Abstract
In recent years, the use of the TLS (Transport Layer Security) protocol to protect communications has become increasingly widespread as users have grown more aware of network security. However, attackers also exploit the very properties of TLS to carry out covert malicious activity, which threatens the security of cyberspace. The traffic detection methods in common use are not always reliable when applied to encrypted malicious traffic detection because of their limitations; the most significant problem is that they do not focus on the key features of encrypted traffic. To address this problem, this study proposes an efficient detection model for encrypted malicious traffic based on the Transport Layer Security protocol and a multi-head self-attention mechanism, called TLS-MHSA. First, we extract the features of TLS traffic during pre-processing and use traffic statistics to filter out redundant features. Then we use a multi-head self-attention mechanism to focus on learning the key features and to generate the most important combined features, from which the detection model is constructed to detect encrypted malicious traffic. Finally, we use a public dataset to verify the effectiveness and efficiency of TLS-MHSA; the experimental results show that the proposed model achieves high precision, recall, F1-measure and AUC-ROC, and higher stability than seven state-of-the-art detection models.
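The pre-processing step the abstract describes, extracting features from TLS traffic without decrypting it and then filtering features that carry no information, is shown below as an added example; it is not code from the paper or from the TLS-MHSA authors. It parses a TLS ClientHello record into the handshake features commonly used for non-decrypting detection (legacy version, offered cipher suites, extension list, SNI, ALPN, supported groups and versions) and then drops any feature whose value never varies across the flows seen. The feature names, the constant-value filter and the two sample ClientHello records are this example's own constructions; the abstract does not state which features or which statistical filter the paper uses.

```python
"""Added example: non-decrypting TLS ClientHello feature extraction and a simple
redundancy filter. Feature names, filter and sample records are this example's own."""
import struct

CONTENT_TYPE_HANDSHAKE, HANDSHAKE_CLIENT_HELLO = 0x16, 0x01     # RFC 5246
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS = 0x0000, 0x000A           # RFC 6066 / RFC 8422
EXT_ALPN, EXT_SUPPORTED_VERSIONS = 0x0010, 0x002B                # RFC 7301 / RFC 8446


def _u8(buf, off):
    if off >= len(buf):
        raise ValueError("truncated field")
    return buf[off]


def _u16(buf, off):
    if off + 2 > len(buf):
        raise ValueError("truncated field")
    return int.from_bytes(buf[off:off + 2], "big")


def parse_client_hello(record: bytes) -> dict:
    """Turn one TLS record carrying a ClientHello into a feature dict. Every length
    is checked against the bytes present; a ValueError lets the caller count
    malformed hellos instead of emitting a half-filled feature vector."""
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = _u16(record, 3)
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = _u16(hello, pos); pos += 2
    pos += 32 + 1 + _u8(hello, pos + 32)           # client random, then legacy session id
    cs_len = _u16(hello, pos); pos += 2
    cipher_suites = [_u16(hello, i) for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    pos += 1 + _u8(hello, pos)                     # compression methods
    f = {"record_len": rec_len, "legacy_version": legacy_version,
         "cipher_suites": cipher_suites, "extensions": [], "sni": None,
         "alpn": [], "supported_groups": [], "supported_versions": []}
    if pos == len(hello):                          # hello without extensions
        return f
    end = pos + 2 + _u16(hello, pos); pos += 2
    if end != len(hello):
        raise ValueError("extensions length mismatch")
    while pos < end:
        ext_type, ext_len = _u16(hello, pos), _u16(hello, pos + 2); pos += 4
        data = hello[pos:pos + ext_len]; pos += ext_len
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        f["extensions"].append(ext_type)
        if ext_type == EXT_SERVER_NAME:            # list_len(2) type(1) name_len(2) name
            f["sni"] = data[5:5 + _u16(data, 3)].decode("ascii", "replace")
        elif ext_type == EXT_SUPPORTED_GROUPS:     # list_len(2) then 2-byte group ids
            f["supported_groups"] = [_u16(data, i) for i in range(2, 2 + _u16(data, 0), 2)]
        elif ext_type == EXT_ALPN:                 # list_len(2) then len(1)+name entries
            i = 2
            while i < len(data):
                f["alpn"].append(data[i + 1:i + 1 + data[i]].decode("ascii", "replace"))
                i += 1 + data[i]
        elif ext_type == EXT_SUPPORTED_VERSIONS:   # len(1) then 2-byte versions
            f["supported_versions"] = [_u16(data, i) for i in range(1, 1 + _u8(data, 0), 2)]
    return f


def build_client_hello(cipher_suites, sni=None, alpn=(), versions=(0x0304, 0x0303)) -> bytes:
    """Constructed test input (not a capture): assemble a minimal ClientHello record."""
    def ext(t, data): return struct.pack("!HH", t, len(data)) + data
    exts = b""
    if sni is not None:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode()
        exts += ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)
    groups = struct.pack("!HH", 0x001D, 0x0017)          # x25519, secp256r1
    exts += ext(EXT_SUPPORTED_GROUPS, struct.pack("!H", len(groups)) + groups)
    if alpn:
        entries = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        exts += ext(EXT_ALPN, struct.pack("!H", len(entries)) + entries)
    vers = b"".join(struct.pack("!H", v) for v in versions)
    exts += ext(EXT_SUPPORTED_VERSIONS, bytes([len(vers)]) + vers)
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([CONTENT_TYPE_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def drop_constant_features(rows):
    """Redundancy filter (this example's choice, not necessarily the paper's): drop every
    feature whose value is identical across all flows, since it cannot separate classes.
    Lists are compared in order, so a different cipher-suite ordering is a different value."""
    canon = lambda v: tuple(v) if isinstance(v, list) else v
    keep = [k for k in rows[0] if len({canon(r[k]) for r in rows}) > 1]
    return [{k: r[k] for k in keep} for r in rows]


if __name__ == "__main__":
    # Two constructed flows: a browser-like hello and a sparse one with no SNI or ALPN.
    flows = [build_client_hello([0x1301, 0x1302, 0xC02B], "example.com", ("h2", "http/1.1")),
             build_client_hello([0x0035])]
    for row in drop_constant_features([parse_client_hello(r) for r in flows]):
        print(row)
```

On real traffic the parser is fed the first handshake record of each flow in client-to-server direction; the per-record lengths and timing of the following records are the usual companions to these handshake fields, and the constant-value filter is only the simplest of the statistics one would apply before training.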
Index Terms
- TLS-MHSA: An Efficient Detection Model for Encrypted Malicious Traffic based on Multi-Head Self-Attention Mechanism