Abstract

The main methods for protecting user privacy and addressing cybersecurity problems caused by encrypted traffic are non-decryption detection approaches. However, these methods face problems such as the small number of trainable features and imbalanced training datasets, which seriously affect the robustness of existing malicious encrypted traffic detection systems (TDSs). To address these issues, we identify malicious encrypted traffic with a causality explainable detection system (METCXDS). Our detection tasks increase the number of noncryptographic features and eliminate noise features to improve interpretability. First, we extract and recombine temporal and statistical features to increase the number of trainable features. Then, the influence of causal features on the results is enhanced by weighting causal reasoning features, and noise features with low weights are removed to improve the causal interpretability of the detection results. Furthermore, samples are generated through a Wasserstein generative adversarial network (WGAN) that learns the causal feature distribution to balance the training samples. Finally, the METCXDS performance is evaluated through the detection balance index and causal feature index. On the CICIDS2017 and DoHBrw2020 datasets, compared with previous TDSs, our system improves the overall F1 score by up to >10%. The causality of the detection results is also verified by the causal effects, which identify the causes of anomalies in encrypted traffic and clarify the decision-making process of the detection system.
