Abnormal network traffic, as a frequent security risk, requires a series of techniques to categorize and detect it. Existing network traffic anomaly detection still faces challenges: the inability to fully extract loc...Abnormal network traffic, as a frequent security risk, requires a series of techniques to categorize and detect it. Existing network traffic anomaly detection still faces challenges: the inability to fully extract local and global features, as well as the lack of effective mechanisms to capture complex interactions between features;Additionally, when increasing the receptive field to obtain deeper feature representations, the reliance on increasing network depth leads to a significant increase in computational resource consumption, affecting the efficiency and performance of detection. Based on these issues, firstly, this paper proposes a network traffic anomaly detection model based on parallel dilated convolution and residual learning (Res-PDC). To better explore the interactive relationships between features, the traffic samples are converted into two-dimensional matrix. A module combining parallel dilated convolutions and residual learning (res-pdc) was designed to extract local and global features of traffic at different scales. By utilizing res-pdc modules with different dilation rates, we can effectively capture spatial features at different scales and explore feature dependencies spanning wider regions without increasing computational resources. Secondly, to focus and integrate the information in different feature subspaces, further enhance and extract the interactions among the features, multi-head attention is added to Res-PDC, resulting in the final model: multi-head attention enhanced parallel dilated convolution and residual learning (MHA-Res-PDC) for network traffic anomaly detection. Finally, comparisons with other machine learning and deep learning algorithms are conducted on the NSL-KDD and CIC-IDS-2018 datasets. The experimental results demonstrate that the proposed method in this paper can effectively improve the detection performance.展开更多
With the rise of encrypted traffic,traditional network analysis methods have become less effective,leading to a shift towards deep learning-based approaches.Among these,multimodal learning-based classification methods...With the rise of encrypted traffic,traditional network analysis methods have become less effective,leading to a shift towards deep learning-based approaches.Among these,multimodal learning-based classification methods have gained attention due to their ability to leverage diverse feature sets from encrypted traffic,improving classification accuracy.However,existing research predominantly relies on late fusion techniques,which hinder the full utilization of deep features within the data.To address this limitation,we propose a novel multimodal encrypted traffic classification model that synchronizes modality fusion with multiscale feature extraction.Specifically,our approach performs real-time fusion of modalities at each stage of feature extraction,enhancing feature representation at each level and preserving inter-level correlations for more effective learning.This continuous fusion strategy improves the model’s ability to detect subtle variations in encrypted traffic,while boosting its robustness and adaptability to evolving network conditions.Experimental results on two real-world encrypted traffic datasets demonstrate that our method achieves a classification accuracy of 98.23% and 97.63%,outperforming existing multimodal learning-based methods.展开更多
The integration of cloud computing into traditional industrial control systems is accelerating the evolution of Industrial Cyber-Physical System(ICPS),enhancing intelligence and autonomy.However,this transition also e...The integration of cloud computing into traditional industrial control systems is accelerating the evolution of Industrial Cyber-Physical System(ICPS),enhancing intelligence and autonomy.However,this transition also expands the attack surface,introducing critical security vulnerabilities.To address these challenges,this article proposes a hybrid intrusion detection scheme for securing ICPSs that combines system state anomaly and network traffic anomaly detection.Specifically,an improved variation-Bayesian-based noise covariance-adaptive nonlinear Kalman filtering(IVB-NCA-NLKF)method is developed to model nonlinear system dynamics,enabling optimal state estimation in multi-sensor ICPS environments.Intrusions within the physical sensing system are identified by analyzing residual discrepancies between predicted and observed system states.Simultaneously,an adaptive network traffic anomaly detection mechanism is introduced,leveraging learned traffic patterns to detect node-and network-level anomalies through pattern matching.Extensive experiments on a simulated network control system demonstrate that the proposed framework achieves higher detection accuracy(92.14%)with a reduced false alarm rate(0.81%).Moreover,it not only detects known attacks and vulnerabilities but also uncovers stealthy attacks that induce system state deviations,providing a robust and comprehensive security solution for the safety protection of ICPS.展开更多
Network traffic identification is critical for maintaining network security and further meeting various demands of network applications.However,network traffic data typically possesses high dimensionality and complexi...Network traffic identification is critical for maintaining network security and further meeting various demands of network applications.However,network traffic data typically possesses high dimensionality and complexity,leading to practical problems in traffic identification data analytics.Since the original Dung Beetle Optimizer(DBO)algorithm,Grey Wolf Optimization(GWO)algorithm,Whale Optimization Algorithm(WOA),and Particle Swarm Optimization(PSO)algorithm have the shortcomings of slow convergence and easily fall into the local optimal solution,an Improved Dung Beetle Optimizer(IDBO)algorithm is proposed for network traffic identification.Firstly,the Sobol sequence is utilized to initialize the dung beetle population,laying the foundation for finding the global optimal solution.Next,an integration of levy flight and golden sine strategy is suggested to give dung beetles a greater probability of exploring unvisited areas,escaping from the local optimal solution,and converging more effectively towards a global optimal solution.Finally,an adaptive weight factor is utilized to enhance the search capabilities of the original DBO algorithm and accelerate convergence.With the improvements above,the proposed IDBO algorithm is then applied to traffic identification data analytics and feature selection,as so to find the optimal subset for K-Nearest Neighbor(KNN)classification.The simulation experiments use the CICIDS2017 dataset to verify the effectiveness of the proposed IDBO algorithm and compare it with the original DBO,GWO,WOA,and PSO algorithms.The experimental results show that,compared with other algorithms,the accuracy and recall are improved by 1.53%and 0.88%in binary classification,and the Distributed Denial of Service(DDoS)class identification is the most effective in multi-classification,with an improvement of 5.80%and 0.33%for accuracy and recall,respectively.Therefore,the proposed IDBO algorithm is effective in increasing the efficiency of traffic identification and solving the problem of the original DBO algorithm that converges slowly and falls into the local optimal solution when dealing with high-dimensional data analytics and feature selection for network traffic identification.展开更多
VPNs are vital for safeguarding communication routes in the continually changing cybersecurity world.However,increasing network attack complexity and variety require increasingly advanced algorithms to recognize and c...VPNs are vital for safeguarding communication routes in the continually changing cybersecurity world.However,increasing network attack complexity and variety require increasingly advanced algorithms to recognize and categorizeVPNnetwork data.We present a novelVPNnetwork traffic flowclassificationmethod utilizing Artificial Neural Networks(ANN).This paper aims to provide a reliable system that can identify a virtual private network(VPN)traffic fromintrusion attempts,data exfiltration,and denial-of-service assaults.We compile a broad dataset of labeled VPN traffic flows from various apps and usage patterns.Next,we create an ANN architecture that can handle encrypted communication and distinguish benign from dangerous actions.To effectively process and categorize encrypted packets,the neural network model has input,hidden,and output layers.We use advanced feature extraction approaches to improve the ANN’s classification accuracy by leveraging network traffic’s statistical and behavioral properties.We also use cutting-edge optimizationmethods to optimize network characteristics and performance.The suggested ANN-based categorization method is extensively tested and analyzed.Results show the model effectively classifies VPN traffic types.We also show that our ANN-based technique outperforms other approaches in precision,recall,and F1-score with 98.79%accuracy.This study improves VPN security and protects against new cyberthreats.Classifying VPNtraffic flows effectively helps enterprises protect sensitive data,maintain network integrity,and respond quickly to security problems.This study advances network security and lays the groundwork for ANN-based cybersecurity solutions.展开更多
In the rapidly evolving field of cybersecurity,the challenge of providing realistic exercise scenarios that accurately mimic real-world threats has become increasingly critical.Traditional methods often fall short in ...In the rapidly evolving field of cybersecurity,the challenge of providing realistic exercise scenarios that accurately mimic real-world threats has become increasingly critical.Traditional methods often fall short in capturing the dynamic and complex nature of modern cyber threats.To address this gap,we propose a comprehensive framework designed to create authentic network environments tailored for cybersecurity exercise systems.Our framework leverages advanced simulation techniques to generate scenarios that mirror actual network conditions faced by professionals in the field.The cornerstone of our approach is the use of a conditional tabular generative adversarial network(CTGAN),a sophisticated tool that synthesizes realistic synthetic network traffic by learning fromreal data patterns.This technology allows us to handle technical components and sensitive information with high fidelity,ensuring that the synthetic data maintains statistical characteristics similar to those observed in real network environments.By meticulously analyzing the data collected from various network layers and translating these into structured tabular formats,our framework can generate network traffic that closely resembles that found in actual scenarios.An integral part of our process involves deploying this synthetic data within a simulated network environment,structured on software-defined networking(SDN)principles,to test and refine the traffic patterns.This simulation not only facilitates a direct comparison between the synthetic and real traffic but also enables us to identify discrepancies and refine the accuracy of our simulations.Our initial findings indicate an error rate of approximately 29.28%between the synthetic and real traffic data,highlighting areas for further improvement and adjustment.By providing a diverse array of network scenarios through our framework,we aim to enhance the exercise systems used by cybersecurity professionals.This not only improves their ability to respond to actual cyber threats but also ensures that the exercise is cost-effective and efficient.展开更多
In this paper we apply the nonlinear time series analysis method to small-time scale traffic measurement data. The prediction-based method is used to determine the embedding dimension of the traffic data. Based on the...In this paper we apply the nonlinear time series analysis method to small-time scale traffic measurement data. The prediction-based method is used to determine the embedding dimension of the traffic data. Based on the reconstructed phase space, the local support vector machine prediction method is used to predict the traffic measurement data, and the BIC-based neighbouring point selection method is used to choose the number of the nearest neighbouring points for the local support vector machine regression model. The experimental results show that the local support vector machine prediction method whose neighbouring points are optimized can effectively predict the small-time scale traffic measurement data and can reproduce the statistical features of real traffic measurements.展开更多
This paper proposes a method for improving the precision of Network Traffic Prediction based on the Maximum Correntropy Criterion(NTPMCC),where the nonlinear characteristics of network traffic are considered.This meth...This paper proposes a method for improving the precision of Network Traffic Prediction based on the Maximum Correntropy Criterion(NTPMCC),where the nonlinear characteristics of network traffic are considered.This method utilizes the MCC as a new error evaluation criterion or named the cost function(CF)to train neural networks(NN).MCC is based on a new similarity function(Generalized correlation entropy function,Correntropy),which has as its foundation the Parzen window evaluation and Renyi entropy of error probability density function.At the same time,by combining the MCC with the Mean Square Error(MSE),a mixed evaluation criterion with MCC and MSE is proposed as a cost function of NN training.According to the traffic network characteristics including the nonlinear,non-Gaussian,and mutation,the Elman neural network is trained by MCC and MCC-MSE,and then the trained neural network is used as the model for predicting network traffic.The simulation results based on the evaluation by Mean Absolute Error(MAE),MSE,and Sum Squared Error(SSE)show that the accuracy of the prediction based on MCC is superior to the results of the Elman neural network with MSE.The overall performance is improved by about 0.0131.展开更多
Intrusion detection system ean make effective alarm for illegality of networkusers, which is absolutely necessarily and important to build security environment of communicationbase service According to the principle t...Intrusion detection system ean make effective alarm for illegality of networkusers, which is absolutely necessarily and important to build security environment of communicationbase service According to the principle that the number of network traffic can affect the degree ofself-similar traffic, the paper investigates the variety of self-similarity resulted fromunconventional network traffic. A network traffic model based on normal behaviors of user isproposed and the Hursl parameter of this model can be calculated. By comparing the Hurst parameterof normal traffic and the self-similar parameter, we ean judge whether the network is normal or notand alarm in time.展开更多
Attacks on websites and network servers are among the most critical threats in network security.Network behavior identification is one of the most effective ways to identify malicious network intrusions.Analyzing abno...Attacks on websites and network servers are among the most critical threats in network security.Network behavior identification is one of the most effective ways to identify malicious network intrusions.Analyzing abnormal network traffic patterns and traffic classification based on labeled network traffic data are among the most effective approaches for network behavior identification.Traditional methods for network traffic classification utilize algorithms such as Naive Bayes,Decision Tree and XGBoost.However,network traffic classification,which is required for network behavior identification,generally suffers from the problem of low accuracy even with the recently proposed deep learning models.To improve network traffic classification accuracy thus improving network intrusion detection rate,this paper proposes a new network traffic classification model,called ArcMargin,which incorporates metric learning into a convolutional neural network(CNN)to make the CNN model more discriminative.ArcMargin maps network traffic samples from the same category more closely while samples from different categories are mapped as far apart as possible.The metric learning regularization feature is called additive angular margin loss,and it is embedded in the object function of traditional CNN models.The proposed ArcMargin model is validated with three datasets and is compared with several other related algorithms.According to a set of classification indicators,the ArcMargin model is proofed to have better performances in both network traffic classification tasks and open-set tasks.Moreover,in open-set tasks,the ArcMargin model can cluster unknown data classes that do not exist in the previous training dataset.展开更多
The modeling of network traffic is important for the design and application of networks, but little is known as to the characteristics of distribution of packets in network traffic. In this letter the distribution of ...The modeling of network traffic is important for the design and application of networks, but little is known as to the characteristics of distribution of packets in network traffic. In this letter the distribution of packets in network traffic is explored.展开更多
Network traffic classification is essential in supporting network measurement and management.Many existing traffic classification approaches provide application-level results regardless of the network quality of servi...Network traffic classification is essential in supporting network measurement and management.Many existing traffic classification approaches provide application-level results regardless of the network quality of service(QoS)requirements.In practice,traffic flows from the same application may have irregular network behaviors that should be identified to various QoS classes for best network resource management.To address the issues,we propose to conduct traffic classification with two newly defined QoSaware features,i.e.,inter-APP similarity and intraAPP diversity.The inter-APP similarity represents the close QoS association between the traffic flows that originate from the different Internet applications.The intra-APP diversity describes the QoS variety of the traffic even among those originated from the same Internet application.The core of performing the QoS-aware feature extraction is a Long-Short Term Memory neural network based Autoencoder(LSTMAE).The QoS-aware features extracted by the encoder part of the LSTM-AE are then clustered into the corresponding QoS classes.Real-life data from multiple applications are collected to evaluate the proposed QoS-aware network traffic classification approach.The evaluation results demonstrate the efficacy of the extracted QoS-aware features in supporting the traffic classification,which can further contribute to future network measurement and management.展开更多
This paper uses a correlation dimension based nonlinear analysis approach to analyse the dynamics of network traffics with three different application protocols-HTTP, FTP and SMTP. First, the phase space is reconstruc...This paper uses a correlation dimension based nonlinear analysis approach to analyse the dynamics of network traffics with three different application protocols-HTTP, FTP and SMTP. First, the phase space is reconstructed and the embedding parameters are obtained by the mutual information method. Secondly, the correlation dimensions of three different traffics are calculated and the results of analysis have demonstrated that the dynamics of the three different application protocol traffics is different from each other in nature, i.e. HTTP and FTP traffics are chaotic, furthermore, the former is more complex than the later; on the other hand, SMTP traffic is stochastic. It is shown that correlation dimension approach is an efficient method to understand and to characterize the nonlinear dynamics of HTTP, FTP and SMTP protocol network traffics. This analysis provided insight into and a more accurate understanding of nonlinear dynamics of internet traffics which have a complex mixture of chaotic and stochastic components.展开更多
Network traffic prediction models can be grouped into two types, single models and combined ones. Combined models integrate several single models and thus can improve prediction accuracy. Based on wavelet transform, g...Network traffic prediction models can be grouped into two types, single models and combined ones. Combined models integrate several single models and thus can improve prediction accuracy. Based on wavelet transform, grey theory, and chaos theory, this paper proposes a novel combined model, wavelet-grey-chaos (WGC), for network traffic prediction. In the WGC model, we develop a time series decomposition method without the boundary problem by modifying the standard à trous algorithm, decompose the network traffic into two parts, the residual part and the burst part to alleviate the accumulated error problem, and employ the grey model GM(1,1) and chaos model to predict the residual part and the burst part respectively. Simulation results on real network traffic show that the WGC model does improve prediction accuracy.展开更多
GARCH-M ( generalized autoregressive conditional heteroskedasticity in the mean) model is used to analyse the volatility clustering phenomenon in mobile communication network traffic. Normal distribution, t distributi...GARCH-M ( generalized autoregressive conditional heteroskedasticity in the mean) model is used to analyse the volatility clustering phenomenon in mobile communication network traffic. Normal distribution, t distribution and generalized Pareto distribution assumptions are adopted re- spectively to simulate the random component in the model. The demonstration of the quantile of network traffic series indicates that common GARCH-M model can partially deal with the "fat tail" problem. However, the "fat tail" characteristic of the random component directly affects the accura- cy of the calculation. Even t distribution is based on the assumption for all the data. On the other hand, extreme value theory, which only concentrates on the tail distribution, can provide more ac- curate result for high quantiles. The best result is obtained based on the generalized Pareto distribu- tion assumption for the random component in the GARCH-M model.展开更多
The massive influx of traffic on the Internet has made the composition of web traffic increasingly complex.Traditional port-based or protocol-based network traffic identification methods are no longer suitable for to...The massive influx of traffic on the Internet has made the composition of web traffic increasingly complex.Traditional port-based or protocol-based network traffic identification methods are no longer suitable for today’s complex and changing networks.Recently,machine learning has beenwidely applied to network traffic recognition.Still,high-dimensional features and redundant data in network traffic can lead to slow convergence problems and low identification accuracy of network traffic recognition algorithms.Taking advantage of the faster optimizationseeking capability of the jumping spider optimization algorithm(JSOA),this paper proposes a jumping spider optimization algorithmthat incorporates the harris hawk optimization(HHO)and small hole imaging(HHJSOA).We use it in network traffic identification feature selection.First,the method incorporates the HHO escape energy factor and the hard siege strategy to forma newsearch strategy for HHJSOA.This location update strategy enhances the search range of the optimal solution of HHJSOA.We use small hole imaging to update the inferior individual.Next,the feature selection problem is coded to propose a jumping spiders individual coding scheme.Multiple iterations of the HHJSOA algorithmfind the optimal individual used as the selected feature for KNN classification.Finally,we validate the classification accuracy and performance of the HHJSOA algorithm using the UNSW-NB15 dataset and KDD99 dataset.Experimental results show that compared with other algorithms for the UNSW-NB15 dataset,the improvement is at least 0.0705,0.00147,and 1 on the accuracy,fitness value,and the number of features.In addition,compared with other feature selectionmethods for the same datasets,the proposed algorithmhas faster convergence,better merit-seeking,and robustness.Therefore,HHJSOAcan improve the classification accuracy and solve the problem that the network traffic recognition algorithm needs to be faster to converge and easily fall into local optimum due to high-dimensional features.展开更多
Spatio-temporal cellular network traffic prediction at wide-area level plays an important role in resource reconfiguration,traffic scheduling and intrusion detection,thus potentially supporting connected intelligence ...Spatio-temporal cellular network traffic prediction at wide-area level plays an important role in resource reconfiguration,traffic scheduling and intrusion detection,thus potentially supporting connected intelligence of the sixth generation of mobile communications technology(6G).However,the existing studies just focus on the spatio-temporal modeling of traffic data of single network service,such as short message,call,or Internet.It is not conducive to accurate prediction of traffic data,characterised by diverse network service,spatio-temporality and supersize volume.To address this issue,a novel multi-task deep learning framework is developed for citywide cellular network traffic prediction.Functionally,this framework mainly consists of a dual modular feature sharing layer and a multi-task learning layer(DMFS-MT).The former aims at mining long-term spatio-temporal dependencies and local spatio-temporal fluctuation trends in data,respectively,via a new combination of convolutional gated recurrent unit(ConvGRU)and 3-dimensional convolutional neural network(3D-CNN).For the latter,each task is performed for predicting service-specific traffic data based on a fully connected network.On the real-world Telecom Italia dataset,simulation results demonstrate the effectiveness of our proposal through prediction performance measure,spatial pattern comparison and statistical distribution verification.展开更多
Pattern matching is a fundamental approach to detect malicious behaviors and information over Internet, which has been gradually used in high-speed network traffic analysis. However, there is a performance bottleneck ...Pattern matching is a fundamental approach to detect malicious behaviors and information over Internet, which has been gradually used in high-speed network traffic analysis. However, there is a performance bottleneck for multi-pattern matching on online compressed network traffic(CNT), this is because malicious and intrusion codes are often embedded into compressed network traffic. In this paper, we propose an online fast and multi-pattern matching algorithm on compressed network traffic(FMMCN). FMMCN employs two types of jumping, i.e. jumping during sliding window and a string jump scanning strategy to skip unnecessary compressed bytes. Moreover, FMMCN has the ability to efficiently process multiple large volume of networks such as HTTP traffic, vehicles traffic, and other Internet-based services. The experimental results show that FMMCN can ignore more than 89.5% of bytes, and its maximum speed reaches 176.470MB/s in a midrange switches device, which is faster than the current fastest algorithm ACCH by almost 73.15 MB/s.展开更多
Network anomalies caused by network attacks can significantly degrade or even terminate network services.A Real-time and reliable detection of anomalies is essential to rapid anomaly diagnosis,anomaly mitigation,and m...Network anomalies caused by network attacks can significantly degrade or even terminate network services.A Real-time and reliable detection of anomalies is essential to rapid anomaly diagnosis,anomaly mitigation,and malfunction recovering.Unlike most detection methods based on the statistical analysis of the packet headers(Such as IP addresses and ports),a new approach only using network traffic volumes is proposed to detect anomalies reliably.Our method is based on autocorrelation function to judge whether anomalies have happened.In details,the correlation coefficients of normal and anomaly data fluctuate slightly respectively,while those of the overlapped data composed of them fluctuate greatly.Experimental results on network traffic volumes transformed from 1999 DARPA intrusion evaluation data set show that this method can effectively detect network anomalies,while avoiding the high false alarms rate.展开更多
Huge networks and increasing network traffic will consume more and more resources.It is critical to predict network traffic accurately and timely for network planning,and resource allocation,etc.In this paper,a combin...Huge networks and increasing network traffic will consume more and more resources.It is critical to predict network traffic accurately and timely for network planning,and resource allocation,etc.In this paper,a combined network traffic prediction model is proposed,which is based on Prophet,evolutionary attention-based LSTM(EALSTM)network,and Gaussian process regression(GPR).According to the non-smooth,sudden,periodic,and long correlation characteristics of network traffic,the prediction procedure is divided into three steps to predict network traffic accurately.In the first step,the Prophetmodel decomposes network traffic data into periodic and non-periodic parts.The periodic term is predicted by the Prophet model for different granularity periods.In the second step,the non-periodic term is fed to an EALSTM network to extract the importance of the different features in the sequence and learn their long correlation,which effectively avoids the long-term dependence problem caused by long step length.Finally,GPR is used to predict the residual term to boost the predictability even further.Experimental results indicate that the proposed scheme is more applicable and can significantly improve prediction accuracy compared with traditional linear and nonlinear models.展开更多
基金supported by the Xiamen Science and Technology Subsidy Project(No.2023CXY0318).
文摘Abnormal network traffic, as a frequent security risk, requires a series of techniques to categorize and detect it. Existing network traffic anomaly detection still faces challenges: the inability to fully extract local and global features, as well as the lack of effective mechanisms to capture complex interactions between features;Additionally, when increasing the receptive field to obtain deeper feature representations, the reliance on increasing network depth leads to a significant increase in computational resource consumption, affecting the efficiency and performance of detection. Based on these issues, firstly, this paper proposes a network traffic anomaly detection model based on parallel dilated convolution and residual learning (Res-PDC). To better explore the interactive relationships between features, the traffic samples are converted into two-dimensional matrix. A module combining parallel dilated convolutions and residual learning (res-pdc) was designed to extract local and global features of traffic at different scales. By utilizing res-pdc modules with different dilation rates, we can effectively capture spatial features at different scales and explore feature dependencies spanning wider regions without increasing computational resources. Secondly, to focus and integrate the information in different feature subspaces, further enhance and extract the interactions among the features, multi-head attention is added to Res-PDC, resulting in the final model: multi-head attention enhanced parallel dilated convolution and residual learning (MHA-Res-PDC) for network traffic anomaly detection. Finally, comparisons with other machine learning and deep learning algorithms are conducted on the NSL-KDD and CIC-IDS-2018 datasets. The experimental results demonstrate that the proposed method in this paper can effectively improve the detection performance.
基金supported by the National Key Research and Development Program of China No.2023YFB2705000.
文摘With the rise of encrypted traffic,traditional network analysis methods have become less effective,leading to a shift towards deep learning-based approaches.Among these,multimodal learning-based classification methods have gained attention due to their ability to leverage diverse feature sets from encrypted traffic,improving classification accuracy.However,existing research predominantly relies on late fusion techniques,which hinder the full utilization of deep features within the data.To address this limitation,we propose a novel multimodal encrypted traffic classification model that synchronizes modality fusion with multiscale feature extraction.Specifically,our approach performs real-time fusion of modalities at each stage of feature extraction,enhancing feature representation at each level and preserving inter-level correlations for more effective learning.This continuous fusion strategy improves the model’s ability to detect subtle variations in encrypted traffic,while boosting its robustness and adaptability to evolving network conditions.Experimental results on two real-world encrypted traffic datasets demonstrate that our method achieves a classification accuracy of 98.23% and 97.63%,outperforming existing multimodal learning-based methods.
基金supported by the National Natural Science Foundation of China(NSFC)under grant No.62371187the Hunan Provincial Natural Science Foundation of China under Grant Nos.2024JJ8309 and 2023JJ50495.
文摘The integration of cloud computing into traditional industrial control systems is accelerating the evolution of Industrial Cyber-Physical System(ICPS),enhancing intelligence and autonomy.However,this transition also expands the attack surface,introducing critical security vulnerabilities.To address these challenges,this article proposes a hybrid intrusion detection scheme for securing ICPSs that combines system state anomaly and network traffic anomaly detection.Specifically,an improved variation-Bayesian-based noise covariance-adaptive nonlinear Kalman filtering(IVB-NCA-NLKF)method is developed to model nonlinear system dynamics,enabling optimal state estimation in multi-sensor ICPS environments.Intrusions within the physical sensing system are identified by analyzing residual discrepancies between predicted and observed system states.Simultaneously,an adaptive network traffic anomaly detection mechanism is introduced,leveraging learned traffic patterns to detect node-and network-level anomalies through pattern matching.Extensive experiments on a simulated network control system demonstrate that the proposed framework achieves higher detection accuracy(92.14%)with a reduced false alarm rate(0.81%).Moreover,it not only detects known attacks and vulnerabilities but also uncovers stealthy attacks that induce system state deviations,providing a robust and comprehensive security solution for the safety protection of ICPS.
基金supported by the National Natural Science Foundation of China under Grant 61602162the Hubei Provincial Science and Technology Plan Project under Grant 2023BCB041.
文摘Network traffic identification is critical for maintaining network security and further meeting various demands of network applications.However,network traffic data typically possesses high dimensionality and complexity,leading to practical problems in traffic identification data analytics.Since the original Dung Beetle Optimizer(DBO)algorithm,Grey Wolf Optimization(GWO)algorithm,Whale Optimization Algorithm(WOA),and Particle Swarm Optimization(PSO)algorithm have the shortcomings of slow convergence and easily fall into the local optimal solution,an Improved Dung Beetle Optimizer(IDBO)algorithm is proposed for network traffic identification.Firstly,the Sobol sequence is utilized to initialize the dung beetle population,laying the foundation for finding the global optimal solution.Next,an integration of levy flight and golden sine strategy is suggested to give dung beetles a greater probability of exploring unvisited areas,escaping from the local optimal solution,and converging more effectively towards a global optimal solution.Finally,an adaptive weight factor is utilized to enhance the search capabilities of the original DBO algorithm and accelerate convergence.With the improvements above,the proposed IDBO algorithm is then applied to traffic identification data analytics and feature selection,as so to find the optimal subset for K-Nearest Neighbor(KNN)classification.The simulation experiments use the CICIDS2017 dataset to verify the effectiveness of the proposed IDBO algorithm and compare it with the original DBO,GWO,WOA,and PSO algorithms.The experimental results show that,compared with other algorithms,the accuracy and recall are improved by 1.53%and 0.88%in binary classification,and the Distributed Denial of Service(DDoS)class identification is the most effective in multi-classification,with an improvement of 5.80%and 0.33%for accuracy and recall,respectively.Therefore,the proposed IDBO algorithm is effective in increasing the efficiency of traffic identification and solving the problem of the original DBO algorithm that converges slowly and falls into the local optimal solution when dealing with high-dimensional data analytics and feature selection for network traffic identification.
文摘VPNs are vital for safeguarding communication routes in the continually changing cybersecurity world.However,increasing network attack complexity and variety require increasingly advanced algorithms to recognize and categorizeVPNnetwork data.We present a novelVPNnetwork traffic flowclassificationmethod utilizing Artificial Neural Networks(ANN).This paper aims to provide a reliable system that can identify a virtual private network(VPN)traffic fromintrusion attempts,data exfiltration,and denial-of-service assaults.We compile a broad dataset of labeled VPN traffic flows from various apps and usage patterns.Next,we create an ANN architecture that can handle encrypted communication and distinguish benign from dangerous actions.To effectively process and categorize encrypted packets,the neural network model has input,hidden,and output layers.We use advanced feature extraction approaches to improve the ANN’s classification accuracy by leveraging network traffic’s statistical and behavioral properties.We also use cutting-edge optimizationmethods to optimize network characteristics and performance.The suggested ANN-based categorization method is extensively tested and analyzed.Results show the model effectively classifies VPN traffic types.We also show that our ANN-based technique outperforms other approaches in precision,recall,and F1-score with 98.79%accuracy.This study improves VPN security and protects against new cyberthreats.Classifying VPNtraffic flows effectively helps enterprises protect sensitive data,maintain network integrity,and respond quickly to security problems.This study advances network security and lays the groundwork for ANN-based cybersecurity solutions.
基金supported in part by the Korea Research Institute for Defense Technology Planning and Advancement(KRIT)funded by the Korean Government’s Defense Acquisition Program Administration(DAPA)under Grant KRIT-CT-21-037in part by the Ministry of Education,Republic of Koreain part by the National Research Foundation of Korea under Grant RS-2023-00211871.
文摘In the rapidly evolving field of cybersecurity,the challenge of providing realistic exercise scenarios that accurately mimic real-world threats has become increasingly critical.Traditional methods often fall short in capturing the dynamic and complex nature of modern cyber threats.To address this gap,we propose a comprehensive framework designed to create authentic network environments tailored for cybersecurity exercise systems.Our framework leverages advanced simulation techniques to generate scenarios that mirror actual network conditions faced by professionals in the field.The cornerstone of our approach is the use of a conditional tabular generative adversarial network(CTGAN),a sophisticated tool that synthesizes realistic synthetic network traffic by learning fromreal data patterns.This technology allows us to handle technical components and sensitive information with high fidelity,ensuring that the synthetic data maintains statistical characteristics similar to those observed in real network environments.By meticulously analyzing the data collected from various network layers and translating these into structured tabular formats,our framework can generate network traffic that closely resembles that found in actual scenarios.An integral part of our process involves deploying this synthetic data within a simulated network environment,structured on software-defined networking(SDN)principles,to test and refine the traffic patterns.This simulation not only facilitates a direct comparison between the synthetic and real traffic but also enables us to identify discrepancies and refine the accuracy of our simulations.Our initial findings indicate an error rate of approximately 29.28%between the synthetic and real traffic data,highlighting areas for further improvement and adjustment.By providing a diverse array of network scenarios through our framework,we aim to enhance the exercise systems used by cybersecurity professionals.This not only improves their ability to respond to actual cyber threats but also ensures that the exercise is cost-effective and efficient.
基金Project supported by the National Natural Science Foundation of China (Grant No 60573065)the Natural Science Foundation of Shandong Province,China (Grant No Y2007G33)the Key Subject Research Foundation of Shandong Province,China(Grant No XTD0708)
文摘In this paper we apply the nonlinear time series analysis method to small-time scale traffic measurement data. The prediction-based method is used to determine the embedding dimension of the traffic data. Based on the reconstructed phase space, the local support vector machine prediction method is used to predict the traffic measurement data, and the BIC-based neighbouring point selection method is used to choose the number of the nearest neighbouring points for the local support vector machine regression model. The experimental results show that the local support vector machine prediction method whose neighbouring points are optimized can effectively predict the small-time scale traffic measurement data and can reproduce the statistical features of real traffic measurements.
基金supported in part by the National Natural Science Foundation of China under Grant No.61071126the National Radio Project under Grants No. 2010ZX03004001, No.2010ZX03004-002, No.2011ZX03002001
文摘This paper proposes a method for improving the precision of Network Traffic Prediction based on the Maximum Correntropy Criterion(NTPMCC),where the nonlinear characteristics of network traffic are considered.This method utilizes the MCC as a new error evaluation criterion or named the cost function(CF)to train neural networks(NN).MCC is based on a new similarity function(Generalized correlation entropy function,Correntropy),which has as its foundation the Parzen window evaluation and Renyi entropy of error probability density function.At the same time,by combining the MCC with the Mean Square Error(MSE),a mixed evaluation criterion with MCC and MSE is proposed as a cost function of NN training.According to the traffic network characteristics including the nonlinear,non-Gaussian,and mutation,the Elman neural network is trained by MCC and MCC-MSE,and then the trained neural network is used as the model for predicting network traffic.The simulation results based on the evaluation by Mean Absolute Error(MAE),MSE,and Sum Squared Error(SSE)show that the accuracy of the prediction based on MCC is superior to the results of the Elman neural network with MSE.The overall performance is improved by about 0.0131.
文摘Intrusion detection system ean make effective alarm for illegality of networkusers, which is absolutely necessarily and important to build security environment of communicationbase service According to the principle that the number of network traffic can affect the degree ofself-similar traffic, the paper investigates the variety of self-similarity resulted fromunconventional network traffic. A network traffic model based on normal behaviors of user isproposed and the Hursl parameter of this model can be calculated. By comparing the Hurst parameterof normal traffic and the self-similar parameter, we ean judge whether the network is normal or notand alarm in time.
基金This work was supported by the National Natural Science Foundation of China(61871046).
文摘Attacks on websites and network servers are among the most critical threats in network security.Network behavior identification is one of the most effective ways to identify malicious network intrusions.Analyzing abnormal network traffic patterns and traffic classification based on labeled network traffic data are among the most effective approaches for network behavior identification.Traditional methods for network traffic classification utilize algorithms such as Naive Bayes,Decision Tree and XGBoost.However,network traffic classification,which is required for network behavior identification,generally suffers from the problem of low accuracy even with the recently proposed deep learning models.To improve network traffic classification accuracy thus improving network intrusion detection rate,this paper proposes a new network traffic classification model,called ArcMargin,which incorporates metric learning into a convolutional neural network(CNN)to make the CNN model more discriminative.ArcMargin maps network traffic samples from the same category more closely while samples from different categories are mapped as far apart as possible.The metric learning regularization feature is called additive angular margin loss,and it is embedded in the object function of traditional CNN models.The proposed ArcMargin model is validated with three datasets and is compared with several other related algorithms.According to a set of classification indicators,the ArcMargin model is proofed to have better performances in both network traffic classification tasks and open-set tasks.Moreover,in open-set tasks,the ArcMargin model can cluster unknown data classes that do not exist in the previous training dataset.
文摘The modeling of network traffic is important for the design and application of networks, but little is known as to the characteristics of distribution of packets in network traffic. In this letter the distribution of packets in network traffic is explored.
文摘Network traffic classification is essential in supporting network measurement and management.Many existing traffic classification approaches provide application-level results regardless of the network quality of service(QoS)requirements.In practice,traffic flows from the same application may have irregular network behaviors that should be identified to various QoS classes for best network resource management.To address the issues,we propose to conduct traffic classification with two newly defined QoSaware features,i.e.,inter-APP similarity and intraAPP diversity.The inter-APP similarity represents the close QoS association between the traffic flows that originate from the different Internet applications.The intra-APP diversity describes the QoS variety of the traffic even among those originated from the same Internet application.The core of performing the QoS-aware feature extraction is a Long-Short Term Memory neural network based Autoencoder(LSTMAE).The QoS-aware features extracted by the encoder part of the LSTM-AE are then clustered into the corresponding QoS classes.Real-life data from multiple applications are collected to evaluate the proposed QoS-aware network traffic classification approach.The evaluation results demonstrate the efficacy of the extracted QoS-aware features in supporting the traffic classification,which can further contribute to future network measurement and management.
基金Project supported in part by the National High Technology Research and Development Program of China (Grant No. 2007AA01Z480)
文摘This paper uses a correlation dimension based nonlinear analysis approach to analyse the dynamics of network traffics with three different application protocols-HTTP, FTP and SMTP. First, the phase space is reconstructed and the embedding parameters are obtained by the mutual information method. Secondly, the correlation dimensions of three different traffics are calculated and the results of analysis have demonstrated that the dynamics of the three different application protocol traffics is different from each other in nature, i.e. HTTP and FTP traffics are chaotic, furthermore, the former is more complex than the later; on the other hand, SMTP traffic is stochastic. It is shown that correlation dimension approach is an efficient method to understand and to characterize the nonlinear dynamics of HTTP, FTP and SMTP protocol network traffics. This analysis provided insight into and a more accurate understanding of nonlinear dynamics of internet traffics which have a complex mixture of chaotic and stochastic components.
基金Project supported by National Basic Research Program of China (Grant Nos 2009CB320505 and 2009CB320504)National High Technology Research and Development Program of China (Grant Nos 2006AA01Z235, 2007AA01Z206 and 2009AA01Z210)
文摘Network traffic prediction models can be grouped into two types, single models and combined ones. Combined models integrate several single models and thus can improve prediction accuracy. Based on wavelet transform, grey theory, and chaos theory, this paper proposes a novel combined model, wavelet-grey-chaos (WGC), for network traffic prediction. In the WGC model, we develop a time series decomposition method without the boundary problem by modifying the standard à trous algorithm, decompose the network traffic into two parts, the residual part and the burst part to alleviate the accumulated error problem, and employ the grey model GM(1,1) and chaos model to predict the residual part and the burst part respectively. Simulation results on real network traffic show that the WGC model does improve prediction accuracy.
基金Supported by University and College Doctoral Subject Special Scientific Research Fund( No. 20040056041).
文摘GARCH-M ( generalized autoregressive conditional heteroskedasticity in the mean) model is used to analyse the volatility clustering phenomenon in mobile communication network traffic. Normal distribution, t distribution and generalized Pareto distribution assumptions are adopted re- spectively to simulate the random component in the model. The demonstration of the quantile of network traffic series indicates that common GARCH-M model can partially deal with the "fat tail" problem. However, the "fat tail" characteristic of the random component directly affects the accura- cy of the calculation. Even t distribution is based on the assumption for all the data. On the other hand, extreme value theory, which only concentrates on the tail distribution, can provide more ac- curate result for high quantiles. The best result is obtained based on the generalized Pareto distribu- tion assumption for the random component in the GARCH-M model.
基金funded by the National Natural Science Foundation of China under Grant No.61602162.
文摘The massive influx of traffic on the Internet has made the composition of web traffic increasingly complex.Traditional port-based or protocol-based network traffic identification methods are no longer suitable for today’s complex and changing networks.Recently,machine learning has beenwidely applied to network traffic recognition.Still,high-dimensional features and redundant data in network traffic can lead to slow convergence problems and low identification accuracy of network traffic recognition algorithms.Taking advantage of the faster optimizationseeking capability of the jumping spider optimization algorithm(JSOA),this paper proposes a jumping spider optimization algorithmthat incorporates the harris hawk optimization(HHO)and small hole imaging(HHJSOA).We use it in network traffic identification feature selection.First,the method incorporates the HHO escape energy factor and the hard siege strategy to forma newsearch strategy for HHJSOA.This location update strategy enhances the search range of the optimal solution of HHJSOA.We use small hole imaging to update the inferior individual.Next,the feature selection problem is coded to propose a jumping spiders individual coding scheme.Multiple iterations of the HHJSOA algorithmfind the optimal individual used as the selected feature for KNN classification.Finally,we validate the classification accuracy and performance of the HHJSOA algorithm using the UNSW-NB15 dataset and KDD99 dataset.Experimental results show that compared with other algorithms for the UNSW-NB15 dataset,the improvement is at least 0.0705,0.00147,and 1 on the accuracy,fitness value,and the number of features.In addition,compared with other feature selectionmethods for the same datasets,the proposed algorithmhas faster convergence,better merit-seeking,and robustness.Therefore,HHJSOAcan improve the classification accuracy and solve the problem that the network traffic recognition algorithm needs to be faster to converge and easily fall into local optimum due to high-dimensional features.
基金supported in part by the Science and Technology Project of Hebei Education Department(No.ZD2021088)in part by the S&T Major Project of the Science and Technology Ministry of China(No.2017YFE0135700)。
文摘Spatio-temporal cellular network traffic prediction at wide-area level plays an important role in resource reconfiguration,traffic scheduling and intrusion detection,thus potentially supporting connected intelligence of the sixth generation of mobile communications technology(6G).However,the existing studies just focus on the spatio-temporal modeling of traffic data of single network service,such as short message,call,or Internet.It is not conducive to accurate prediction of traffic data,characterised by diverse network service,spatio-temporality and supersize volume.To address this issue,a novel multi-task deep learning framework is developed for citywide cellular network traffic prediction.Functionally,this framework mainly consists of a dual modular feature sharing layer and a multi-task learning layer(DMFS-MT).The former aims at mining long-term spatio-temporal dependencies and local spatio-temporal fluctuation trends in data,respectively,via a new combination of convolutional gated recurrent unit(ConvGRU)and 3-dimensional convolutional neural network(3D-CNN).For the latter,each task is performed for predicting service-specific traffic data based on a fully connected network.On the real-world Telecom Italia dataset,simulation results demonstrate the effectiveness of our proposal through prediction performance measure,spatial pattern comparison and statistical distribution verification.
基金supported by China MOST project (No.2012BAH46B04)
文摘Pattern matching is a fundamental approach to detect malicious behaviors and information over Internet, which has been gradually used in high-speed network traffic analysis. However, there is a performance bottleneck for multi-pattern matching on online compressed network traffic(CNT), this is because malicious and intrusion codes are often embedded into compressed network traffic. In this paper, we propose an online fast and multi-pattern matching algorithm on compressed network traffic(FMMCN). FMMCN employs two types of jumping, i.e. jumping during sliding window and a string jump scanning strategy to skip unnecessary compressed bytes. Moreover, FMMCN has the ability to efficiently process multiple large volume of networks such as HTTP traffic, vehicles traffic, and other Internet-based services. The experimental results show that FMMCN can ignore more than 89.5% of bytes, and its maximum speed reaches 176.470MB/s in a midrange switches device, which is faster than the current fastest algorithm ACCH by almost 73.15 MB/s.
基金This work was supported by a grant from the National Natural Science Foundation of China(No.60773192).
文摘Network anomalies caused by network attacks can significantly degrade or even terminate network services.A Real-time and reliable detection of anomalies is essential to rapid anomaly diagnosis,anomaly mitigation,and malfunction recovering.Unlike most detection methods based on the statistical analysis of the packet headers(Such as IP addresses and ports),a new approach only using network traffic volumes is proposed to detect anomalies reliably.Our method is based on autocorrelation function to judge whether anomalies have happened.In details,the correlation coefficients of normal and anomaly data fluctuate slightly respectively,while those of the overlapped data composed of them fluctuate greatly.Experimental results on network traffic volumes transformed from 1999 DARPA intrusion evaluation data set show that this method can effectively detect network anomalies,while avoiding the high false alarms rate.
基金supported by the National Natural Science Foundation of China under Grant Number No.62271264 and 61972207the Project through the Priority Academic Program Development(PAPD)of Jiangsu Higher Education Institution.
文摘Huge networks and increasing network traffic will consume more and more resources.It is critical to predict network traffic accurately and timely for network planning,and resource allocation,etc.In this paper,a combined network traffic prediction model is proposed,which is based on Prophet,evolutionary attention-based LSTM(EALSTM)network,and Gaussian process regression(GPR).According to the non-smooth,sudden,periodic,and long correlation characteristics of network traffic,the prediction procedure is divided into three steps to predict network traffic accurately.In the first step,the Prophetmodel decomposes network traffic data into periodic and non-periodic parts.The periodic term is predicted by the Prophet model for different granularity periods.In the second step,the non-periodic term is fed to an EALSTM network to extract the importance of the different features in the sequence and learn their long correlation,which effectively avoids the long-term dependence problem caused by long step length.Finally,GPR is used to predict the residual term to boost the predictability even further.Experimental results indicate that the proposed scheme is more applicable and can significantly improve prediction accuracy compared with traditional linear and nonlinear models.
