in QUIC traffic analysis. This dataset contains one month of QUIC traffic collected in an ISP backbone network, which connects 500 large institutions and serves around half a million people. The data are delivered as enriched flows that can be useful for various network monitoring tasks. The provided server names and packet-level information allow research in the encrypted traffic classification area. Moreover, included QUIC versions and user agents (smartphone, web browser, and operating system identifiers) provide information for large-scale QUIC deployment studies.
- Published
- 2023
- Full Text
- View/download PDF
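The CESNET-QUIC22 abstract notes that QUIC's design makes handshake inspection challenging, yet the dataset still carries QUIC versions and server names. What a passive monitor can read without any keys is exactly the long-header fields that precede the protected payload: version, packet type and both connection IDs. The parser below is an added example for this page, not code from the dataset or its authors. It follows RFC 9000 section 17.2 for the header layout, RFC 9000 section 16 for variable-length integers, and RFC 9369 for the QUIC v2 type bits. Sample 1 reuses the unprotected client Initial header bytes from RFC 9001 Appendix A.2 with a constructed dummy body; the v2 and Version Negotiation samples are constructed; all function and field names are this example's own.

```python
"""Cleartext fields a passive monitor can read from a QUIC long-header packet.
Added example (not dataset code). Layout: RFC 9000 s17.2; varints: RFC 9000 s16;
v2 type bits: RFC 9369. Sample packets are constructed, see comments below."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

QUIC_V1 = 0x00000001
QUIC_V2 = 0x6B3343CF
MAX_CID_LEN = 20  # RFC 9000: connection IDs are at most 20 bytes

# The two "type" bits of the first byte are assigned differently in v1 and v2,
# so the version must be read before the packet type can be named.
_TYPES = {
    QUIC_V1: {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"},
    QUIC_V2: {1: "Initial", 2: "0-RTT", 3: "Handshake", 0: "Retry"},
}


def is_long_header(pkt: bytes) -> bool:
    """Header Form bit: 1 = long header (handshake), 0 = short header (1-RTT data)."""
    return bool(pkt) and bool(pkt[0] & 0x80)


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a QUIC variable-length integer: the top two bits of the first byte
    select a 1-, 2-, 4- or 8-byte big-endian encoding. Returns (value, new_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated varint")
    length = 1 << (buf[pos] >> 6)
    if pos + length > len(buf):
        raise ValueError("truncated varint")
    value = buf[pos] & 0x3F
    for b in buf[pos + 1:pos + length]:
        value = (value << 8) | b
    return value, pos + length


@dataclass
class LongHeader:
    version: int
    packet_type: str
    dcid: bytes
    scid: bytes
    token: Optional[bytes] = None               # only Initial packets carry a token
    payload_len: Optional[int] = None           # Length field; none for Retry / Version Negotiation
    offered_versions: Optional[List[int]] = None  # Version Negotiation only


def parse_long_header(pkt: bytes) -> LongHeader:
    if not is_long_header(pkt):
        # Short header: only the DCID is in the clear and its length is not on the wire;
        # a monitor has to remember it from the handshake it saw earlier.
        raise ValueError("not a long-header packet")
    if len(pkt) < 7:
        raise ValueError("packet too short")
    first = pkt[0]
    version = int.from_bytes(pkt[1:5], "big")
    pos = 5
    dcid_len = pkt[pos]
    dcid = pkt[pos + 1:pos + 1 + dcid_len]
    pos += 1 + dcid_len
    if len(dcid) != dcid_len or pos >= len(pkt):
        raise ValueError("truncated DCID")
    scid_len = pkt[pos]
    scid = pkt[pos + 1:pos + 1 + scid_len]
    pos += 1 + scid_len
    if len(scid) != scid_len:
        raise ValueError("truncated SCID")

    if version == 0:
        # Version Negotiation: type bits are unused; the rest is a list of 32-bit versions.
        rest = pkt[pos:]
        rest = rest[:len(rest) - len(rest) % 4]
        offered = [int.from_bytes(rest[i:i + 4], "big") for i in range(0, len(rest), 4)]
        return LongHeader(0, "VersionNegotiation", dcid, scid, offered_versions=offered)
    types = _TYPES.get(version)
    if types is None:
        # Draft, greased or unknown version: the layout past this point is not defined here.
        return LongHeader(version, "Unknown", dcid, scid)
    if not first & 0x40:
        raise ValueError("fixed bit clear in a v1/v2 packet")
    if dcid_len > MAX_CID_LEN or scid_len > MAX_CID_LEN:
        raise ValueError("connection ID longer than 20 bytes")
    packet_type = types[(first >> 4) & 0x03]

    token = None
    if packet_type == "Initial":
        token_len, pos = read_varint(pkt, pos)
        token = pkt[pos:pos + token_len]
        if len(token) != token_len:
            raise ValueError("truncated token")
        pos += token_len
    payload_len = None
    if packet_type != "Retry":
        payload_len, pos = read_varint(pkt, pos)   # covers packet number + protected payload
    return LongHeader(version, packet_type, dcid, scid, token, payload_len)


# Sample 1: RFC 9001 A.2 client Initial header (v1, DCID 8394c8f03e515708, empty SCID,
# no token, Length 1182) followed by constructed dummy bytes in place of the real body.
SAMPLE_V1_INITIAL = bytes.fromhex("c300000001088394c8f03e5157080000449e") + b"\x00" * 20
# Sample 2 (constructed): v2 Initial, DCID 01020304, SCID aabb, no token, Length 16.
SAMPLE_V2_INITIAL = bytes.fromhex("d36b3343cf040102030402aabb004010") + b"\x00" * 16
# Sample 3 (constructed): Version Negotiation from a server offering v1 and v2.
SAMPLE_VERSION_NEG = bytes.fromhex("8000000000040102030400000000016b3343cf")

if __name__ == "__main__":
    for p in (SAMPLE_V1_INITIAL, SAMPLE_V2_INITIAL, SAMPLE_VERSION_NEG):
        print(parse_long_header(p))
```

Note that the same first byte names different packet types under v1 and v2: `0xc3` is an Initial in v1 but a Retry in v2, so a version-agnostic filter on the type bits misclassifies v2 handshakes. What this parser cannot give you is the server name. The Initial payload is encrypted, but its keys are derived (RFC 9001 section 5.2) from a version-specific salt and the client's DCID, both visible above, so a probe that adds an HKDF and AES-GCM step can decrypt the Initial and read the ClientHello SNI; Handshake and 1-RTT packets use keys from the TLS exchange and stay opaque. That asymmetry is what makes server-name labelling of QUIC flows possible while the application data remains protected.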