Sign in to use this feature.

Years

Between: -

Subjects

remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline

Journals

Article Types

Countries / Regions

Search Results (51)

Search Parameters:
Keywords = encrypted malicious traffic

Order results
Result details
Results per page
Select all
Export citation of selected articles as:
36 pages, 5057 KB  
Article
IID-DAKD: An Incremental Intrusion Detection Method for Encrypted Traffic Based on Dual Augmentation and Fusion Knowledge Distillation
by Liangchen Chen, Deyin Fu, Shu Gao, Shuo Zhang and Baoxu Liu
Symmetry 2026, 18(5), 855; https://doi.org/10.3390/sym18050855 - 18 May 2026
Viewed by 244
Abstract
To address the pronounced degradation in detection accuracy of encrypted traffic intrusion models after incremental updates, which is primarily caused by catastrophic forgetting and task-level overfitting during incremental learning, this paper proposes a novel incremental intrusion detection method for encrypted traffic based on [...] Read more.
To address the pronounced degradation in detection accuracy of encrypted traffic intrusion models after incremental updates, which is primarily caused by catastrophic forgetting and task-level overfitting during incremental learning, this paper proposes a novel incremental intrusion detection method for encrypted traffic based on dual augmentation and fusion knowledge distillation, termed IID-DAKD. First, both known and previously unseen attacks identified during detection are leveraged to update a representative sample set. An encrypted traffic representative sample augmentation strategy based on Gaussian noise is then devised to reduce storage requirements and classifier bias, thereby effectively mitigating catastrophic forgetting. Second, a self-supervised learning framework driven by encrypted traffic class augmentation is constructed to alleviate representation bias and suppress task-level overfitting. Finally, three complementary knowledge distillation strategies are jointly employed to extract and transfer attack classification knowledge from the old model to the updated model, further improving detection accuracy and robustness while enhancing training efficiency. Extensive experimental results demonstrate that the proposed IID-DAKD approach alleviates catastrophic forgetting and task-level overfitting while maintaining symmetrical knowledge transfer during incremental learning, enabling efficient model updates and high detection accuracy for encrypted traffic intrusion detection. Full article
(This article belongs to the Section Computer)
Show Figures

Figure 1

28 pages, 1067 KB  
Article
A Lightweight Cascade-Based Farmework for Real-Time Zero-Day Attack Detection
by Alpamis Kutlimuratov, Furkat Rakhmatov, Jamshid Khamzaev, Islambek Saymanov, Piratdin Allayarov, Gamzatdin Bekbaev, Shavkat Otamurodov and Fazliddin Makhmudov
Computers 2026, 15(3), 174; https://doi.org/10.3390/computers15030174 - 8 Mar 2026
Cited by 1 | Viewed by 1113
Abstract
Zero-day intrusion detection is still a difficult task because of the difference between high laboratory precision and real-time deployability under strict operational constraints. This paper proposes a lightweight two-stage cascade architecture that is specifically designed for CPU-only environments and strict zero-day evaluation. The [...] Read more.
Zero-day intrusion detection is still a difficult task because of the difference between high laboratory precision and real-time deployability under strict operational constraints. This paper proposes a lightweight two-stage cascade architecture that is specifically designed for CPU-only environments and strict zero-day evaluation. The proposed architecture only uses statistical and flow-level metadata attributes, which are independent of payload analysis, to ensure compatibility with encrypted traffic. The first stage of the proposed architecture is precision oriented to detect potentially malicious traffic with a low decision threshold, and the second stage is precision oriented to enhance classification and remove false positives. To avoid optimistic bias, a strict attack-type separation protocol is employed, where testing attack types are strictly prohibited from training. The proposed method is tested on three benchmark datasets: CSIC 2012 (HTTP level), UNSW-NB15 (intra-domain), and CSE-CIC-IDS2018 (cross-domain). The experimental results show the excellent intra-domain zero-day detection capability (up to 94.81% accuracy with 0.50% FPR), controllable performance degradation in the cross-domain setting (80.53% accuracy with near-zero FPR), and extremely low FP rates on all datasets. The system provides microsecond-level inference latency (0.002–0.006 ms), a throughput of up to 470,000 requests per second, and memory usage below 6.2 MB without GPU support. These results confirm the significance of architectural optimization and thorough evaluation in building efficient zero-day detection systems. Full article
(This article belongs to the Special Issue Multimedia Data and Network Security)
Show Figures

Figure 1

28 pages, 922 KB  
Article
MAESTRO: A Multi-Scale Ensemble Framework with GAN-Based Data Refinement for Robust Malicious Tor Traffic Detection
by Jinbu Geng, Yu Xie, Jun Li, Xuewen Yu and Lei He
Mathematics 2026, 14(3), 551; https://doi.org/10.3390/math14030551 - 3 Feb 2026
Viewed by 880
Abstract
Malicious Tor traffic data contains deep domain-specific knowledge, which makes labeling challenging, and the lack of labeled data degrades the accuracy of learning-based detectors. Real-world deployments also exhibit severe class imbalance, where malicious traffic constitutes a small minority of network flows, which further [...] Read more.
Malicious Tor traffic data contains deep domain-specific knowledge, which makes labeling challenging, and the lack of labeled data degrades the accuracy of learning-based detectors. Real-world deployments also exhibit severe class imbalance, where malicious traffic constitutes a small minority of network flows, which further reduces detection performance. In addition, Tor’s fixed 512-byte cell architecture removes packet-size diversity that many encrypted-traffic methods rely on, making feature extraction difficult. This paper proposes an efficient three-stage framework, MAESTRO v1.0, for malicious Tor traffic detection. In Stage 1, MAESTRO extracts multi-scale behavioral signatures by fusing temporal, positional, and directional embeddings at cell, direction, and flow granularities to mitigate feature homogeneity; it then compresses these representations with an autoencoder into compact latent features. In Stage 2, MAESTRO introduces an ensemble-based quality quantification method that combines five complementary anomaly detection models to produce robust discriminability scores for adaptive sample weighting, helping the classifier to emphasize high-quality samples. MAESTRO also trains three specialized GANs per minority class and applies strict five-model ensemble validation to synthesize diverse high-fidelity samples, addressing extreme class imbalance. We evaluate MAESTRO under systematic imbalance settings, ranging from the natural distribution to an extreme 1% malicious ratio. On the CCS’22 Tor malware dataset, MAESTRO achieves 92.38% accuracy, 64.79% recall, and 73.70% F1-score under the natural distribution, improving F1-score by up to 15.53% compared with state-of-the-art baselines. Under the 1% malicious setting, MAESTRO maintains 21.1% recall, which is 14.1 percentage points higher than the best baseline, while conventional methods drop below 10%. Full article
(This article belongs to the Special Issue New Advances in Network Security and Data Privacy)
Show Figures

Figure 1

19 pages, 2692 KB  
Article
A Hybrid Deep Learning Model Based on Spatio-Temporal Feature Mining for Traffic Analysis in Industrial Internet Gateway
by Danpei Li, Pinglai He, Jiayi Li, Panfeng Xu, Yan Song and Xiaoping Bai
Symmetry 2026, 18(2), 245; https://doi.org/10.3390/sym18020245 - 30 Jan 2026
Viewed by 991
Abstract
As the scale of the Industrial Internet continues to expand, the number of network connections and data traffic are experiencing explosive growth. Security threats and attack types targeting the Industrial Internet are becoming increasingly complex, rendering traditional firewalls and encryption/decryption technologies inadequate for [...] Read more.
As the scale of the Industrial Internet continues to expand, the number of network connections and data traffic are experiencing explosive growth. Security threats and attack types targeting the Industrial Internet are becoming increasingly complex, rendering traditional firewalls and encryption/decryption technologies inadequate for addressing diverse and sophisticated attack scenarios. Furthermore, traffic characteristics within the Industrial Internet environment exhibit significant asymmetry, such as a highly imbalanced distribution between benign and malicious traffic. To address this challenge, this paper proposes CBiNet—a hybrid deep learning model that integrates a one-dimensional convolutional neural network (1D-CNN) with a bidirectional long short-term memory network (BiLSTM). Designed to effectively learn and leverage such asymmetric spatio-temporal patterns, experimental validation demonstrates that the CBiNet model can efficiently tackle complex traffic identification tasks in industrial internet environments. It provides a highly accurate, scalable intrusion detection method for securing industrial internet gateways. Full article
(This article belongs to the Section Computer)
Show Figures

Figure 1

25 pages, 1862 KB  
Article
A Novel Architecture for Mitigating Botnet Threats in AI-Powered IoT Environments
by Vasileios A. Memos, Christos L. Stergiou, Alexandros I. Bermperis, Andreas P. Plageras and Konstantinos E. Psannis
Sensors 2026, 26(2), 572; https://doi.org/10.3390/s26020572 - 14 Jan 2026
Cited by 2 | Viewed by 1807
Abstract
The rapid growth of Artificial Intelligence of Things (AIoT) environments in various sectors has introduced major security challenges, as these smart devices can be exploited by malicious users to form Botnets of Things (BoT). Limited computational resources and weak encryption mechanisms in such [...] Read more.
The rapid growth of Artificial Intelligence of Things (AIoT) environments in various sectors has introduced major security challenges, as these smart devices can be exploited by malicious users to form Botnets of Things (BoT). Limited computational resources and weak encryption mechanisms in such devices make them attractive targets for attacks like Distributed Denial of Service (DDoS), Man-in-the-Middle (MitM), and malware distribution. In this paper, we propose a novel multi-layered architecture to mitigate BoT threats in AIoT environments. The system leverages edge traffic inspection, sandboxing, and machine learning techniques to analyze, detect, and prevent suspicious behavior, while uses centralized monitoring and response automation to ensure rapid mitigation. Experimental results demonstrate the necessity and superiority over or parallel to existing models, providing an early detection of botnet activity, reduced false positives, improved forensic capabilities, and scalable protection for large-scale AIoT areas. Overall, this solution delivers a comprehensive, resilient, and proactive framework to protect AIoT assets from evolving cyber threats. Full article
(This article belongs to the Special Issue Internet of Things Cybersecurity)
Show Figures

Figure 1

29 pages, 6368 KB  
Article
CNNRes-DIndRNN: A New Method for Detecting TLS-Encrypted Malicious Traffic
by Jinsha Zhang, Xiaoying Wang, Chunhui Li, Qingjie Zhang, Guoqing Yang, Xinyu Li, Fangfang Cui, Ruize Gu, Panpan Qi and Shuai Liu
Future Internet 2026, 18(1), 8; https://doi.org/10.3390/fi18010008 - 24 Dec 2025
Cited by 1 | Viewed by 1859
Abstract
While ensuring the accuracy of encrypted malicious traffic detection, improving model training speed remains a challenge. In order to solve this challenge, we propose CNNRes-DIndRNN for detecting encrypted malicious traffic classification. This model uses 1D-CNN to capture local feature relationships between data and [...] Read more.
While ensuring the accuracy of encrypted malicious traffic detection, improving model training speed remains a challenge. In order to solve this challenge, we propose CNNRes-DIndRNN for detecting encrypted malicious traffic classification. This model uses 1D-CNN to capture local feature relationships between data and IndRNN to capture their global dependency relationships. This method uses Zeek (version 7.0.0) to filter TLS datasets and NetTiSA to build time-series features that help models identify malicious behaviors. Combine time-series and encrypted features, then encode them with XLNet to improve model learning ability and speed training. In the final step, the encoded data is fed into CNNRes-DIndRNN. The results on five datasets including CTU-13 and MCFP showed that CNNRes-DIndRNN achieved 99.81% accuracy in binary classification and 99.67% in multi-class classification. These results represent improvements of 0.50–7.78% (binary) and 0.93–12.26% (multi-class) over all baseline methods. In performance comparisons, CNNRes-DIndRNN achieved the fastest training and testing times. It achieves the best comprehensive performance while maintaining high recognition accuracy. Full article
(This article belongs to the Section Cybersecurity)
Show Figures

Figure 1

20 pages, 1741 KB  
Article
GCN-MHA Method for Encrypted Malicious Traffic Detection and Classification
by Yanan Liu, Suhao Wang, Zheng Zhang, Tianhao Hou, Jipeng Shen, Pengfei Wang, Shuo Qiu and Lejun Ma
Electronics 2025, 14(23), 4627; https://doi.org/10.3390/electronics14234627 - 25 Nov 2025
Viewed by 1057
Abstract
Modern network attacks are becoming stealthier and smarter. Attackers use encryption to cover up malicious traffic, which makes it really hard to detect. To solve this problem, this paper introduces a new model called Graph Convolutional Network with Multi-Head Attention (GCN-MHA). The goal [...] Read more.
Modern network attacks are becoming stealthier and smarter. Attackers use encryption to cover up malicious traffic, which makes it really hard to detect. To solve this problem, this paper introduces a new model called Graph Convolutional Network with Multi-Head Attention (GCN-MHA). The goal of this model is to improve how we find and sort encrypted malicious traffic. First, we turn network traffic into a “graph”—this helps capture its structural and time-related features. Then, our GCN-MHA framework uses graph convolutional layers to learn spatial information. A multi-head attention mechanism helps it focus on the most important features. When tested on the ISCX-VPN2016 dataset, the model achieved an overall high accuracy of 98.79% and a recall rate of 99.24% under six categories of malicious traffic. We also performed cross-validation on two other datasets: USTC-TFC2016 and CIC-Darknet2020. These tests showed that the model has strong generalization ability on different data. Full article
Show Figures

Figure 1

24 pages, 1991 KB  
Article
A Multi-Feature Semantic Fusion Machine Learning Architecture for Detecting Encrypted Malicious Traffic
by Shiyu Tang, Fei Du, Zulong Diao and Wenjun Fan
J. Cybersecur. Priv. 2025, 5(3), 47; https://doi.org/10.3390/jcp5030047 - 17 Jul 2025
Cited by 3 | Viewed by 3199
Abstract
With the increasing sophistication of network attacks, machine learning (ML)-based methods have showcased promising performance in attack detection. However, ML-based methods often suffer from high false rates when tackling encrypted malicious traffic. To break through these bottlenecks, we propose EFTransformer, an encrypted flow [...] Read more.
With the increasing sophistication of network attacks, machine learning (ML)-based methods have showcased promising performance in attack detection. However, ML-based methods often suffer from high false rates when tackling encrypted malicious traffic. To break through these bottlenecks, we propose EFTransformer, an encrypted flow transformer framework which inherits semantic perception and multi-scale feature fusion, can robustly and efficiently detect encrypted malicious traffic, and make up for the shortcomings of ML in the context of modeling ability and feature adequacy. EFTransformer introduces a channel-level extraction mechanism based on quintuples and a noise-aware clustering strategy to enhance the recognition ability of traffic patterns; adopts a dual-channel embedding method, using Word2Vec and FastText to capture global semantics and subword-level changes; and uses a Transformer-based classifier and attention pooling module to achieve dynamic feature-weighted fusion, thereby improving the robustness and accuracy of malicious traffic detection. Our systematic experiments on the ISCX2012 dataset demonstrate that EFTransformer achieves the best detection performance, with an accuracy of up to 95.26%, a false positive rate (FPR) of 6.19%, and a false negative rate (FNR) of only 5.85%. These results show that EFTransformer achieves high detection performance against encrypted malicious traffic. Full article
(This article belongs to the Section Security Engineering & Applications)
Show Figures

Figure 1

21 pages, 1847 KB  
Article
A Certificateless Aggregated Signcryption Scheme Based on Edge Computing in VANETs
by Wenfeng Zou, Qiang Guo and Xiaolan Xie
Electronics 2025, 14(10), 1993; https://doi.org/10.3390/electronics14101993 - 14 May 2025
Cited by 3 | Viewed by 1415
Abstract
The development of Vehicle AD Hoc Networks (VANETs) has significantly enhanced the efficiency of intelligent transportation systems. Through real-time communication between vehicles and roadside units (RSUs), the immediate sharing of traffic information has been achieved. However, challenges such as network congestion, data privacy, [...] Read more.
The development of Vehicle AD Hoc Networks (VANETs) has significantly enhanced the efficiency of intelligent transportation systems. Through real-time communication between vehicles and roadside units (RSUs), the immediate sharing of traffic information has been achieved. However, challenges such as network congestion, data privacy, and low computing efficiency still exist. Data privacy is at risk of leakage due to the sensitivity of vehicle information, especially in a resource-constrained vehicle environment, where computing efficiency becomes a bottleneck restricting the development of VANETs. To address these challenges, this paper proposes a certificateless aggregated signcryption scheme based on edge computing. This scheme integrates online/offline encryption (OOE) technology and a pseudonym mechanism. It not only solves the problem of key escrow, generating part of the private key through collaboration between the user and the Key Generation Center (KGC), but also uses pseudonyms to protect the real identities of the vehicle and RSU, effectively preventing privacy leakage. This scheme eliminates bilinear pairing operations, significantly improves efficiency, and supports conditional traceability and revocation of malicious vehicles while maintaining anonymity. The completeness analysis shows that under the assumptions of calculating the Diffie–Hellman (CDH) and elliptic curve discrete logarithm problem (ECDLP), this scheme can meet the requirements of IND-CCA2 confidentiality and EUF-CMA non-forgeability. The performance evaluation further confirmed that, compared with the existing schemes, this scheme performed well in both computing and communication costs and was highly suitable for the resource-constrained VANET environment. Full article
(This article belongs to the Special Issue Unmanned Aerial Vehicles (UAVs) Communication and Networking)
Show Figures

Figure 1

27 pages, 9653 KB  
Article
DNS over HTTPS Tunneling Detection System Based on Selected Features via Ant Colony Optimization
by Hardi Sabah Talabani, Zrar Khalid Abdul and Hardi Mohammed Mohammed Saleh
Future Internet 2025, 17(5), 211; https://doi.org/10.3390/fi17050211 - 7 May 2025
Cited by 6 | Viewed by 4287
Abstract
DNS over HTTPS (DoH) is an advanced version of the traditional DNS protocol that prevents eavesdropping and man-in-the-middle attacks by encrypting queries and responses. However, it introduces new challenges such as encrypted traffic communication, masking malicious activity, tunneling attacks, and complicating intrusion detection [...] Read more.
DNS over HTTPS (DoH) is an advanced version of the traditional DNS protocol that prevents eavesdropping and man-in-the-middle attacks by encrypting queries and responses. However, it introduces new challenges such as encrypted traffic communication, masking malicious activity, tunneling attacks, and complicating intrusion detection system (IDS) packet inspection. In contrast, unencrypted packets in the traditional Non-DoH version remain vulnerable to eavesdropping, privacy breaches, and spoofing. To address these challenges, an optimized dual-path feature selection approach is designed to select the most efficient packet features for binary class (DoH-Normal, DoH-Malicious) and multiclass (Non-DoH, DoH-Normal, DoH-Malicious) classification. Ant Colony Optimization (ACO) is integrated with machine learning algorithms such as XGBoost, K-Nearest Neighbors (KNN), Random Forest (RF), and Convolutional Neural Networks (CNNs) using CIRA-CIC-DoHBrw-2020 as the benchmark dataset. Experimental results show that the proposed model selects the most effective features for both scenarios, achieving the highest detection and outperforming previous studies in IDS. The highest accuracy obtained for binary and multiclass classifications was 0.9999 and 0.9955, respectively. The optimized feature set contributed significantly to reducing computational costs and processing time across all utilized classifiers. The results provide a robust, fast, and accurate solution to challenges associated with encrypted DNS packets. Full article
Show Figures

Figure 1

19 pages, 2393 KB  
Article
CLSTM-MT (a Combination of 2-Conv CNN and BiLSTM Under the Mean Teacher Collaborative Learning Framework): Encryption Traffic Classification Based on CLSTM (a Combination of 2-Conv CNN and BiLSTM) and Mean Teacher Collaborative Learning
by Xiaozong Qiu, Guohua Yan and Lihua Yin
Appl. Sci. 2025, 15(9), 5089; https://doi.org/10.3390/app15095089 - 3 May 2025
Cited by 1 | Viewed by 1366
Abstract
The identification and classification of network traffic are crucial for maintaining network security, optimizing network management, and ensuring reliable service quality. These functions help prevent malicious activities, such as network attacks and illegal intrusions, while supporting the efficient allocation of network resources and [...] Read more.
The identification and classification of network traffic are crucial for maintaining network security, optimizing network management, and ensuring reliable service quality. These functions help prevent malicious activities, such as network attacks and illegal intrusions, while supporting the efficient allocation of network resources and enhancing user experience. However, the widespread use of traffic encryption technology, while improving data transmission security, also obscures the content of traffic, making it challenging to accurately classify and identify encrypted traffic. This limitation hampers both network security maintenance and further improvements in service quality. Therefore, there is an urgent need to develop an efficient and accurate encryption traffic identification method. This study addresses three key challenges: First, existing methods fail to explore the potential relationship between flow load features and sequence features during feature extraction. Second, there is a need for approaches that can adapt to the diverse characteristics of different protocols, ensuring the accuracy and robustness of encrypted traffic identification. Third, traditional deep learning models need large amounts of labeled data, which are expensive to acquire. To overcome these challenges, we propose an encrypted traffic recognition method based on a CLSTM model (a combination of 2-conv CNN and BiLSTM) and Mean Teacher collaborative learning. This approach detects and integrates traffic load features with sequence features to improve the accuracy and robustness of encrypted traffic identification while reducing the model’s reliance on labeled data through the consistency constraint of unlabeled data using Mean Teacher. Experimental results demonstrate that the CLSTM-MT collaborative learning method outperforms traditional methods in encrypted traffic identification and classification, achieving superior performance even with limited labeled data, thus addressing the high cost of data labeling. Full article
Show Figures

Figure 1

18 pages, 563 KB  
Article
MTL-DoHTA: Multi-Task Learning-Based DNS over HTTPS Traffic Analysis for Enhanced Network Security
by Woong Kyo Jung and Byung Il Kwak
Sensors 2025, 25(4), 993; https://doi.org/10.3390/s25040993 - 7 Feb 2025
Cited by 10 | Viewed by 3200
Abstract
The adoption of DNS over HTTPS (DoH) has significantly enhanced user privacy and security by encrypting DNS queries. However, it also presents new challenges for detecting malicious activities, such as DNS tunneling, within encrypted traffic. In this study, we propose MTL-DoHTA, a multi-task [...] Read more.
The adoption of DNS over HTTPS (DoH) has significantly enhanced user privacy and security by encrypting DNS queries. However, it also presents new challenges for detecting malicious activities, such as DNS tunneling, within encrypted traffic. In this study, we propose MTL-DoHTA, a multi-task learning-based framework designed to analyze DoH traffic and classify it into three tasks: (1) DoH vs. non-DoH traffic, (2) benign vs. malicious DoH traffic, and (3) the identification of DNS tunneling tools (e.g., dns2tcp, dnscat2, iodine). Leveraging statistical features derived from network traffic and a 2D-CNN architecture enhanced with GradNorm and attention mechanisms, MTL-DoHTA achieves a macro-averaging F1-score of 0.9905 on the CIRA-CIC-DoHBrw-2020 dataset. Furthermore, the model effectively handles class imbalance and mitigates overfitting using downsampling techniques while maintaining high classification performance. The proposed framework can serve as a reliable tool for monitoring and securing sensor-based network systems against sophisticated threats, while also demonstrating its potential to enhance multi-tasking capabilities in resource-constrained sensor environments. Full article
Show Figures

Figure 1

25 pages, 2222 KB  
Article
Multiple Kernel Transfer Learning for Enhancing Network Intrusion Detection in Encrypted and Heterogeneous Network Environments
by Abdelfattah Amamra and Vincent Terrelonge
Electronics 2025, 14(1), 80; https://doi.org/10.3390/electronics14010080 - 27 Dec 2024
Cited by 7 | Viewed by 2451
Abstract
Conventional supervised machine learning is widely used for intrusion detection without packet payload inspection, showing good accuracy in detecting known attacks. However, these methods require large labeled datasets, which are scarce due to privacy concerns, and struggle with generalizing to real-world traffic and [...] Read more.
Conventional supervised machine learning is widely used for intrusion detection without packet payload inspection, showing good accuracy in detecting known attacks. However, these methods require large labeled datasets, which are scarce due to privacy concerns, and struggle with generalizing to real-world traffic and adapting to domain shifts. Additionally, they are ineffective against zero-day attacks and need frequent retraining, making them difficult to maintain in dynamic network environments. To overcome the limitations of traditional machine learning methods, we propose novel Deterministic (DetMKTL) and Stochastic Multiple-Kernel Transfer Learning (StoMKTL) algorithms that are based on transfer learning. These algorithms leverage multiple kernel functions to capture complex, non-linear relationships in network traffic, enhancing adaptability and accuracy while reducing dependence on large labeled datasets. The proposed algorithms demonstrated good accuracy, particularly in cross-domain evaluations, achieving accuracy rates exceeding 90%. This highlights the robustness of the models in handling diverse network environments and varying data distributions. Moreover, our models exhibited superior performance in detecting multiple types of cyber attacks, including zero-day threats. Specifically, the detection rates reached up to 87% for known attacks and approximately 75% for unseen attacks or their variants. This emphasizes the ability of our algorithms to generalize well to novel and evolving threat scenarios, which are often overlooked by traditional systems. Additionally, the proposed algorithms performed effectively in encrypted traffic analysis, achieving an accuracy of 86%. This result demonstrates the possibility of our models to identify malicious activities within encrypted communications without compromising data privacy. Full article
(This article belongs to the Special Issue Machine Learning in Data Analytics and Prediction)
Show Figures

Figure 1

24 pages, 4109 KB  
Article
AI-Based Malicious Encrypted Traffic Detection in 5G Data Collection and Secure Sharing
by Gang Han, Haohe Zhang, Zhongliang Zhang, Yan Ma and Tiantian Yang
Electronics 2025, 14(1), 51; https://doi.org/10.3390/electronics14010051 - 26 Dec 2024
Cited by 6 | Viewed by 3028
Abstract
With the development and widespread application of network information, new technologies led by 5G are emerging, resulting in an increasingly complex network security environment and more diverse attack methods. Unlike traditional networks, 5G networks feature higher connection density, faster data transmission speeds, and [...] Read more.
With the development and widespread application of network information, new technologies led by 5G are emerging, resulting in an increasingly complex network security environment and more diverse attack methods. Unlike traditional networks, 5G networks feature higher connection density, faster data transmission speeds, and lower latency, which are widely applied in scenarios such as smart cities, the Internet of Things, and autonomous driving. The vast amounts of sensitive data generated by these applications become primary targets during the processes of collection and secure sharing, and unauthorized access or tampering could lead to severe data breaches and integrity issues. However, as 5G networks extensively employ encryption technologies to protect data transmission, attackers can hide malicious content within encrypted communication, rendering traditional content-based traffic detection methods ineffective for identifying malicious encrypted traffic. To address this challenge, this paper proposes a malicious encrypted traffic detection method based on reconstructive domain adaptation and adversarial hybrid neural networks. The proposed method integrates generative adversarial networks with ResNet, ResNeXt, and DenseNet to construct an adversarial hybrid neural network, aiming to tackle the challenges of encrypted traffic detection. On this basis, a reconstructive domain adaptation module is introduced to reduce the distribution discrepancy between the source domain and the target domain, thereby enhancing cross-domain detection capabilities. By preprocessing traffic data from public datasets, the proposed method is capable of extracting deep features from encrypted traffic without the need for decryption. The generator utilizes the adversarial hybrid neural network module to generate realistic malicious encrypted traffic samples, while the discriminator achieves sample classification through high-dimensional feature extraction. Additionally, the domain classifier within the reconstructive domain adaptation module further improves the model’s stability and generalization across different network environments and time periods. Experimental results demonstrate that the proposed method significantly improves the accuracy and efficiency of malicious encrypted traffic detection in 5G network environments, effectively enhancing the detection performance of malicious traffic in 5G networks. Full article
(This article belongs to the Special Issue Novel Methods Applied to Security and Privacy Problems, Volume II)
Show Figures

Figure 1

24 pages, 1270 KB  
Article
AFF_CGE: Combined Attention-Aware Feature Fusion and Communication Graph Embedding Learning for Detecting Encrypted Malicious Traffic
by Junhao Liu, Guolin Shao, Hong Rao, Xiangjun Li and Xuan Huang
Appl. Sci. 2024, 14(22), 10366; https://doi.org/10.3390/app142210366 - 11 Nov 2024
Viewed by 2202
Abstract
While encryption enhances data security, it also presents significant challenges for network traffic analysis, especially in detecting malicious activities. To tackle this challenge, this paper introduces combined Attention-aware Feature Fusion and Communication Graph Embedding Learning (AFF_CGE), an advanced representation learning framework designed for [...] Read more.
While encryption enhances data security, it also presents significant challenges for network traffic analysis, especially in detecting malicious activities. To tackle this challenge, this paper introduces combined Attention-aware Feature Fusion and Communication Graph Embedding Learning (AFF_CGE), an advanced representation learning framework designed for detecting encrypted malicious traffic. By leveraging an attention mechanism and graph neural networks, AFF_CGE extracts rich semantic information from encrypted traffic and captures complex relations between communicating nodes. Experimental results reveal that AFF_CGE substantially outperforms traditional methods, improving F1-scores by 5.3% through 22.8%. The framework achieves F1-scores ranging from 0.903 to 0.929 across various classifiers, exceeding the performance of state-of-the-art techniques. These results underscore the effectiveness and robustness of AFF_CGE in detecting encrypted malicious traffic, demonstrating its superior performance. Full article
(This article belongs to the Section Computing and Artificial Intelligence)
Show Figures

Figure 1

Back to TopTop