A deep‐learning‐ and reinforcement‐learning‐based system for encrypted network malicious traffic detection

Yang, Jin; Liang, Gang; Li, Beibei; Wen, Guozhu; Gao, Tianxi

doi:10.1049/ell2.12125

Cited by 16 publications

(4 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In particular, network traffic is typical time series data, so preprocessing is essential. Length normalization is generally essential in machine learning and deep learning, where models require input of the same length in [12,21,24,30,54] the data length was normalized to 784 bytes for the purpose of transforming one-dimensional data into two-dimensional data, and [26,34,50] generated the same length of input data for network traffic data through normalization to a user-specified length and used it for anomaly detection experiments.…”

Section: Preprocessingmentioning

confidence: 99%

Artificial Intelligence-Based Anomaly Detection Technology over Encrypted Traffic: A Systematic Literature Review

Ji,

Lee,

Kang

et al. 2024

Sensors

View full text Add to dashboard Cite

As cyber-attacks increase in unencrypted communication environments such as the traditional Internet, protected communication channels based on cryptographic protocols, such as transport layer security (TLS), have been introduced to the Internet. Accordingly, attackers have been carrying out cyber-attacks by hiding themselves in protected communication channels. However, the nature of channels protected by cryptographic protocols makes it difficult to distinguish between normal and malicious network traffic behaviors. This means that traditional anomaly detection models with features from packets extracted a deep packet inspection (DPI) have been neutralized. Recently, studies on anomaly detection using artificial intelligence (AI) and statistical characteristics of traffic have been proposed as an alternative. In this review, we provide a systematic review for AI-based anomaly detection techniques over encrypted traffic. We set several research questions on the review topic and collected research according to eligibility criteria. Through the screening process and quality assessment, 30 research articles were selected with high suitability to be included in the review from the collected literature. We reviewed the selected research in terms of dataset, feature extraction, feature selection, preprocessing, anomaly detection algorithm, and performance indicators. As a result of the literature review, it was confirmed that various techniques used for AI-based anomaly detection over encrypted traffic were used. Some techniques are similar to those used for AI-based anomaly detection over unencrypted traffic, but some technologies are different from those used for unencrypted traffic.

show abstract

Section: Preprocessingmentioning

confidence: 99%

Artificial Intelligence-Based Anomaly Detection Technology over Encrypted Traffic: A Systematic Literature Review

Ji,

Lee,

Kang

et al. 2024

Sensors

View full text Add to dashboard Cite

show abstract

“…By extracting frequency domain features for training the deep learning model, the detection accuracy was improved, the scale of features was limited, and faster detection speed was realized. Many other studies [11] [12] [13] have also carried out performance optimization based on various deep learning models, but most of these works are based on supervised learning, which requires a large amount of data with accurate labels, which needs lots of human effort in a practical production environment.…”

Section: Pos(isgc2022)030mentioning

confidence: 99%

Malicious Traffic Detection with Class Imbalanced Data Based on Coarse-grained Labels

Li¹,

Liu²,

Wang³

et al. 2022

Proceedings of International Symposium on Grids &Amp; Clouds 2022 — PoS(ISGC2022)

View full text Add to dashboard Cite

In order to resist complex cyber-attacks, a Security Operations Center (SOC) named IHEPSOC has been developed and deployed in the Institute of High Energy Physics (IHEP) of the Chinese Academy of Sciences, which contributed to the reliability and security of the network for IHEP. It has become a major task to integrate state-of-the-art cyber-attack detection methods for IHEPSOC to improve the ability of threat detection. Malicious traffic detection based on machine learning is an emerging security paradigm, which can effectively detect both known and unknown cyberattacks. However, the existing studies usually adopt traditional supervised learning, which often encounter issues when applied to real-world production environment due to its implicit assumptions on the operating dependence. For example, most studies are based on datasets that already have accurate data labels, but labeling these datasets accurately requires significant manual effort. In addition, in the real-world service, the volume of benign traffic data is larger than that of the malicious traffic data, and the imbalance between benign and malicious categories also makes many machine learning detection models difficult to apply to a production environment. Based on these, we propose a detection method for class imbalanced malicious traffic based on coarsegrained data labels, which achieves comparable performance compare to other supervised learning methods. We conducted three experiments, using the Android Malware 2017 dataset, and verified the practicability and effectiveness of the proposed method.

show abstract

“…In their proposed framework, a method called a "deep-full-range" (DFR) process is applied, based on three deep learning models, namely, the CNN, LSTM, and sparse autoencoder models. In 2021, Yang et al [19] proposed a malicious traffic detection model for encrypted networks that is based on ResNet. They deleted irrelevant data information from data packets, as well as any duplicate or empty data packets.…”

Section: Current Research On Malicious Encrypted Traffic Detectionmentioning

confidence: 99%

Adversarial Malicious Encrypted Traffic Detection Based on Refined Session Analysis

Chen

et al. 2022

Symmetry

View full text Add to dashboard Cite

The detection of malicious encrypted traffic is an important part of modern network security research. The producers of the current malware do not pay attention to the fact that malicious encrypted traffic can also be detected; they do not construct further adversarial malicious encrypted traffic to deceive existing malicious encrypted traffic detection methods. However, with the increasing confrontation between attack and defense, adversarial malicious encrypted traffic samples will appear gradually, which will make the existing malicious encrypted traffic detection methods obsolete. In this paper, an adversarial malicious encrypted traffic detection method based on refined session analysis (ADRSA) is proposed. The key ideas of this method are: 1) interpretability analysis is used to extract malicious traffic features that are not easily affected by encryption, 2) restoration technology is used to further improve traffic separability, and 3) a deep neural network is used to identify adversarial malicious encrypted traffic. In experimental tests, the ADRSA method could accurately detect malicious encrypted traffic, particularly adversarial malicious encrypted traffic, and the detection rate is more than 95%. However, the detection rate of other malicious encrypted traffic detection methods is almost zero when facing adversarial malicious encrypted traffic. The detection performance of ADRSA exceeds that of the most popular detection methods.

show abstract

A deep‐learning‐ and reinforcement‐learning‐based system for encrypted network malicious traffic detection

Cited by 16 publications

References 10 publications

Artificial Intelligence-Based Anomaly Detection Technology over Encrypted Traffic: A Systematic Literature Review

Artificial Intelligence-Based Anomaly Detection Technology over Encrypted Traffic: A Systematic Literature Review

Malicious Traffic Detection with Class Imbalanced Data Based on Coarse-grained Labels

Adversarial Malicious Encrypted Traffic Detection Based on Refined Session Analysis

Contact Info

Product

Resources

About