Search Results (13)

DNS over HTTPS (DoH) is an advanced version of the traditional DNS protocol that prevents eavesdropping and man-in-the-middle attacks by encrypting queries and responses. However, it introduces new challenges such as encrypted traffic communication, masking malicious activity, tunneling attacks, and complicating intrusion detection system (IDS) packet inspection. In contrast, unencrypted packets in the traditional Non-DoH version remain vulnerable to eavesdropping, privacy breaches, and spoofing. To address these challenges, an optimized dual-path feature selection approach is designed to select the most efficient packet features for binary class (DoH-Normal, DoH-Malicious) and multiclass (Non-DoH, DoH-Normal, DoH-Malicious) classification. Ant Colony Optimization (ACO) is integrated with machine learning algorithms such as XGBoost, K-Nearest Neighbors (KNN), Random Forest (RF), and Convolutional Neural Networks (CNNs) using CIRA-CIC-DoHBrw-2020 as the benchmark dataset. Experimental results show that the proposed model selects the most effective features for both scenarios, achieving the highest detection and outperforming previous studies in IDS. The highest accuracy obtained for binary and multiclass classifications was 0.9999 and 0.9955, respectively. The optimized feature set contributed significantly to reducing computational costs and processing time across all utilized classifiers. The results provide a robust, fast, and accurate solution to challenges associated with encrypted DNS packets. Full article

The identification and classification of network traffic are crucial for maintaining network security, optimizing network management, and ensuring reliable service quality. These functions help prevent malicious activities, such as network attacks and illegal intrusions, while supporting the efficient allocation of network resources and enhancing user experience. However, the widespread use of traffic encryption technology, while improving data transmission security, also obscures the content of traffic, making it challenging to accurately classify and identify encrypted traffic. This limitation hampers both network security maintenance and further improvements in service quality. Therefore, there is an urgent need to develop an efficient and accurate encryption traffic identification method. This study addresses three key challenges: First, existing methods fail to explore the potential relationship between flow load features and sequence features during feature extraction. Second, there is a need for approaches that can adapt to the diverse characteristics of different protocols, ensuring the accuracy and robustness of encrypted traffic identification. Third, traditional deep learning models need large amounts of labeled data, which are expensive to acquire. To overcome these challenges, we propose an encrypted traffic recognition method based on a CLSTM model (a combination of 2-conv CNN and BiLSTM) and Mean Teacher collaborative learning. This approach detects and integrates traffic load features with sequence features to improve the accuracy and robustness of encrypted traffic identification while reducing the model’s reliance on labeled data through the consistency constraint of unlabeled data using Mean Teacher. Experimental results demonstrate that the CLSTM-MT collaborative learning method outperforms traditional methods in encrypted traffic identification and classification, achieving superior performance even with limited labeled data, thus addressing the high cost of data labeling. Full article

The adoption of DNS over HTTPS (DoH) has significantly enhanced user privacy and security by encrypting DNS queries. However, it also presents new challenges for detecting malicious activities, such as DNS tunneling, within encrypted traffic. In this study, we propose MTL-DoHTA, a multi-task learning-based framework designed to analyze DoH traffic and classify it into three tasks: (1) DoH vs. non-DoH traffic, (2) benign vs. malicious DoH traffic, and (3) the identification of DNS tunneling tools (e.g., dns2tcp, dnscat2, iodine). Leveraging statistical features derived from network traffic and a 2D-CNN architecture enhanced with GradNorm and attention mechanisms, MTL-DoHTA achieves a macro-averaging F1-score of 0.9905 on the CIRA-CIC-DoHBrw-2020 dataset. Furthermore, the model effectively handles class imbalance and mitigates overfitting using downsampling techniques while maintaining high classification performance. The proposed framework can serve as a reliable tool for monitoring and securing sensor-based network systems against sophisticated threats, while also demonstrating its potential to enhance multi-tasking capabilities in resource-constrained sensor environments. Full article

With the development and widespread application of network information, new technologies led by 5G are emerging, resulting in an increasingly complex network security environment and more diverse attack methods. Unlike traditional networks, 5G networks feature higher connection density, faster data transmission speeds, and lower latency, which are widely applied in scenarios such as smart cities, the Internet of Things, and autonomous driving. The vast amounts of sensitive data generated by these applications become primary targets during the processes of collection and secure sharing, and unauthorized access or tampering could lead to severe data breaches and integrity issues. However, as 5G networks extensively employ encryption technologies to protect data transmission, attackers can hide malicious content within encrypted communication, rendering traditional content-based traffic detection methods ineffective for identifying malicious encrypted traffic. To address this challenge, this paper proposes a malicious encrypted traffic detection method based on reconstructive domain adaptation and adversarial hybrid neural networks. The proposed method integrates generative adversarial networks with ResNet, ResNeXt, and DenseNet to construct an adversarial hybrid neural network, aiming to tackle the challenges of encrypted traffic detection. On this basis, a reconstructive domain adaptation module is introduced to reduce the distribution discrepancy between the source domain and the target domain, thereby enhancing cross-domain detection capabilities. By preprocessing traffic data from public datasets, the proposed method is capable of extracting deep features from encrypted traffic without the need for decryption. The generator utilizes the adversarial hybrid neural network module to generate realistic malicious encrypted traffic samples, while the discriminator achieves sample classification through high-dimensional feature extraction. Additionally, the domain classifier within the reconstructive domain adaptation module further improves the model’s stability and generalization across different network environments and time periods. Experimental results demonstrate that the proposed method significantly improves the accuracy and efficiency of malicious encrypted traffic detection in 5G network environments, effectively enhancing the detection performance of malicious traffic in 5G networks. Full article

The exponential growth of encrypted network traffic poses significant challenges for detecting malicious activities online. The scale of emerging malicious traffic is significantly smaller than that of normal traffic, and the imbalanced data distribution poses challenges for detection. However, most existing methods rely on single-category features for classification, which struggle to detect covert malicious traffic behaviors. In this paper, we introduce a novel semi-supervised approach to identify malicious traffic by leveraging multimodal traffic characteristics. By integrating the sequence and topological information inherent in the traffic, we achieve a multifaceted representation of encrypted traffic. We design two independent neural networks to learn the corresponding sequence and topological features from the traffic. This dual-feature extraction enhances the model’s robustness in detecting anomalies within encrypted traffic. The model is trained using a joint strategy that minimizes both the reconstruction error from the autoencoder and the classification loss, allowing it to effectively utilize limited labeled data alongside a large amount of unlabeled data. A confidence-estimation module enhances the classifier’s ability to detect unknown attacks. Finally, our method is evaluated on two benchmark datasets, UNSW-NB15 and CICIDS2017, under various scenarios, including different training set label ratios and the presence of unknown attacks. Our model outperforms other models by 3.49% and 5.69% in F1 score at labeling rates of 1% and 0.1%, respectively. Full article

The advent of 5G heralds unprecedented connectivity with high throughput and low latency for network users. Software-defined networking (SDN) plays a significant role in fulfilling these requirements. However, it poses substantial security challenges due to its inherent centralized management strategy. Moreover, SDN confronts limitations in handling malicious traffic under 5G’s extensive data flow. To deal with these issues, this paper presents a novel intrusion detection system (IDS) designed for 5G SDN networks, leveraging the advanced capabilities of binarized deep spiking capsule fire hawk neural networks (BSHNN) and blockchain technology, which operates across multiple layers. Initially, the lightweight encryption algorithm (LEA) is used at the data acquisition layer to authenticate mobile users via trusted third parties. Followed by optimal switch selection using the mud-ring algorithm in the switch layer, and the data flow rules are secured by employing blockchain technology incorporating searchable encryption algorithms within the blockchain plane. The domain controller layer utilizes binarized deep spiking capsule fire hawk neural network (BSHNN) for real-time data packet classification, while the smart controller layer uses enhanced adapting hidden attribute-weighted naive bayes (EAWNB) to identify suspicious packets during data transmission. The experimental results show that the proposed technique outperforms the state-of-the-art approaches in terms of accuracy (98.02%), precision (96.40%), detection rate (96.41%), authentication time (16.2 s), throughput, delay, and packet loss ratio. Full article

The widespread use of encrypted traffic poses challenges to network management and network security. Traditional machine learning-based methods for encrypted traffic classification no longer meet the demands of management and security. The application of deep learning technology in encrypted traffic classification significantly improves the accuracy of models. This study focuses primarily on encrypted traffic classification in the fields of network analysis and network security. To address the shortcomings of existing deep learning-based encrypted traffic classification methods in terms of computational memory consumption and interpretability, we introduce a Parameter-Efficient Fine-Tuning method for efficiently tuning the parameters of an encrypted traffic classification model. Experimentation is conducted on various classification scenarios, including Tor traffic service classification and malicious traffic classification, using multiple public datasets. Fair comparisons are made with state-of-the-art deep learning model architectures. The results indicate that the proposed method significantly reduces the scale of fine-tuning parameters and computational resource usage while achieving performance comparable to that of the existing best models. Furthermore, we interpret the learning mechanism of encrypted traffic representation in the pre-training model by analyzing the parameters and structure of the model. This comparison validates the hypothesis that the model exhibits hierarchical structure, clear organization, and distinct features. Full article

In today’s digitalized era, the usage of Android devices is being extensively witnessed in various sectors. Cybercriminals inevitably adapt to new security technologies and utilize these platforms to exploit vulnerabilities for nefarious purposes, such as stealing users’ sensitive and personal data. This may result in financial losses, discredit, ransomware, or the spreading of infectious malware and other catastrophic cyber-attacks. Due to the fact that ransomware encrypts user data and requests a ransom payment in exchange for the decryption key, it is one of the most devastating types of malicious software. The implications of ransomware attacks can range from a loss of essential data to a disruption of business operations and significant monetary damage. Artificial intelligence (AI)-based techniques, namely machine learning (ML), have proven to be notable in the detection of Android ransomware attacks. However, ensemble models and deep learning (DL) models have not been sufficiently explored. Therefore, in this study, we utilized ML- and DL-based techniques to build efficient, precise, and robust models for binary classification. A publicly available dataset from Kaggle consisting of 392,035 records with benign traffic and 10 different types of Android ransomware attacks was used to train and test the models. Two experiments were carried out. In experiment 1, all the features of the dataset were used. In experiment 2, only the best 19 features were used. The deployed models included a decision tree (DT), support vector machine (SVM), k-nearest neighbor (KNN), ensemble of (DT, SVM, and KNN), feedforward neural network (FNN), and tabular attention network (TabNet). Overall, the experiments yielded excellent results. DT outperformed the others, with an accuracy of 97.24%, precision of 98.50%, and F1-score of 98.45%. Whereas, in terms of the highest recall, SVM achieved 100%. The acquired results were thoroughly discussed, in addition to addressing limitations and exploring potential directions for future work. Full article

The proliferation of smart devices in the 5G era of industrial IoT (IIoT) produces significant traffic data, some of which is encrypted malicious traffic, creating a significant problem for malicious traffic detection. Malicious traffic classification is one of the most efficient techniques for detecting malicious traffic. Although it is a labor-intensive and time-consuming process to gather large labeled datasets, the majority of prior studies on the classification of malicious traffic use supervised learning approaches and provide decent classification results when a substantial quantity of labeled data is available. This paper proposes a semi-supervised learning approach for classifying malicious IIoT traffic. The approach utilizes the encoder–decoder model framework to classify the traffic, even with a limited amount of labeled data available. We sample and normalize the data during the data-processing stage. In the semi-supervised model-building stage, we first pre-train a model on a large unlabeled dataset. Subsequently, we transfer the learned weights to a new model, which is then retrained using a small labeled dataset. We also offer an edge intelligence model that considers aspects such as computation latency, transmission latency, and privacy protection to improve the model’s performance. To achieve the lowest total latency and to reduce the risk of privacy leakage, we first create latency and privacy-protection models for each local, edge, and cloud. Then, we optimize the total latency and overall privacy level. In the study of IIoT malicious traffic classification, experimental results demonstrate that our method reduces the model training and classification time with 97.55% accuracy; moreover, our approach boosts the privacy-protection factor. Full article

Telecommuting and telelearning have gradually become mainstream lifestyles in the post-epidemic era. The extensive interconnection of massive terminals gives attackers more opportunities, which brings more significant challenges to network traffic security analysis. The existing attacks, often using encryption technology and distributed attack methods, increase the number and complexity of attacks. However, the traditional methods need more analysis of encrypted malicious traffic interaction patterns and cannot explore the potential correlations of interaction patterns in a macroscopic and comprehensive manner. Anyway, the changes in interaction patterns caused by attacks also need further study. Therefore, to achieve accurate and effective identification of attacks, it is essential to comprehensively describe the interaction patterns of malicious traffic and portray the relations of interaction patterns with the appearance of attacks. We propose a method for classifying attacks based on the traffic interaction attribute graph, named G-TIAG. At first, the G-TIAG studies interaction patterns of traffic describes the construction rule of the graphs and selects the attributive features of nodes in each graph. Then, it uses a convolutional graph network with a GRU and self-attention to classify benign data and different attacks. Our approach achieved the best classification results, with 89% accuracy and F1-Score, 88% recall, respectively, on publicly available datasets. The improvement is about 7% compared to traditional machine learning classification results and about 6% compared to deep learning classification results, which finally successfully achieved the classification of attacks. Full article

The SSL/TLS protocol is widely used in data encryption transmission. Aiming at the problem of detecting SSL/TLS-encrypted malicious traffic with small-scale and unbalanced training data, a deep-forest-based detection method called DF-IDS is proposed in this paper. According to the characteristics of SSL/TSL protocol, the network traffic was split into sessions according to the 5-tuple information. Each session was then transformed into a two-dimensional traffic image as the input of a deep-learning classifier. In order to avoid information loss and improve the detection efficiency, the multi-grained cascade forest (gcForest) framework was simplified with only cascade structure, which was named cascade forest (CaForest). By integrating random forest and extra trees in the CaForest framework, an end-to-end high-precision detector for small-scale and unbalanced SSL/TSL encrypted malicious traffic was realized. Compared with other deep-learning-based methods, the experimental results showed that the detection rate of DF-IDS was 6.87% to 29.5% higher than that of other methods on a small-scale and unbalanced dataset. The advantage of DF-IDS was more obvious in the multi-classification case. Full article

Recently, a majority of security operations centers (SOCs) have been facing a critical issue of increased adoption of transport layer security (TLS) encryption on the Internet, in network traffic analysis (NTA). To this end, in this survey article, we present existing research on NTA and related areas, primarily focusing on TLS-encrypted traffic to detect and classify malicious traffic with deployment scenarios for SOCs. Security experts in SOCs and researchers in academia can obtain useful information from our survey, as the main focus of our survey is NTA methods applicable to malware detection and family classification. Especially, we have discussed pros and cons of three main deployment models for encrypted NTA: TLS interception, inspection using cryptographic functions, and passive inspection without decryption. In addition, we have discussed the state-of-the-art methods in TLS-encrypted NTA for each component of a machine learning pipeline, typically used in the state-of-the-art methods. Full article

The fine-grained classification of encrypted traffic is important for network security analysis. Malicious attacks are usually encrypted and simulated as normal application or content traffic. Supervised machine learning methods are widely used for traffic classification and show good performances. However, they need a large amount of labeled data to train a model, while labeled data is hard to obtain. Aiming at solving this problem, this paper proposes a method to train a model based on the K-nearest neighbor (KNN) algorithm, which only needs a small amount of data. Due to the fact that the importance of different traffic features varies, and traditional KNN does not highlight the importance of different features, this study introduces the concept of feature weight and proposes the weighted feature KNN (WKNN) algorithm. Furthermore, to obtain the optimal feature set and the corresponding feature weight set, a feature selection and feature weight self-adaptive algorithm for WKNN is proposed. In addition, a three-layer classification framework for encrypted network flows is established. Based on the improved KNN and the framework, this study finally presents a method for fine-grained classification of encrypted network flows, which can identify the encryption status, application type and content type of encrypted network flows with high accuracies of 99.3%, 92.4%, and 97.0%, respectively. Full article