Search Results (44)

With the increasing sophistication of network attacks, machine learning (ML)-based methods have showcased promising performance in attack detection. However, ML-based methods often suffer from high false rates when tackling encrypted malicious traffic. To break through these bottlenecks, we propose EFTransformer, an encrypted flow transformer framework which inherits semantic perception and multi-scale feature fusion, can robustly and efficiently detect encrypted malicious traffic, and make up for the shortcomings of ML in the context of modeling ability and feature adequacy. EFTransformer introduces a channel-level extraction mechanism based on quintuples and a noise-aware clustering strategy to enhance the recognition ability of traffic patterns; adopts a dual-channel embedding method, using Word2Vec and FastText to capture global semantics and subword-level changes; and uses a Transformer-based classifier and attention pooling module to achieve dynamic feature-weighted fusion, thereby improving the robustness and accuracy of malicious traffic detection. Our systematic experiments on the ISCX2012 dataset demonstrate that EFTransformer achieves the best detection performance, with an accuracy of up to 95.26%, a false positive rate (FPR) of 6.19%, and a false negative rate (FNR) of only 5.85%. These results show that EFTransformer achieves high detection performance against encrypted malicious traffic. Full article

The development of Vehicle AD Hoc Networks (VANETs) has significantly enhanced the efficiency of intelligent transportation systems. Through real-time communication between vehicles and roadside units (RSUs), the immediate sharing of traffic information has been achieved. However, challenges such as network congestion, data privacy, and low computing efficiency still exist. Data privacy is at risk of leakage due to the sensitivity of vehicle information, especially in a resource-constrained vehicle environment, where computing efficiency becomes a bottleneck restricting the development of VANETs. To address these challenges, this paper proposes a certificateless aggregated signcryption scheme based on edge computing. This scheme integrates online/offline encryption (OOE) technology and a pseudonym mechanism. It not only solves the problem of key escrow, generating part of the private key through collaboration between the user and the Key Generation Center (KGC), but also uses pseudonyms to protect the real identities of the vehicle and RSU, effectively preventing privacy leakage. This scheme eliminates bilinear pairing operations, significantly improves efficiency, and supports conditional traceability and revocation of malicious vehicles while maintaining anonymity. The completeness analysis shows that under the assumptions of calculating the Diffie–Hellman (CDH) and elliptic curve discrete logarithm problem (ECDLP), this scheme can meet the requirements of IND-CCA2 confidentiality and EUF-CMA non-forgeability. The performance evaluation further confirmed that, compared with the existing schemes, this scheme performed well in both computing and communication costs and was highly suitable for the resource-constrained VANET environment. Full article

DNS over HTTPS (DoH) is an advanced version of the traditional DNS protocol that prevents eavesdropping and man-in-the-middle attacks by encrypting queries and responses. However, it introduces new challenges such as encrypted traffic communication, masking malicious activity, tunneling attacks, and complicating intrusion detection system (IDS) packet inspection. In contrast, unencrypted packets in the traditional Non-DoH version remain vulnerable to eavesdropping, privacy breaches, and spoofing. To address these challenges, an optimized dual-path feature selection approach is designed to select the most efficient packet features for binary class (DoH-Normal, DoH-Malicious) and multiclass (Non-DoH, DoH-Normal, DoH-Malicious) classification. Ant Colony Optimization (ACO) is integrated with machine learning algorithms such as XGBoost, K-Nearest Neighbors (KNN), Random Forest (RF), and Convolutional Neural Networks (CNNs) using CIRA-CIC-DoHBrw-2020 as the benchmark dataset. Experimental results show that the proposed model selects the most effective features for both scenarios, achieving the highest detection and outperforming previous studies in IDS. The highest accuracy obtained for binary and multiclass classifications was 0.9999 and 0.9955, respectively. The optimized feature set contributed significantly to reducing computational costs and processing time across all utilized classifiers. The results provide a robust, fast, and accurate solution to challenges associated with encrypted DNS packets. Full article

The identification and classification of network traffic are crucial for maintaining network security, optimizing network management, and ensuring reliable service quality. These functions help prevent malicious activities, such as network attacks and illegal intrusions, while supporting the efficient allocation of network resources and enhancing user experience. However, the widespread use of traffic encryption technology, while improving data transmission security, also obscures the content of traffic, making it challenging to accurately classify and identify encrypted traffic. This limitation hampers both network security maintenance and further improvements in service quality. Therefore, there is an urgent need to develop an efficient and accurate encryption traffic identification method. This study addresses three key challenges: First, existing methods fail to explore the potential relationship between flow load features and sequence features during feature extraction. Second, there is a need for approaches that can adapt to the diverse characteristics of different protocols, ensuring the accuracy and robustness of encrypted traffic identification. Third, traditional deep learning models need large amounts of labeled data, which are expensive to acquire. To overcome these challenges, we propose an encrypted traffic recognition method based on a CLSTM model (a combination of 2-conv CNN and BiLSTM) and Mean Teacher collaborative learning. This approach detects and integrates traffic load features with sequence features to improve the accuracy and robustness of encrypted traffic identification while reducing the model’s reliance on labeled data through the consistency constraint of unlabeled data using Mean Teacher. Experimental results demonstrate that the CLSTM-MT collaborative learning method outperforms traditional methods in encrypted traffic identification and classification, achieving superior performance even with limited labeled data, thus addressing the high cost of data labeling. Full article

The adoption of DNS over HTTPS (DoH) has significantly enhanced user privacy and security by encrypting DNS queries. However, it also presents new challenges for detecting malicious activities, such as DNS tunneling, within encrypted traffic. In this study, we propose MTL-DoHTA, a multi-task learning-based framework designed to analyze DoH traffic and classify it into three tasks: (1) DoH vs. non-DoH traffic, (2) benign vs. malicious DoH traffic, and (3) the identification of DNS tunneling tools (e.g., dns2tcp, dnscat2, iodine). Leveraging statistical features derived from network traffic and a 2D-CNN architecture enhanced with GradNorm and attention mechanisms, MTL-DoHTA achieves a macro-averaging F1-score of 0.9905 on the CIRA-CIC-DoHBrw-2020 dataset. Furthermore, the model effectively handles class imbalance and mitigates overfitting using downsampling techniques while maintaining high classification performance. The proposed framework can serve as a reliable tool for monitoring and securing sensor-based network systems against sophisticated threats, while also demonstrating its potential to enhance multi-tasking capabilities in resource-constrained sensor environments. Full article

Conventional supervised machine learning is widely used for intrusion detection without packet payload inspection, showing good accuracy in detecting known attacks. However, these methods require large labeled datasets, which are scarce due to privacy concerns, and struggle with generalizing to real-world traffic and adapting to domain shifts. Additionally, they are ineffective against zero-day attacks and need frequent retraining, making them difficult to maintain in dynamic network environments. To overcome the limitations of traditional machine learning methods, we propose novel Deterministic (DetMKTL) and Stochastic Multiple-Kernel Transfer Learning (StoMKTL) algorithms that are based on transfer learning. These algorithms leverage multiple kernel functions to capture complex, non-linear relationships in network traffic, enhancing adaptability and accuracy while reducing dependence on large labeled datasets. The proposed algorithms demonstrated good accuracy, particularly in cross-domain evaluations, achieving accuracy rates exceeding 90%. This highlights the robustness of the models in handling diverse network environments and varying data distributions. Moreover, our models exhibited superior performance in detecting multiple types of cyber attacks, including zero-day threats. Specifically, the detection rates reached up to 87% for known attacks and approximately 75% for unseen attacks or their variants. This emphasizes the ability of our algorithms to generalize well to novel and evolving threat scenarios, which are often overlooked by traditional systems. Additionally, the proposed algorithms performed effectively in encrypted traffic analysis, achieving an accuracy of 86%. This result demonstrates the possibility of our models to identify malicious activities within encrypted communications without compromising data privacy. Full article

With the development and widespread application of network information, new technologies led by 5G are emerging, resulting in an increasingly complex network security environment and more diverse attack methods. Unlike traditional networks, 5G networks feature higher connection density, faster data transmission speeds, and lower latency, which are widely applied in scenarios such as smart cities, the Internet of Things, and autonomous driving. The vast amounts of sensitive data generated by these applications become primary targets during the processes of collection and secure sharing, and unauthorized access or tampering could lead to severe data breaches and integrity issues. However, as 5G networks extensively employ encryption technologies to protect data transmission, attackers can hide malicious content within encrypted communication, rendering traditional content-based traffic detection methods ineffective for identifying malicious encrypted traffic. To address this challenge, this paper proposes a malicious encrypted traffic detection method based on reconstructive domain adaptation and adversarial hybrid neural networks. The proposed method integrates generative adversarial networks with ResNet, ResNeXt, and DenseNet to construct an adversarial hybrid neural network, aiming to tackle the challenges of encrypted traffic detection. On this basis, a reconstructive domain adaptation module is introduced to reduce the distribution discrepancy between the source domain and the target domain, thereby enhancing cross-domain detection capabilities. By preprocessing traffic data from public datasets, the proposed method is capable of extracting deep features from encrypted traffic without the need for decryption. The generator utilizes the adversarial hybrid neural network module to generate realistic malicious encrypted traffic samples, while the discriminator achieves sample classification through high-dimensional feature extraction. Additionally, the domain classifier within the reconstructive domain adaptation module further improves the model’s stability and generalization across different network environments and time periods. Experimental results demonstrate that the proposed method significantly improves the accuracy and efficiency of malicious encrypted traffic detection in 5G network environments, effectively enhancing the detection performance of malicious traffic in 5G networks. Full article

While encryption enhances data security, it also presents significant challenges for network traffic analysis, especially in detecting malicious activities. To tackle this challenge, this paper introduces combined Attention-aware Feature Fusion and Communication Graph Embedding Learning (AFF_CGE), an advanced representation learning framework designed for detecting encrypted malicious traffic. By leveraging an attention mechanism and graph neural networks, AFF_CGE extracts rich semantic information from encrypted traffic and captures complex relations between communicating nodes. Experimental results reveal that AFF_CGE substantially outperforms traditional methods, improving F1-scores by 5.3% through 22.8%. The framework achieves F1-scores ranging from 0.903 to 0.929 across various classifiers, exceeding the performance of state-of-the-art techniques. These results underscore the effectiveness and robustness of AFF_CGE in detecting encrypted malicious traffic, demonstrating its superior performance. Full article

The exponential growth of encrypted network traffic poses significant challenges for detecting malicious activities online. The scale of emerging malicious traffic is significantly smaller than that of normal traffic, and the imbalanced data distribution poses challenges for detection. However, most existing methods rely on single-category features for classification, which struggle to detect covert malicious traffic behaviors. In this paper, we introduce a novel semi-supervised approach to identify malicious traffic by leveraging multimodal traffic characteristics. By integrating the sequence and topological information inherent in the traffic, we achieve a multifaceted representation of encrypted traffic. We design two independent neural networks to learn the corresponding sequence and topological features from the traffic. This dual-feature extraction enhances the model’s robustness in detecting anomalies within encrypted traffic. The model is trained using a joint strategy that minimizes both the reconstruction error from the autoencoder and the classification loss, allowing it to effectively utilize limited labeled data alongside a large amount of unlabeled data. A confidence-estimation module enhances the classifier’s ability to detect unknown attacks. Finally, our method is evaluated on two benchmark datasets, UNSW-NB15 and CICIDS2017, under various scenarios, including different training set label ratios and the presence of unknown attacks. Our model outperforms other models by 3.49% and 5.69% in F1 score at labeling rates of 1% and 0.1%, respectively. Full article

The advent of 5G heralds unprecedented connectivity with high throughput and low latency for network users. Software-defined networking (SDN) plays a significant role in fulfilling these requirements. However, it poses substantial security challenges due to its inherent centralized management strategy. Moreover, SDN confronts limitations in handling malicious traffic under 5G’s extensive data flow. To deal with these issues, this paper presents a novel intrusion detection system (IDS) designed for 5G SDN networks, leveraging the advanced capabilities of binarized deep spiking capsule fire hawk neural networks (BSHNN) and blockchain technology, which operates across multiple layers. Initially, the lightweight encryption algorithm (LEA) is used at the data acquisition layer to authenticate mobile users via trusted third parties. Followed by optimal switch selection using the mud-ring algorithm in the switch layer, and the data flow rules are secured by employing blockchain technology incorporating searchable encryption algorithms within the blockchain plane. The domain controller layer utilizes binarized deep spiking capsule fire hawk neural network (BSHNN) for real-time data packet classification, while the smart controller layer uses enhanced adapting hidden attribute-weighted naive bayes (EAWNB) to identify suspicious packets during data transmission. The experimental results show that the proposed technique outperforms the state-of-the-art approaches in terms of accuracy (98.02%), precision (96.40%), detection rate (96.41%), authentication time (16.2 s), throughput, delay, and packet loss ratio. Full article

As industries develop and informatization accelerates, enterprise collaboration is increasing. However, current architectures face malicious attacks, data tampering, privacy issues, and security and efficiency problems in information exchange and enterprise credibility. Additionally, the complexity of cyber threats requires integrating intelligent security measures to proactively defend against sophisticated attacks. To address these challenges, this paper introduces an intelligent and secure cloud–edge collaborative industrial information encryption strategy based on credibility assessment. The proposed strategy incorporates adaptive encryption specifically designed for cloud–edge and edge–edge architectures and utilizes attribute encryption to control access to user-downloaded data, ensuring secure information exchange. A mechanism for assessing enterprise credibility over a defined period helps maintain a trusted collaborative environment, crucial for identifying and mitigating risks from potentially malicious or unreliable entities. Furthermore, integrating intelligent threat detection and response systems enhances overall security by continuously monitoring and analyzing network traffic for anomalies. Experimental analysis evaluates the security of communication paths and examines how enterprise integrity influences collaboration outcomes. Simulation results show that this approach enhances enterprise integrity, reduces losses caused by harmful actors, and promotes efficient collaboration without compromising security. This intelligent and secure strategy not only safeguards sensitive data but also ensures the resilience and trustworthiness of the collaborative network. Full article

Vehicular ad-hoc networks (VANETs) can significantly improve the level of urban traffic management. However, the sender unlinkability has become an intricate issue in the field of VANETs’ encryption. As the sender signcrypts a message, the receiver has to use the sender’s identity or public key to decrypt it. Consequently, the sender can be traced using the same identity or public key, which poses some security risks to the sender. To address this issue, we present an unlinkable and revocable signcryption scheme (URSCS), where an efficient and powerful signcryption mechanism is adopted for communication. The sender constructs a polynomial to generate a unique session key for each communication, which is then transmitted to a group of receivers, enabling the same secret message to be sent to multiple receivers. Each time a secret message is sent, a new key pair is generated, and an anonymization mechanism is introduced to conceal the true identity of the vehicle, thus preventing malicious attackers from tracing the sender through the public key or the real identity. With the introduction of the identification public key, this scheme supports either multiple receivers or a single receiver, where the receiver can be either road side units (RSUs) or vehicles. Additionally, a complete revocation mechanism is constructed with extremely low communication overhead, utilizing the Chinese remainder theorem (CRT). Formal and informal security analyses demonstrate that our URSCS scheme meets the expected security and privacy requirements of VANETs. The performance analysis shows that our URSCS scheme outperforms other represented schemes. Full article

With the continuously growing requirement for encryption in network environments, web browsers are increasingly employing hypertext transfer protocol security. Despite the increase in encrypted malicious network traffic, the encryption itself limits the data accessible for analyzing such behavior. To mitigate this, several studies have examined encrypted network traffic by analyzing metadata and payload bytes. Recent studies have furthered this approach, utilizing graph neural networks to analyze the structural data patterns within malicious encrypted traffic. This study proposed an enhanced encrypted traffic analysis leveraging graph neural networks which can model the symmetric or asymmetric spatial relations between nodes in the traffic network and optimized feature dimensionality reduction. It classified malicious network traffic by leveraging key features, including the IP address, port, CipherSuite, MessageLen, and JA3 features within the transport-layer-security session data, and then analyzed the correlation between normal and malicious network traffic data. The proposed approach outperformed previous models in terms of efficiency, using fewer features while maintaining a high accuracy rate of 99.5%. This demonstrates its research value as it can classify malicious network traffic with a high accuracy based on fewer features. Full article

The widespread use of encrypted traffic poses challenges to network management and network security. Traditional machine learning-based methods for encrypted traffic classification no longer meet the demands of management and security. The application of deep learning technology in encrypted traffic classification significantly improves the accuracy of models. This study focuses primarily on encrypted traffic classification in the fields of network analysis and network security. To address the shortcomings of existing deep learning-based encrypted traffic classification methods in terms of computational memory consumption and interpretability, we introduce a Parameter-Efficient Fine-Tuning method for efficiently tuning the parameters of an encrypted traffic classification model. Experimentation is conducted on various classification scenarios, including Tor traffic service classification and malicious traffic classification, using multiple public datasets. Fair comparisons are made with state-of-the-art deep learning model architectures. The results indicate that the proposed method significantly reduces the scale of fine-tuning parameters and computational resource usage while achieving performance comparable to that of the existing best models. Furthermore, we interpret the learning mechanism of encrypted traffic representation in the pre-training model by analyzing the parameters and structure of the model. This comparison validates the hypothesis that the model exhibits hierarchical structure, clear organization, and distinct features. Full article

The widespread use of UAVs in smart cities for tasks like traffic monitoring and environmental data collection creates significant privacy and security concerns due to the transmission of sensitive data. Traditional UAV-MEC systems with centralized data processing expose this data to risks like breaches and manipulation, potentially hindering the adoption of these valuable technologies. To address this critical challenge, we propose UBFL, a novel privacy-preserving federated learning mechanism that integrates blockchain technology for secure and efficient data sharing. Unlike traditional methods relying on differential privacy (DP), UBFL employs an adaptive nonlinear encryption function to safeguard the privacy of UAV model updates while maintaining data integrity and accuracy. This innovative approach enables rapid convergence, allowing the base station to efficiently identify and filter out severely compromised UAVs attempting to inject malicious data. Additionally, UBFL incorporates the Random Cut Forest (RCF) anomaly detection algorithm to actively identify and mitigate poisoning data attacks. Extensive comparative experiments on benchmark datasets CIFAR10 and Mnist demonstrably showcase UBFL’s effectiveness. Compared to DP-based methods, UBFL achieves accuracy (99.98%), precision (99.93%), recall (99.92%), and F-Score (99.92%) in privacy preservation while maintaining superior accuracy. Notably, under data pollution scenarios with varying attack sample rates (10%, 20%, and 30%), UBFL exhibits exceptional resilience, highlighting its robust capabilities in securing UAV gradients within MEC environments. Full article