Network Traffic Features Research Articles

Cyber-Securing Medical Devices Using Machine Learning: A Case Study of Pacemaker

This study aims to enhance the cybersecurity framework of pacemaker devices by identifying vulnerabilities and recommending effective strategies. The objectives are to pinpoint cybersecurity weaknesses, utilize machine learning to predict security breaches, and propose countermeasures based on analytical trends. The literature review highlights the transformation of pacemaker technology from basic, fixed-rate devices to sophisticated systems with wireless capabilities, which, while improving patient care, also introduce significant cybersecurity risks. These risks include unauthorized entry, data breaches, and life-threatening device malfunctions. The methodology in this study utilizes a quantitative research approach using the WUSTL-EHMS-2020 dataset, which includes network traffic features, patients' biometric features, and attack label. The step-by-step method of machine learning prediction includes data collection, data preprocessing, feature engineering, and models’ training using Support Vector Machines (SVM) and Gradient Boosting Machines (GBM). The implementation results used evaluation metrics like accuracy, precision, recall, and F1 score to show that GBM model outperformed the SVM model. The GBM model achieved higher accuracy of 95.1% compared to 92.5% for SVM, greater precision of 99.6% compared to 96.7% for SVM, better recall of 94.9% compared to 42.7% for SVM, and a higher F1 score of 76.3% compared to 59.0% for SVM, making GBM model more effective in predicting cybersecurity threats. This study concludes that GBM is an effective machine learning model for enhancing pacemaker cybersecurity by analyzing network traffic and biometric data patterns. Future recommendations for improving the pacemaker cybersecurity include implementing GBM model for threat predictions, integration with existing security measures, and regular model updates and retraining.

Gauss Markov and Flow Balanced Vector Radial Learning network traffic classification on IoT with SDN.

Recent evolution in connected devices modelled a massive stipulation for network traffic resources and classification. Software-defined networking (SDN) enables ML techniques with the Internet of Things (IoT) to automate network traffic. This helps to reduce accuracy and improves latency. Problems by conventional techniques to categorize network traffic acquired from IoT and assign resources can be resolved through SDN solutions. This manuscript proposes a proposed network traffic classification technique on IoT with SDN called Gauss Markov and Flow-balanced Vector Radial Learning (GM-FVRL). With the network traffic features acquired from the IoT devices, SDN-enabled Gauss Markov Correlation-based IoT Network Traffic Feature Extraction is applied to extort relevant network aspects. Next, the flow-balanced radial-based ML model for network traffic categorization uses the relevant extracted network traffic features. With the aid of flow, the balanced radial basis function reduces the influence of noise due to distinct network flow. This helps to improve accuracy and minimize latency. Due to this, better precision and recall is ensured. Performance of our method has been evaluated utilizing a scheme using an SDN traffic dataset. The results show that our method classifies the network traffic with high classification accuracy and minimum latency, ensuring better precision and recall.

Network Traffic Feature Behaviour Augmentation Fusion based Attacks Classification for Intrusion Detection System in SDN Framework

The implementation of Software-Defined Network(SDN) across multiple data centers aims to simplify thecontrol and management of networks. However, the increasingpopularity of SDN has also attracted the attention of attackers.To tackle this problem, it is essential to have an intrusiondetection system (IDS) in place, which plays a crucial role incybersecurity by addressing external threats. The advantageof SDN’s centralized nature is that it facilitates the training ofan IDS based on machine learning. However, there is a scarcityof research specifically focused on intrusion detection in SDN.Existing literature often treats SDN intrusion detection assimilar to traditional computer systems and relies on intrusiondatasets generated for those systems. We explore the issueof intrusion detection in SDN using the most recent publicdataset (InSDN). However, InSDN is an imbalanced data set.In this paper, we have recommended a method to balance thedata as well as a method to find the best features to improvethe quality of IDS using Machine Learning. In addition, wealso suggest a method of classifying SDN network traffic andnormal network traffic. At the same time, we also evaluate theefficiency of the SDN system with the load balancing systemand without the load balancing system.

The Attention-Based Autoencoder for Network Traffic Classification with Interpretable Feature Representation

Network traffic classification is crucial for identifying network applications and defending against network threats. Traditional traffic classification approaches struggle to extract structural features and suffer from poor interpretability of feature representations. The high symmetry between network traffic classification and its interpretable feature representation is vital for network traffic analysis. To address these issues, this paper proposes a traffic classification and feature representation model named the attention mechanism autoencoder (AMAE). The AMAE model extracts the global spatial structural features of network traffic through attention mechanisms and employs an autoencoder to extract local structural features and perform dimensionality reduction. This process maps different network traffic features into one-dimensional coordinate systems in the form of spectra, termed FlowSpectrum. The spectra of different network traffic represent different intervals in the coordinate system. This paper tests the interpretability and classification performance of network traffic features of the AMAE model using the ISCX-VPN2016 dataset. Experimental results demonstrate that by analyzing the overall distribution of attention weights and local weight values of network traffic, the model effectively explains the differences in the spectral representation intervals of different types of network traffic. Furthermore, our approach achieves the highest classification accuracy of up to 100% for non-VPN-encrypted traffic and 99.69% for VPN-encrypted traffic, surpassing existing traffic classification schemes.

SEARCH FOR INFORMATIVE FEATURES BASED ON THE PRINCIPAL COMPONENT METHOD IN MALICIOUS TRAFFIC IDENTIFICATION AND ASSESSMENT TASKS

The proposed study will be aimed at improving the accuracy of detecting malicious traffic in telecommunications networks of companies. One of the important tasks of the study was to develop a model of the required network traffic feature space by highlighting the most informative features of network packets. Due to the fact that the analysis of all the features present in network traffic requires large computing resources and the redundancy of the analyzed data can lead to retraining of the developed model, there is an urgent need to reduce the size of the feature space by highlighting the most informative and excluding less informative features. This article proposes the application of the principal component method to achieve the goal of identifying the most informative features from network traffic. The proposed approach increases the reliability of the results of identification of malicious traffic of companies, without loss of quality.

Network Traffic Classification Model Based on Spatio-Temporal Feature Extraction

The demand for encrypted communication is increasing with the continuous development of secure and trustworthy networks. In edge computing scenarios, the requirement for data processing security is becoming increasingly high. Therefore, the accurate identification of encrypted traffic has become a prerequisite to ensure edge intelligent device security. Currently, encrypted network traffic classification relies on single-feature extraction methods. These methods have simple feature extraction, making distinguishing encrypted network data flows and designing compelling manual features challenging. This leads to low accuracy in multi-classification tasks involving encrypted network traffic. This paper proposes a hybrid deep learning model for multi-classification tasks to address this issue based on the synergy of dilated convolution and gating unit mechanisms. The model comprises a Gated Dilated Convolution (GDC) module and a CA-LSTM module. The GDC module completes the spatial feature extraction of encrypted network traffic through dilated convolution and gating unit mechanisms. In contrast, the CA-LSTM module focuses on extracting temporal network traffic features. By employing a collaborative approach to extract spatio-temporal features, the model ensures feature extraction diversity, guarantees robustness, and effectively enhances the feature extraction rate. We evaluate our multi-classification model using the ISCX VPN-nonVPN public dataset. Experimental results show that the proposed method achieves an accuracy rate of over 95% and a recall rate of over 90%, significantly outperforming existing methods.

SNDMI: Spyware network traffic detection method based on inducement operations

Spyware is a type of malware widely used by attackers to steal confidential information from users without their knowledge. It has the characteristics of high latency, high stealth, and high threat. Spyware typically uses trigger-based tactics to implement its malicious behavior, making it a challenge for traditional host-based detection methods and traditional network traffic-based detection methods to implement highly accurate and efficient spyware detection. To address this problem, this article focuses on the network behavior of spyware, analyzes the inducibility of spyware network traffic, and further proposes a spyware network traffic detection method based on inducement operations (SNDMI). SNDMI can cause spyware to generate more network traffic for detection by using inducement operations in the constructed inducement operation set. SNDMI extracts three types of network traffic features: distributional features, statistical features, and trend features, and uses a genetic algorithm to select features. The experimental results show that SNDMI with LightGBM achieves an accuracy of 98.98% and a false positive rate of 0.45% on the traffic of hundreds of benign and spyware samples.

Comparing Metaheuristic Search Techniques in Addressing the Effectiveness of Clustering-Based DDoS Attack Detection Methods

Distributed Denial of Service (DDoS) attacks have increased in frequency and sophistication over the last ten years. Part of the challenge of defending against such attacks requires the analysis of very large volumes of data. Metaheuristic algorithms can assist in selecting relevant features from the network traffic data for use in DDoS detection models. By efficiently exploring different combinations of features, these methods can identify subsets that are informative for distinguishing between normal and attack traffic. However, identifying an optimized solution in this area is an open research question. Tuning the parameters of metaheuristic search techniques in the optimization process is critical. In this study, a switching approximation is used in a variety of metaheuristic search techniques. This approximation is used to find the best solution for the analysis of the network traffic features in either lower or upper values between 0 and 1. We compare the fine-tuning of this parameter against standard approaches and find that it is not substantially better than the BestFirst algorithm (a standard default approach for feature selection). This study contributes to the literature by testing and eliminating various fine-tuning strategies for the metaheuristic approach.

Bolstering IoT security with IoT device type Identification using optimized Variational Autoencoder Wasserstein Generative Adversarial Network

ABSTRACT Due to the massive growth in Internet of Things (IoT) devices, it is necessary to properly identify, authorize, and protect against attacks the devices connected to the particular network. In this manuscript, IoT Device Type Identification based on Variational Auto Encoder Wasserstein Generative Adversarial Network optimized with Pelican Optimization Algorithm (IoT-DTI-VAWGAN-POA) is proposed for Prolonging IoT Security. The proposed technique comprises three phases, such as data collection, feature extraction, and IoT device type detection. Initially, real network traffic dataset is gathered by distinct IoT device types, like baby monitor, security camera, etc. For feature extraction phase, the network traffic feature vector comprises packet sizes, Mean, Variance, Kurtosis derived by Adaptive and concise empirical wavelet transforms. Then, the extracting features are supplied to VAWGAN is used to identify the IoT devices as known or unknown. Then Pelican Optimization Algorithm (POA) is considered to optimize the weight factors of VAWGAN for better IoT device type identification. The proposed IoT-DTI-VAWGAN-POA method is implemented in Python and proficiency is examined under the performance metrics, like accuracy, precision, f-measure, sensitivity, Error rate, computational complexity, and RoC. It provides 33.41%, 32.01%, and 31.65% higher accuracy, and 44.78%, 43.24%, and 48.98% lower error rate compared to the existing methods.

Detecting cyberthreats in Metaverse learning platforms using an explainable DNN

The rapid integration of the Internet of Artificial Intelligence and Internet of Things (AI-IoT) technologies has given rise to a pivotal element of the upcoming digital era, the Metaverse. This confluence has significantly impacted virtual learning platforms by introducing enhanced, immersive, and interactive environments for learners, educators, and institutions. However, the growing reliance on Metaverse necessitates robust cybersecurity measures to detect and mitigate cyber threats and ensure the safety of users. This paper proposes an explainable deep neural network (DNN) designed to identify and address network intrusion attacks within Metaverse learning environments. By leveraging the latest cybersecurity IoT datasets and employing an effective feature selection method, this study provides a visually interpretable, trustworthy, and quantitative explanation of the network intrusion detection system (NIDS) model using Shapley Additive exPlanations (SHAP) and local interpretable model-agnostic explanation (LIME) explainability methods. The adopted explainable DNN, capable of processing network traffic features from interconnected Metaverse devices and IoT sensors, can facilitate accurate and comprehensible remediation of anomalous from benign activities within Metaverse. The NIDS model yields a high performing accuracy of 99.9% for establishing a more secure and trustworthy metaverse learning environment.

Digital Twin for Transportation Big Data: A Reinforcement Learning-Based Network Traffic Prediction Approach

Vehicular Ad-Hoc Networks (VANETs), as the crucial support of Intelligent Transportation Systems (ITS), have received great attention in recent years. With the rapid development of VANETs, various services have generated a great deal of data that can be used for transportation planning and safe driving. Especially, with the advent of Coronavirus Disease 2019 (COVID-19), the transportation system has been impacted, thus novel modes of transportation planning and intelligent applications are necessary. Digital twins can provide powerful support for artificial intelligence applications in Transportation Big Data (TBD). The features of VANETs are varying, which arises the main challenge of digital twins applying in TBD. Network traffic prediction, as part of digital twins, is useful for network management and security in VANETs, such as network planning and anomaly detection. This paper proposes a network traffic prediction algorithm aiming at time-varying traffic flows with a large number of fluctuations. This algorithm combines Deep Q-Learning (DQN) and Generative Adversarial Networks (GAN) for network traffic feature extraction. DQN is leveraged to carry out network traffic prediction, in which GAN is involved to represent Q-network. Meanwhile, the generative network can increase the number of samples to improve the prediction error. We evaluate the performance of our method by implementing it on three real network traffic data sets. Finally, we compare the two state-of-the-art competing methods with our method.

A feature selection based on genetic algorithm for intrusion detection of industrial control systems

With the popularity of Internet technology, industrial control systems (ICS) have started to access the Internet, which significantly facilitates engineers to manage ICS remotely but also exposes risks. Usually, an intrusion detection system (IDS) is used to secure network systems. Feature selection plays a crucial role in IDSs because detecting anomalies from high-dimensional network traffic features is time-consuming. However, few specific studies have been conducted for ICS. Many redundant features and data imbalance problems in ICS data lead to poor performance and low efficiency of generic IDS classification. In this paper, we design a genetic algorithm-based feature selection method for ICS characteristics. The proposed method incorporates a feature ranking fusion mechanism in the genetic algorithm for eliminating redundant features, enhances the global merit-seeking speed using the growing tree clustering idea, and we also design a new fitness function for ICS characteristics. The effectiveness and advancement of the proposed method are demonstrated on a real ICS dataset.

Network Source Identification Mechanism for IoT Devices Using Machine Learning Techniques

The rapid progress and evolution of the Internet of Things (IoT) have led to a significant increase in the occurrence of security gaps. Pinpointing the source of network traffic coming from IoT devices can be challenging, but doing so can reduce security risks. This study proposes a network traffic source identification mechanism that leverages machine learning (ML) techniques to accurately determine the source of network traffic. The study utilizes a diverse dataset obtained from a purpose-built IoT/IIoT testbed and employs feature extraction, model development, and evaluation techniques. By utilizing network traffic features, a range of classifiers, including LGBMClassifier (LGBM), CatBoostClassifier (CB), RandomForestClassifier (RF), ExtraTreesClassifier (ET), KneighborsClassifier (KNN), and DecisionTreeClassifier (DT), were trained and evaluated. The results demonstrate exceptional performance across the classifiers, with high accuracy, precision, recall, and F1 scores achieved in identifying the source of network traffic. Among the classifier models, LGBM achieved the best accuracy value of 0.99999857, precision value of 0.99999859, and F1 score of 0.999998803, with CB achieving the best recall of 0.999997875. Some of these results are novel, and others performed better than existing systems. The findings of this study contribute to source identification, ensure the accountability of IoT network users, and provide insights into developing better defenses against security threats in the IoT domain

Anomaly Detection for Modbus over TCP in Control Systems Using Entropy and Classification-Based Analysis

This article presents a statistical approach using entropy and classification-based analysis to detect anomalies in industrial control systems traffic. Several statistical techniques have been proposed to create baselines and measure deviation to detect intrusion in enterprise networks with a centralized intrusion detection approach in mind. Looking at traffic volume alone to find anomalous deviation may not be enough—it may result in increased false positives. The near real-time communication requirements, coupled with the lack of centralized infrastructure in operations technology and limited resources of the sensor motes, require an efficient anomaly detection system characterized by these limitations. This paper presents extended results from our previous work by presenting a detailed cluster-based entropy analysis on selected network traffic features. It further extends the analysis using a classification-based approach. Our detailed entropy analysis corroborates with our earlier findings that, although some degree of anomaly may be detected using univariate and bivariate entropy analysis for Denial of Service (DOS) and Man-in-the-Middle (MITM) attacks, not much information may be obtained for the initial reconnaissance, thus preventing early stages of attack detection in the Cyber Kill Chain. Our classification-based analysis shows that, overall, the classification results of the DOS attacks were much higher than the MITM attacks using two Modbus features in addition to the three TCP/IP features. In terms of classifiers, J48 and random forest had the best classification results and can be considered comparable. For the DOS attack, no resampling with the 60–40 (training/testing split) had the best results (average accuracy of 97.87%), but for the MITM attack, the 80–20 non-attack vs. attack data with the 75–25 split (average accuracy of 82.81%) had the best results.

Is iterative feature selection technique efficient enough? A comparative performance analysis of RFECV feature selection technique in ransomware classification using SHAP

The realm of cybersecurity places significant importance on early ransomware detection. Feature selection is critical in this context, as it enhances detection accuracy, mitigates overfitting, and reduces training time by eliminating irrelevant and redundant data. However, iterative feature selection techniques tend to select the best-performing subset of features through an iterative process which leaves chance for a crucial feature not being selected and the number of selected features may not always be the optimal or the most suitable for a given problem. Hence, this study aims to conduct a performance comparison analysis of an iterative feature selection technique- Recursive Feature Elimination with Cross-Validation (RFECV) with six supervised Machine Learning (ML) models to evaluate its efficiency in classifying ransomware utilizing the Application Programming Interface (API) call and network traffic features. The study employs an Explainable Artificial Intelligence (XAI) framework called SHapley Additive exPlanations (SHAP) to derive the crucial features when RFECV is not integrated with the ML models. These features are then compared with RFECV-selected features when it is integrated. Results show that without RFECV the ML models achieve better classification accuracies on two datasets. Again, RFECV falls short of selecting impactful features, leading to more false alarms. Moreover, it lacks the capability to rank the features based on their importance, reducing its efficiency in ransomware classification overall. Thus, this study underscores the importance of integrating explainability techniques to identify critical features, rather than solely relying on iterative feature selection methods, to enhance the resilience of ransomware detection systems.

A Collaborative Stealthy DDoS Detection Method Based on Reinforcement Learning at the Edge of Internet of Things

The weaknesses of IoT devices leads to vulnerabilities easily, which can be exploited by criminals to launch distributed denial of service (DDoS) attacks, becoming a major security hazard. Nowadays, the rapid development of the Internet of Things (IoT) makes the IoT-based DDoS attacks have the characteristics of wide distribution, large scale and more stealthy that brings greater challenges for the DDoS detection. In this paper, we conduct our research based on the edge-side of IoT for providing earlier detection capability and more efficient resource utilization. We propose a novel reinforcement learning-based collaborative DDoS detection method and design a lightweight unsupervised classifier based on statistics. We deploy the classifiers in IoT edge gateways to detect anomalies by analyzing network traffic features in time. In order to deal with the dynamic changes of the IoT environment, we use the Soft Actor-Critic (SAC) reinforcement learning model deployed on the edge server to adjust the parameter configuration of the underlying unsupervised classifier dynamically, which can ensure excellent detection effect for different types of IoT devices. In addition, a collaborative aggregation module is designed in the edge server to share the observation state and historical experience, which has a unique collaborative reward mechanism for the reinforcement learning model to fully mobilize the collaborative work capability. The experiments on public dataset and constructed real-world testbed demonstrate that our proposed method has excellent detection performance and especially it can also discover stealthy IoT-based DDoS attacks accurately.

A multimodal hybrid parallel network intrusion detection model

With the rapid growth of Internet data traffic, the means of malicious attack become more diversified. The single modal intrusion detection model cannot fully exploit the rich feature information in the massive network traffic data, resulting in unsatisfactory detection results. To address this issue, this paper proposes a multimodal hybrid parallel network intrusion detection model (MHPN). The proposed model extracts network traffic features from two modalities: the statistical information of network traffic and the original load of traffic, and constructs appropriate neural network models for each modal information. Firstly, a two-branch convolutional neural network is combined with Long Short-Term Memory (LSTM) network to extract the spatio-temporal feature information of network traffic from the original load mode of traffic, and a convolutional neural network is used to extract the feature information of traffic statistics. Then, the feature information extracted from the two modalities is fused and fed to the CosMargin classifier for network traffic classification. The experimental results on the ISCX-IDS 2012 and CIC-IDS-2017 datasets show that the MHPN model outperforms the single-modal models and achieves an average accuracy of 99.98 % . The model also demonstrates strong robustness and a positive sample recognition rate.

Artificial intelligence enabled Luong Attention and Hosmer Lemeshow Regression Window‐based attack detection in 6G

SummaryRegardless of the developments of networking and communication technologies, security is without exception a predominant feature to ensure network reliability. The future sixth‐generation (6G) network is anticipated to be carried out with artificial intelligence (AI) powered communication via machine learning (ML), post‐quantum cryptography, and so on. AI‐powered communication has been in recent years utilized in enhancing network traffic performance with respect to resource management, optimal frequency spectrum design, security, and latency. The studies of modern wireless communications and anticipated features of 6G networks revealed a prerequisite for designing a trustworthy attack detection mechanism. In this work, a method called, Luong Attention and Hosmer Lemeshow Regression Window‐based (LA‐HLRW) attack detection in 6G is proposed. Initially, with the raw Botnet Attack dataset obtained as input, preprocessing is performed to normalize network traffic features. Next, the dimensionality of network traffic feature of large‐scale network traffic data is reduced using the Luong Attention integrated with Long Short Term Memory (LSTM)‐based Feature extraction model. Finally, with the objective of classifying network traffic samples for attack detection in 6G, we analyze the low dimensional network traffic feature set produced by Luong Attention integrated with LSTM using the Hosmer Lemeshow Logistic Regression Window‐based Attack Detection model. Extensive experiments are performed with the Botnet Attack dataset to validate the efficiency of the proposed LA‐HLRW method by using different parameters such as attack detection accuracy, attack detection time, precision, and recall. The overall analysis of proposed LA‐HLRW results significantly reduced the attack detection time by 24%, and additionally improved attack detection accuracy, precision, and recall by 5%, 5%, and 6% as compared to existing attack detection methods respectively.

Cellular Network Traffic Prediction Based on Correlation ConvLSTM and Self-Attention Network

Predicting the future dynamicity of the network traffic are crucially important to support the 5G intelligent system and automated network management. In this letter, we propose a Correlation-based ConvLSTM and Self-Attention-based Network (CCSANet) to accurately predict complex cellular network traffic. In the proposed CCSANet, the correlation layer is leveraged in ConvLSTM to improve the ability of extracting consecutive spatial features. Additionally, the self-attention is adopted to aggregate the ability of extracting the dependency between external factors feature and network traffic feature. Experimental evaluations on real-world cellular network traffic datasets demonstrate the effectiveness of CCSANet, which outperforms the state-of-the-art (SOTA) methods.

Data Instrumentation From IoT Network Traffic as Support for Security Management

The Internet of Things revolutionizes human life by inaugurating scenarios such as smart homes. However, IoT devices contain much sensitive information about users and devices from a security and privacy perspective. Through traffic-based attacks, adversaries map changes in traffic rates to a particular in-home user’s actions. An efficient IoT data instrumentation may protect users against traffic-based attacks by giving valuable information to adaptive network security solutions. Nonetheless, no work performs data instrumentation or uses feature exploration to reveal relevant features to assist network security management. Thus, this article introduces IoTReGuard, an IoT Method to Reveal and Guard IoT Network Traffic Features. IoTReguard aims to explore network traffic features to reveal the most relevant ones and hide them to protect users’ privacy. By IoT network feature exploration and data instrumentation, IoTReGuard provides valuable information on network traffic features to mask critical features. Results showed that IoTReGuard reduced from 70% to 20% of F1-Score on identifying the IoT devices, improving user privacy.