Abstract
With the continuous advancement of information technology, concerns about privacy and the security of network communication are growing. Many applications have adopted encryption to ensure the confidentiality of network communication. However, encryption has also created opportunities for attackers, who use it to conceal malicious activity, which poses a significant challenge for traffic detection. Traditional traffic detection methods operate primarily at packet-level or session-level granularity and usually ignore the relationships between multiple sessions, so they fail to capture the full communication patterns exhibited by malware. In this paper, we propose a graph-based method for detecting encrypted malicious traffic, called HIG-RF. It uses the GraphSAGE algorithm to generate host embeddings that capture the behaviour patterns of hosts, and then uses a Random Forest model to assess the probability that each host is infected. Our experiments show that HIG-RF achieves over 98% classification accuracy and over 98.5% recall, outperforming other advanced models.
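To make the two-stage design described in the abstract concrete, the following is an added example, not code from the paper or its authors. It builds a host interaction graph from session records, derives per-host node features, and applies GraphSAGE-style mean aggregation so that each host's embedding reflects the behaviour of the peers it communicates with rather than only its own sessions. The session records, the feature choice and the absence of learned weights are all assumptions made for illustration; the paper's actual feature set and trained model are not reproduced here.

```python
"""
Added illustrative example (not the HIG-RF paper's code): a host
interaction graph built from session records, with GraphSAGE-style
mean aggregation producing host embeddings that capture cross-session
behaviour. Session data below is constructed sample data; the feature
choice is an assumption, and the aggregator has no learned weights.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dst_port: int
    bytes_out: int
    bytes_in: int
    duration_s: float


# Constructed sample sessions (not real traffic). 10.0.0.5 repeatedly
# contacts a single peer with small, uniform exchanges; 10.0.0.7 has a
# few ordinary, larger sessions; 10.0.0.9 talks to both kinds of peer.
SESSIONS = [
    Session("10.0.0.5", "203.0.113.10", 443, 512, 256, 0.2),
    Session("10.0.0.5", "203.0.113.10", 443, 512, 256, 0.2),
    Session("10.0.0.5", "203.0.113.10", 443, 512, 256, 0.2),
    Session("10.0.0.5", "203.0.113.10", 443, 512, 256, 0.2),
    Session("10.0.0.7", "198.51.100.20", 443, 2100, 64000, 3.5),
    Session("10.0.0.7", "198.51.100.21", 443, 1800, 120000, 5.1),
    Session("10.0.0.7", "198.51.100.22", 443, 900, 35000, 1.2),
    Session("10.0.0.9", "203.0.113.10", 443, 512, 256, 0.2),
    Session("10.0.0.9", "198.51.100.20", 443, 2000, 50000, 2.0),
]


def build_graph(sessions):
    """Undirected host interaction graph: host -> set of peer hosts."""
    graph = defaultdict(set)
    for s in sessions:
        graph[s.src].add(s.dst)
        graph[s.dst].add(s.src)
    return graph


def host_features(sessions):
    """Node features per host, aggregated over every session the host
    took part in (as source or destination):
    [session count, distinct peers, mean total bytes, mean duration]."""
    per_host = defaultdict(list)
    for s in sessions:
        per_host[s.src].append(s)
        per_host[s.dst].append(s)
    feats = {}
    for host, ss in per_host.items():
        peers = {s.dst if s.src == host else s.src for s in ss}
        n = len(ss)
        feats[host] = [
            float(n),
            float(len(peers)),
            sum(s.bytes_out + s.bytes_in for s in ss) / n,
            sum(s.duration_s for s in ss) / n,
        ]
    return feats


def mean_aggregate(graph, h):
    """One GraphSAGE-style mean-aggregator step (weights omitted):
    new_h[v] = concat(h[v], mean of h[u] over neighbours u of v).
    In a trained layer the concatenation would be multiplied by a
    learned weight matrix and passed through a nonlinearity."""
    new_h = {}
    for v, neigh in graph.items():
        dim = len(h[v])
        agg = [0.0] * dim
        for u in sorted(neigh):  # sorted for deterministic float sums
            for i, val in enumerate(h[u]):
                agg[i] += val
        if neigh:
            agg = [a / len(neigh) for a in agg]
        new_h[v] = list(h[v]) + agg
    return new_h


def embed_hosts(sessions, hops=1):
    """Host embeddings after `hops` rounds of neighbourhood aggregation.
    Each round doubles the embedding width; with hops=2 a host's
    embedding already reflects the peers of its peers."""
    graph = build_graph(sessions)
    h = host_features(sessions)
    for _ in range(hops):
        h = mean_aggregate(graph, h)
    return h


if __name__ == "__main__":
    # The resulting vectors are what a downstream classifier such as a
    # Random Forest would be trained on, one row per internal host.
    for host, vec in sorted(embed_hosts(SESSIONS).items()):
        print(host, [round(x, 3) for x in vec])
```

The embedding for 10.0.0.5 is its own four features followed by the features of its only peer, so the peer's session count and peer count (5 sessions, 2 distinct peers) become part of the description of 10.0.0.5 even though 10.0.0.5 itself only ever contacted one address. In practice the features would be standardised and the rows for labelled hosts passed to a Random Forest, which is the role the abstract assigns to the second stage of HIG-RF.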
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Guo, Q., Yang, W., Cui, B. (2024). Graph-Based Detection of Encrypted Malicious Traffic with Spatio-Temporal Features. In: Barolli, L. (eds) Advances in Internet, Data & Web Technologies. EIDWT 2024. Lecture Notes on Data Engineering and Communications Technologies, vol 193. Springer, Cham. https://doi.org/10.1007/978-3-031-53555-0_8
DOI: https://doi.org/10.1007/978-3-031-53555-0_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-53554-3
Online ISBN: 978-3-031-53555-0
eBook Packages: Intelligent Technologies and Robotics (R0)