THS-IDPC: A three-stage hierarchical sampling method based on improved density peaks clustering algorithm for encrypted malicious traffic detection

Chen, Liangchen; Gao, Shu; Liu, Baoxu; Lü, Zhigang; Jiang, Zhengwei

doi:10.1007/s11227-020-03372-1

Cited by 26 publications

(15 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Ma et al [32] proposed an enhanced KNN algorithm to train an encrypted traffic detection model, which enhances the KNN distance calculation. For unsupervised Learning, Chen et al [13] proposed an improved density peaks clustering algorithm to enhance the accuracy and efficiency of encrypted malicious traffic detection. Celik et al [17] compared the performance of K-means, one-class support vector machine (OCSVM), least squares anomaly detection (LSAD), and KNN algorithms by using tamper resistant features, such as Goodput and ratio between maximum packet over minimum packet.…”

Section: Preliminariesmentioning

confidence: 99%

“…Their experiments indicate that the small number of features can achieve similar accuracy as compared to other existing methods. Many research [13][20] [32] are designed to use machine selection on the optimal features chosen from a large set of extracted features without human intervention. On the other hand, [9][10] [37][44] [47] directly used raw data as the deep learning methods input.…”

Section: Feature Set Selectionmentioning

confidence: 99%

“…a) Traditional Machine Learning Approach: For the traditional machine learning, algorithms and feature set optimization are the main focus. For unsupervised learning, there are many works like Chen et al [13], which proposed a three-stage hierarchical sampling approach by further developing density peaks clustering algorithm (THS-IDPC) based on grid screening, custom centre decision value and mutual neighbour degree (DPC-GS-MND). Experiments have shown that their DPC-GS-MND is better than average-linkage [86], DPC, modified density peak clustering algorithm (MDPCA) [87] and DPC-GS.…”

Section: E Algorithms Selectionmentioning

confidence: 99%

“…[13][25][28][29][33][92] extracted unique features from TLS/SSL protocol to train their HTTPs detection models. Shekhawat et al [29] compared SVM, XGBoost, and RF algorithms with TLS/SSL features for binary detection and multi-classification of encrypted malicious traffic, and finally proposed that XGBoost with selected TLS/SSL features can achieve a 99.15% accuracy under their own training dataset.…”

mentioning

confidence: 99%

See 3 more Smart Citations

Machine Learning for Encrypted Malicious Traffic Detection: Approaches, Datasets and Comparative Study

Wang,

Fok,

Thing

2022

Preprint

View full text Add to dashboard Cite

As people's demand for personal privacy and data security becomes a priority, encrypted traffic has become mainstream in the cyber world. However, traffic encryption is also shielding malicious and illegal traffic introduced by adversaries, from being detected. This is especially so in the post-COVID-19 environment where malicious traffic encryption is growing rapidly. Common security solutions that rely on plain payload content analysis such as deep packet inspection are rendered useless. Thus, machine learning based approaches have become an important direction for encrypted malicious traffic detection. In this paper, we formulate a universal framework of machine learning based encrypted malicious traffic detection techniques and provided a systematic review. Furthermore, current research adopts different datasets to train their models due to the lack of well-recognized datasets and feature sets. As a result, their model performance cannot be compared and analyzed reliably. Therefore, in this paper, we analyse, process and combine datasets from 5 different sources to generate a comprehensive and fair dataset to aid future research in this field. On this basis, we also implement and compare 10 encrypted malicious traffic detection algorithms. We then discuss challenges and propose future directions of research.

show abstract

Section: Preliminariesmentioning

confidence: 99%

Section: Feature Set Selectionmentioning

confidence: 99%

Section: E Algorithms Selectionmentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

Machine Learning for Encrypted Malicious Traffic Detection: Approaches, Datasets and Comparative Study

Wang,

Fok,

Thing

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Traditionally, the ransomware can be detected to some extent with DPI (Deep Packet Inspection) [1], [2] and other methods. However, with the appearance of security protocol such as SSL or TLS, attacker begin to avoid detection with encryption technology [3]. Anomaly detection methods based on machine learning, such as KNN (K-nearest Neighbor), SVM (Support Vector Machine), Decision Trees, etc., can achieve encrypted traffic detection to a certain…”

Section: Introductionmentioning

confidence: 99%

Dual Generative Adversarial Networks Based Unknown Encryption Ransomware Attack Detection

2022

View full text Add to dashboard Cite

Aiming at unknown or variant ransomware attack encrypted with SSL (Secure Sockets Layer)/ TLS (Transport Layer Security) protocol, a detection framework named TGAN-IDS (Transferred Generating Adversarial Network-Intrusion Detection System) based on dual generative adversarial networks is presented in this paper. In this framework, DCGAN (Deep Convolutional Generative Adversarial Network) is adopted to train a generator which has good performance to generate adversarial sample, and is transferred to the generator of TGAN. A pre-training model named PreD is built based on CNN (Convolutional Neural Network), which has good performance to do binary classification, and is transferred to the discriminator of TGAN. The generator and discriminator of TGAN play games in training process until the discriminator has a strong ability to detection unknown attack, and then it is output as an anomaly detector. In order to suppress the deterioration of normal sample detection ability during adversarial training of TGAN, a reconstruction loss function is introduced into the target function of TGAN. Experiments on a mixed dataset which is constructed by CICIDS2017 and other ransomware datasets show comparing with other deep learning network, such as AlexNet, ResNet and DenseNet etc., TGAN-IDS performs well in the indicators of detection accuracy, recall or F1-score etc. Also experiments on KDD99, SWaT and WADI datasets show that TGAN-IDS is suitable for other unencrypted unknown network attack detection.INDEX TERMS Ransomware, encrypted traffic, anomaly detection, GAN, transfer learning.

show abstract

Anomaly Detection Method for Integrated Encrypted Malicious Traffic Based on RFCNN-GRU

Zhao,

Ma,

Fan

et al. 2024

Communications in Computer and Information Science

View full text Add to dashboard Cite

THS-IDPC: A three-stage hierarchical sampling method based on improved density peaks clustering algorithm for encrypted malicious traffic detection

Cited by 26 publications

References 21 publications

Machine Learning for Encrypted Malicious Traffic Detection: Approaches, Datasets and Comparative Study

Machine Learning for Encrypted Malicious Traffic Detection: Approaches, Datasets and Comparative Study

Dual Generative Adversarial Networks Based Unknown Encryption Ransomware Attack Detection

Anomaly Detection Method for Integrated Encrypted Malicious Traffic Based on RFCNN-GRU

Contact Info

Product

Resources

About