Malicious encrypted traffic features extraction model based on unsupervised feature adaptive learning

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

As network traffic is increasingly valued for privacy protection and encrypted SSL/TLS (Secure Sockets Layer/Transport Layer Security) traffic surges, more and more malicious behavior is hidden inside it. Current detection methods are less accurate at detecting new and unknown malicious traffic. Although methods based on supervised machine learning models achieve excellent accuracy, they offer weak detection and poor scalability for new and unknown malicious traffic. This paper therefore proposes a malicious SSL/TLS traffic detection method based on feature adaptive learning. The model automatically learns key classification information from unlabeled malicious SSL/TLS encrypted traffic and uses 5-Tuple-Masking to optimize the input data, which greatly improves the model's ability to adapt to new malicious traffic in complex network environments. Experimental verification shows a comprehensive accuracy rate of 89.25%. A supervised convolutional neural network detection method is also used as a comparison to test the feasibility of this model in the field of malicious SSL/TLS traffic detection.
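The abstract does not define 5-Tuple-Masking, so the following is an added illustration of my own (not the paper's code) under the assumption that it means zeroing the five header fields that identify a flow (source and destination IP, protocol, source and destination port) before the packet bytes reach the model, so the model has to learn from the TLS content rather than from addresses. The packets and the TLS record bytes are constructed for the example.

```python
import struct

# Constructed sample payload: the first bytes of a TLS handshake record
# (content type 0x16, version 3.1, length 5); not a real ClientHello.
TLS_RECORD = bytes.fromhex("1603010005" "0100000100")


def build_tcp_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4/TCP packet (checksums left zero) around a payload."""
    def ip4(dotted: str) -> bytes:
        return bytes(int(octet) for octet in dotted.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                         64, 6, 0, ip4(src_ip), ip4(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def mask_five_tuple(packet: bytes) -> bytes:
    """Zero the 5-tuple (src IP, dst IP, protocol, src port, dst port) of an
    IPv4/TCP or IPv4/UDP packet and return the result. Everything else,
    including the TLS record payload, is left intact, so a model can only
    learn from flow content and shape, not from which hosts were talking."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4           # honour IP options (IHL > 5)
    if packet[9] not in (6, 17):           # TCP or UDP only
        raise ValueError("unsupported transport protocol")
    if len(packet) < ihl + 4:
        raise ValueError("truncated transport header")
    buf = bytearray(packet)
    buf[9] = 0                             # protocol
    buf[12:20] = bytes(8)                  # src and dst IP
    buf[ihl:ihl + 4] = bytes(4)            # src and dst port
    return bytes(buf)


def masked_equal(a: bytes, b: bytes) -> bool:
    """True when two packets differ only in their 5-tuple."""
    return mask_five_tuple(a) == mask_five_tuple(b)


if __name__ == "__main__":
    p1 = build_tcp_packet("10.0.0.5", "203.0.113.9", 51514, 443, TLS_RECORD)
    p2 = build_tcp_packet("192.168.1.7", "198.51.100.2", 40000, 443, TLS_RECORD)
    print(p1 == p2, masked_equal(p1, p2))   # False True
```

Two flows from different hosts carrying the same record become identical inputs after masking, which is the property that keeps the learned features independent of addresses that change between environments.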



Acknowledgements

This research is supported by the National Key Research and Development Program of China (No. 2017YFB0802500, No. 2016YFB0800904) and the Shanghai industrial foundation project (Grant No. GYQJ-2018-3-03).

Corresponding author

Correspondence to Zhihong Zhou.


Cite this article

Zhou, Z., Bin, H., Li, J. et al. Malicious encrypted traffic features extraction model based on unsupervised feature adaptive learning. J Comput Virol Hack Tech 18, 453–463 (2022). https://doi.org/10.1007/s11416-022-00429-y
