Abstract

Nowadays, most network traffic is encrypted, which protects user privacy but hides attack traces, further hindering identifying attacks to inspect traffic packages. Machine Learning (ML) methods are widely applied to attack classification on encrypted traffic owing to no need for manual analysis. However, existing studies only concentrate on basic statistical features and cannot obtain the crucial attack behaviors hiding in the encrypted traffic. Worse still, attackers constantly update attack vectors to evade detection, which means outdated features extracted from historical traffic fail to recognize unseen attacks.As a solution, we propose an attack classification approach, attack fingerprint based on graphs of time-window (TGPrint). We first filter normal traffic flows using ML models to eliminate the impact of useless, noisy data for attack classification and maintain suspicious traffic. Then, we create attack graphs to depict interaction behaviors of attack-victim hosts from suspicious traffic containing crucial attack behaviors. Besides, we divide a specific duration for each attack to precisely elaborate attack graphs, where temporal, statistical, and aggregate features are extracted to portray attack behaviors. Finally, we utilize Graph Neural Networks (GNNs) to mine and grasp the crucial behavior patterns from attack graphs to generate fingerprints and classify attacks, even unseen attacks. Extensive experiments are conducted on well-known datasets to verify our approach. It achieves a precision of 99% in attack classification on encrypted traffic, an average higher than other ML methods of 50%. Meanwhile, it classifies unseen attacks with an average accuracy of over 80% and has a strong robustness to false positives.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.