4 articles found
TB-Graph: Enhancing Encrypted Malicious Traffic Classification through Relational Graph Attention Networks
1
Authors: Ming Liu, Qichao Yang, Wenqing Wang, Shengli Liu | Journal: Computers, Materials & Continua, 2025, Issue 2, pp. 2985-3004 (20 pages)
The proliferation of internet traffic encryption has become a double-edged sword. While it significantly enhances user privacy, it also inadvertently shields cyber-attacks from detection, presenting a formidable challenge to cybersecurity. Traditional machine learning and deep learning techniques often fall short in identifying encrypted malicious traffic due to their inability to fully extract and utilize the implicit relational and positional information embedded within data packets. This limitation has led to an unresolved challenge in the cybersecurity community: how to effectively extract valuable insights from the complex patterns of traffic packet transmission. Consequently, this paper introduces the TB-Graph model, an encrypted malicious traffic classification model based on a relational graph attention network. The model is a heterogeneous traffic burst graph that embeds side-channel features, which are unaffected by encryption, into the graph nodes and connects them with three different types of burst edges. Subsequently, we design a relational positional coding that prevents the loss of temporal relationships between the original traffic flows during graph transformation. Ultimately, TB-Graph leverages the powerful graph representation learning capabilities of Relational Graph Attention Network (RGAT) to extract latent behavioral features from the burst graph nodes and edge relationships. Experimental results show that TB-Graph outperforms various state-of-the-art methods in fine-grained encrypted malicious traffic classification tasks on two public datasets, indicating its enhanced capability for identifying encrypted malicious traffic.
Keywords: Encrypted malicious traffic classification; traffic burst graph; graph representation learning; deep learning
BSTFNet: An Encrypted Malicious Traffic Classification Method Integrating Global Semantic and Spatiotemporal Features (Cited by: 3)
2
Authors: Hong Huang, Xingxing Zhang, Ye Lu, Ze Li, Shaohua Zhou | Journal: Computers, Materials & Continua (SCIE, EI), 2024, Issue 3, pp. 3929-3951 (23 pages)
While encryption technology safeguards the security of network communications, malicious traffic also uses encryption protocols to obscure its malicious behavior. To address the issues of traditional machine learning methods relying on expert experience and the insufficient representation capabilities of existing deep learning methods for encrypted malicious traffic, we propose an encrypted malicious traffic classification method that integrates global semantic features with local spatiotemporal features, called BERT-based Spatio-Temporal Features Network (BSTFNet). At the packet-level granularity, the model captures the global semantic features of packets through the attention mechanism of the Bidirectional Encoder Representations from Transformers (BERT) model. At the byte-level granularity, we initially employ the Bidirectional Gated Recurrent Unit (BiGRU) model to extract temporal features from bytes, followed by the utilization of the Text Convolutional Neural Network (TextCNN) model with multi-sized convolution kernels to extract local multi-receptive field spatial features. The fusion of features from both granularities serves as the ultimate multidimensional representation of malicious traffic. Our approach achieves accuracy and F1-score of 99.39% and 99.40%, respectively, on the publicly available USTC-TFC2016 dataset, and effectively reduces sample confusion within the Neris and Virut categories. The experimental results demonstrate that our method has outstanding representation and classification capabilities for encrypted malicious traffic.
Keywords: Encrypted malicious traffic classification; bidirectional encoder representations from transformers; text convolutional neural network; bidirectional gated recurrent unit
HSS: enhancing IoT malicious traffic classification leveraging hybrid sampling strategy
3
Authors: Yuantu Luo, Jun Tao, Yuehao Zhu, Yifan Xu | Journal: Cybersecurity, 2025, Issue 2, pp. 188-200 (13 pages)
Using deep learning models to deal with the classification tasks in network traffic offers a new approach to address the imbalanced Internet of Things malicious traffic classification problems. However, the employment difficulty of these models may be immense due to their high resource consumption and inadequate interpretability. Fortunately, the effectiveness of sampling methods based on the statistical principles in imbalance data distribution indicates the path. In this paper, we address these challenges by proposing a hybrid sampling method, termed HSS, which integrates undersampling and oversampling techniques. Our approach not only mitigates the imbalance in malicious traffic but also fine-tunes the sampling threshold to optimize performance, as substantiated through validation tests. Employed across three distinct classification tasks, this method furnishes simplified yet representative samples, enhancing the baseline models' classification capabilities by a minimum of 6.02% and a maximum of 182.66%. Moreover, it notably reduces resource consumption, with sample numbers diminishing to a ratio of at least 83.53%. This investigation serves as a foundation, demonstrating the efficacy of HSS in bolstering security measures in IoT networks, potentially guiding the development of more adept and resource-efficient solutions.
Keywords: IoT malicious traffic classification; Hybrid sampling; Imbalanced dataset preprocessing; IoT security
ONTDAS: An Optimized Noise-Based Traffic Data Augmentation System for Generalizability Improvement of Traffic Classifiers
4
Authors: Rongwei Yu, Jie Yin, Jingyi Xiang, Qiyun Shao, Lina Wang | Journal: Computers, Materials & Continua, 2025, Issue 7, pp. 365-391 (27 pages)
With the emergence of new attack techniques, traffic classifiers usually fail to maintain the expected performance in real-world network environments. In order to have sufficient generalizability to deal with unknown malicious samples, they require a large number of new samples for retraining. Considering the cost of data collection and labeling, data augmentation is an ideal solution. We propose an optimized noise-based traffic data augmentation system, ONTDAS. The system uses a gradient-based searching algorithm and an improved Bayesian optimizer to obtain optimized noise. The noise is injected into the original samples for data augmentation. Then, an improved bagging algorithm is used to integrate all the base traffic classifiers trained on noised datasets. The experiments verify ONTDAS on 6 types of base classifiers and 4 publicly available datasets respectively. The results show that ONTDAS can effectively enhance the traffic classifiers' performance and significantly improve their generalizability on unknown malicious samples. The system can also alleviate dataset imbalance. Moreover, the performance of ONTDAS is significantly superior to the existing data augmentation methods mentioned.
Keywords: Unknown malicious traffic classification; data augmentation; optimized noise; generalizability improvement; ensemble learning