The fine-grained classification of encrypted traffic is important for network security analysis. Malicious attacks are usually encrypted and simulated as normal application or content traffic. Supervised machine learning methods are widely used for traffic classification and show good performances. However, they need a large amount of labeled data to train a model, while labeled data is hard to obtain. Aiming at solving this problem, this paper proposes a method to train a model based on the K-nearest neighbor (KNN) algorithm, which only needs a small amount of data. Due to the fact that the importance of different traffic features varies, and traditional KNN does not highlight the importance of different features, this study introduces the concept of feature weight and proposes the weighted feature KNN (WKNN) algorithm. Furthermore, to obtain the optimal feature set and the corresponding feature weight set, a feature selection and feature weight self-adaptive algorithm for WKNN is proposed. In addition, a three-layer classification framework for encrypted network flows is established. Based on the improved KNN and the framework, this study finally presents a method for fine-grained classification of encrypted network flows, which can identify the encryption status, application type and content type of encrypted network flows with high accuracies of 99.3%, 92.4%, and 97.0%, respectively.
Security issues of large-scale local area network are becoming more prominent and the anomaly detection for the network traffic is the key means to solve this problem. On the other hand, it is a challenge to extract effective and accurate traffic features for anomaly detection. In order to resolve this challenge, multi-types of network flow features are designed and analyzed in the present study. These features include sequence packet features, general statistical features and environmental features, which can profile the characteristics of network flows accurately. Moreover, a method based on the hybrid neural network is proposed to detect anomaly by analyzing these features. One-dimensional convolutional network is implemented to analyze the sequence features in the hybrid neural network, while deep neural networks are utilized to learn the characteristics of high-dimension feature vectors including general statistical features and environmental features. The method can make comprehensive analysis for network anomaly detection. Two datasets of ISCX-IDS-2012 and CIC-IDS-2017 are carried out to evaluate the performance of the proposed method and other similar algorithms. The present study shows that the comprehensive performances of the proposed method are better than that for others algorithms. It is concluded that the proposed method can be applied for the anomaly detection applications with reasonable performance. INDEX TERMS Anomaly detection, hybrid neural network, network flow feature.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.