Articles published on Packet payload
278 Search results
- Research Article
- 10.31891/2307-5732-2025-355-56
- Aug 28, 2025
- Herald of Khmelnytskyi National University. Technical sciences
- Ярослав Міхненко + 1 more
The article deals with the problem of evaluating the performance of narrowband wireless mesh networks, which are the basis for creating highly reliable communication systems in conditions of limited radio frequency spectrum resources. Particular attention is paid to the study of the peculiarities of network operation in the relay node modes. It is established that the efficiency of narrowband wireless mesh networks significantly depends on the settings of data transmission parameters: message size, modulation rate, use of short acknowledgments and direct error correction mechanisms. A systematic approach to evaluating the key parameters of network performance is proposed: data transmission rate, packet transmission time, probability of successful message delivery, and calculation relations for determining the packet transmission time and payload bitrate with regard to service information are given. Particular attention is paid to the mechanism of confirming the delivery of packets through a short message of confirmation of receipt of a data packet, in particular, the impact of retransmissions on the overall network throughput. It is shown that the use of direct error correction schemes helps to reduce the impact of radio channel interference and improve communication reliability, but increases the overall data transmission time. The results of the study allow us to formulate recommendations for optimizing network parameters and demonstrate a clear relationship between transmission characteristics and network performance to ensure guaranteed message delivery. The obtained measurements of key parameters provide the basis for an objective and accelerated analysis of the performance of narrowband wireless mesh networks in applied conditions, and also confirm the feasibility of using the proposed approach to improve the accuracy and informativeness of the assessment.
- Research Article
1
- 10.3390/electronics14040778
- Feb 17, 2025
- Electronics
- Zhengyang Liu + 3 more
Encrypted traffic classification poses significant challenges in network security due to the growing use of encryption protocols, which obscure packet payloads. This paper introduces a novel framework that leverages dual embedding mechanisms and Graph Neural Networks (GNNs) to model both temporal and spatial dependencies in traffic flows. By utilizing metadata features such as packet size, inter-arrival times, and protocol attributes, the framework achieves robust classification without relying on payload content. The proposed framework demonstrates an average classification accuracy of 96.7%, F1-score of 96.0%, and AUC-ROC of 97.9% across benchmark datasets, including ISCX VPN-nonVPN, QUIC, and USTC-TFC2016. These results mark an improvement of up to 8% in F1-score and 10% in AUC-ROC compared to state-of-the-art baselines. Extensive experiments validate the framework’s scalability and robustness, confirming its potential for real-world applications like intrusion detection and network monitoring. The integration of dual embedding mechanisms and GNNs allows for accurate fine-grained classification of encrypted traffic flows, addressing critical challenges in modern network security.
- Research Article
1
- 10.3390/electronics14010088
- Dec 28, 2024
- Electronics
- Jiandong Ma + 6 more
Remote Direct Memory Access (RDMA) technology provides a low-latency, high-bandwidth, and CPU-bypassed method for data transmission between servers. Recent works have proved that multipath transmission, especially packet spraying, can avoid network congestion, achieve load balancing, and improve overall performance in data center networks (DCNs). Multipath transmission can result in out-of-order (OOO) packet delivery. However, existing RDMA transport protocols, such as RDMA over Converged Ethernet version 2 (RoCEv2), are designed for handling sequential packets, limiting their ability to support multipath transmission. To address this issue, in this study, we propose ORNIC, a high-performance RDMA Network Interface Card (NIC) with out-of-order packet direct write method for multipath transmission. ORNIC supports both in-order and out-of-order packet reception. The payload of OOO packets is written directly to user memory without reordering. The write address is embedded in the packets only when necessary. A bitmap is used to check data integrity and detect packet loss. We redesign the bitmap structure into an array of bitmap blocks that support dynamic allocation. Once a bitmap block is full, it is marked and can be freed in advance. We implement ORNIC on a Xilinx U200 FPGA (Field-Programmable Gate Array), which consumes less than 15% of hardware resources. ORNIC can achieve 95 Gbps RDMA throughput, which is nearly 2.5 times that of MP-RDMA. When handling OOO packets, ORNIC’s performance is virtually unaffected, while the performance of Xilinx ERNIC and Mellanox CX-5 drops below 1 Gbps. Moreover, compared with MELO and LEFT, our bitmap has higher performance and lower bitmap block usage.
- Research Article
- 10.3390/electronics14010080
- Dec 27, 2024
- Electronics
- Abdelfattah Amamra + 1 more
Conventional supervised machine learning is widely used for intrusion detection without packet payload inspection, showing good accuracy in detecting known attacks. However, these methods require large labeled datasets, which are scarce due to privacy concerns, and struggle with generalizing to real-world traffic and adapting to domain shifts. Additionally, they are ineffective against zero-day attacks and need frequent retraining, making them difficult to maintain in dynamic network environments. To overcome the limitations of traditional machine learning methods, we propose novel Deterministic (DetMKTL) and Stochastic Multiple-Kernel Transfer Learning (StoMKTL) algorithms that are based on transfer learning. These algorithms leverage multiple kernel functions to capture complex, non-linear relationships in network traffic, enhancing adaptability and accuracy while reducing dependence on large labeled datasets. The proposed algorithms demonstrated good accuracy, particularly in cross-domain evaluations, achieving accuracy rates exceeding 90%. This highlights the robustness of the models in handling diverse network environments and varying data distributions. Moreover, our models exhibited superior performance in detecting multiple types of cyber attacks, including zero-day threats. Specifically, the detection rates reached up to 87% for known attacks and approximately 75% for unseen attacks or their variants. This emphasizes the ability of our algorithms to generalize well to novel and evolving threat scenarios, which are often overlooked by traditional systems. Additionally, the proposed algorithms performed effectively in encrypted traffic analysis, achieving an accuracy of 86%. This result demonstrates the possibility of our models to identify malicious activities within encrypted communications without compromising data privacy.
- Research Article
2
- 10.3233/idt-240319
- Sep 16, 2024
- Intelligent Decision Technologies
- Hamed Danesh + 2 more
Crypto-jacking attack is a novel type of cyber-attack on the internet that has emerged because of the popularity of digital currencies. These attacks are the most common type of attacks in the cryptocurrency field because of their specific features such as easy scenario, un-traceability, and ease of secrecy. In crypto-jacking attacks, it is common to embed malicious code inside website scripts. Different techniques have been provided to deal with Crypto-jacking attacks, but crypto-jacking attackers bypass them by limiting resources. The crypto-mining services provided on the internet are legal, and due to the anonymous nature of cryptocurrencies, client identification is a challenging task. Improving the accuracy and performance of the Crypto-jacking attack detection methods are the main objectives of this study. In this paper, a hybrid network-based method is proposed to identify these attacks to achieve better and more accurate results. The proposed solution (CMShark) is a combination of machine learning (ML) models, IP blacklisting and payload inspection methods. In the ML model, the packets are classified using size patterns; in IP blacklisting, attacks are detected based on known infected addresses and infected scripts. In payload inspection, the provided information on the packet payload is searched for any suspicious keywords. The proposed method relies solely on the network and is deployed on the edge of the network, making it infrastructure-independent. The proposed detection model reaches an accuracy score of 97.02%, an F1-score of 96.90% and a ROC AUC score of 97.20% in input NetFlow classification; and a 93.98% accuracy score, 94.30% F1-score and 97.30% ROC AUC score in output NetFlow classification.
- Research Article
4
- 10.1016/j.comnet.2024.110746
- Aug 24, 2024
- Computer Networks
- Yu Zheng + 4 more
Multi-view multi-label network traffic classification based on MLP-Mixer neural network
- Research Article
1
- 10.1145/3676861
- Aug 18, 2024
- Proceedings of the ACM on Networking
- Hamid Ghasemirahni + 5 more
Data centers increasingly utilize commodity servers to deploy low-latency Network Functions (NFs). However, the emergence of multi-hundred-gigabit-per-second network interface cards (NICs) has drastically increased the performance expected from commodity servers. Additionally, recently introduced systems that store packet payloads in temporary off-CPU locations (e.g., programmable switches, NICs, and RDMA servers) further increase the load on NF servers, making packet processing even more challenging. This paper demonstrates existing bottlenecks and challenges of state-of-the-art stateful packet processing frameworks and proposes a system, called FAJITA, to tackle these challenges & accelerate stateful packet processing on commodity hardware. FAJITA proposes an optimized processing pipeline for stateful network functions to minimize memory accesses and overcome the overheads of accessing shared data structures while ensuring efficient batch processing at every stage of the pipeline. Furthermore, FAJITA provides a performant architecture to deploy high-performance network functions service chains containing stateful elements with different state granularities. FAJITA improves the throughput and latency of high-speed stateful network functions by ~2.43x compared to the most performant state-of-the-art solutions, enabling commodity hardware to process up to ~178 Million 64-B packets per second (pps) using 16 cores.
- Research Article
1
- 10.3390/rs16152718
- Jul 24, 2024
- Remote Sensing
- Hongyu Zhao + 2 more
In the framework of the space-air-ground-ocean integrated network, the underwater acoustic sensor network (UASN) plays a pivotal role. The design of media access control (MAC) protocols is essential for the UASN to ensure efficient and reliable data transmission. From the perspective of differentiated services in the UASN, a service-aware and scheduling-based hybrid MAC protocol, named the SSH-MAC protocol, is proposed in this paper. In the SSH-MAC protocol, the centralized scheduling strategy is adopted by sensor nodes with environmental monitoring service, and the distributed scheduling strategy is adopted by sensor nodes with target detection service. Considering the time-varying data generation rate of sensor nodes, the sink node will switch the scheduling mode of sensor nodes based on the specific control packet and adjust the resource allocation ratio between centralized scheduling and distributed scheduling. Simulation results show that the performance of the SSH-MAC protocol, in terms of utilization, end-to-end delay, packet delivery ratio, energy consumption, and payload efficiency, is good.
- Research Article
- 10.1155/2024/8725832
- May 30, 2024
- Security and Communication Networks
- Peng Xiao + 3 more
Malicious encrypted traffic detection is a critical component of network security management. Previous detection methods can be categorized into two classes as follows: one is to use the feature engineering method to construct traffic features for classification and the other is to use the end-to-end method that directly inputs the original traffic to obtain traffic features for classification. Both of the abovementioned two methods have the problem that the obtained features cannot fully characterize the traffic. To this end, this paper proposes a hierarchical multimodal deep learning model (HMMED) for malicious encrypted traffic detection. This model adopts the abovementioned two feature generation methods to learn the features of payload and header, respectively, then fuses the features to get the final traffic features, and finally inputs the final traffic features into the softmax classifier for classification. In addition, since traditional deep learning is highly dependent on the training set size and data distribution, resulting in a model that is not very generalizable and difficult to adapt to unseen encrypted traffic, the model proposed in this paper uses a large amount of unlabeled encrypted traffic in the pretraining layer to pretrain a submodel used to obtain a generic packet payload representation. The test results on the USTC-TFC2016 dataset show that the proposed model can effectively solve the problem of insufficient feature extraction of traditional detection methods and improve the ACC of malicious encrypted traffic detection.
- Research Article
7
- 10.1016/j.comnet.2024.110372
- Mar 27, 2024
- Computer Networks
- Xinbo Han + 6 more
DE-GNN: Dual embedding with graph neural network for fine-grained encrypted traffic classification
- Research Article
- 10.3390/electronics13050930
- Feb 29, 2024
- Electronics
- Mingrui Fan + 4 more
Traffic fingerprint was considered an effective security protection mechanism in IoT scenarios because it can be used to automatically identify accessed devices. However, the results of replication experiments show that the classic traffic fingerprints based on simple network traffic attribute features have a significantly lower ability to identify accessed devices in real 5G IoT scenarios compared to what was stated in traditional IoT scenarios. The growing homogenization of IoT traffic caused by the application of 5G is believed to be the reason for the poor ability of traditional traffic fingerprints to identify 5G IoT terminals. Studying an enhanced traffic fingerprint is necessary to accommodate the homogeneous Internet of Things traffic. In addition, during the reproducing experiments, we noticed that the solution of overlap is a key factor that restricts the recognition ability of one-vs-all multi-classifiers, and the efficiency of existing methods still has some room for optimization. Based on targeted improvements to these two issues, we proposed an enhanced IoT terminal traffic fingerprint based on packet payload transition patterns to improve the device recognition ability in homogeneous IoT traffic. Additionally, we designed an improved solution for overlap based on density centers to expedite decision making. According to the experimental results, when compared with the existing traffic fingerprint, the proposed traffic fingerprint in this study demonstrated a Macro-Average Precision of close to 90% for network traffic from real 5G IoT terminals. The proposed overlap solution based on the density centers reduced the decision-making time from hundreds of seconds to tens of seconds while ensuring decision-making accuracy.
- Research Article
- 10.11591/ijece.v14i1.pp488-496
- Feb 1, 2024
- International Journal of Electrical and Computer Engineering (IJECE)
- Mosleh M Abualhaj + 4 more
Voice over internet protocol (VoIP) calls are increasingly transported over computer-based networking due to several factors, such as low call rates. However, point-to-point (P-P) calls, as a division of VoIP, are encountering a capacity utilization issue. The main reason for that is the giant packet header, especially when compared to the runt P-P calls packet payload. Therefore, this research article introduced a method to solve the liability of the giant packet header of the P-P calls. The introduced method is named voice segment compaction (VSC). The VSC method employs the unneeded P-P calls packet header elements to carry the voice packet payload. This, in turn, reduces the size of the voice payload and improves network capacity utilization. The preliminary results demonstrated the importance of the introduced VSC method, while network capacity improved by up to 38.33%.
- Research Article
1
- 10.2478/ttj-2024-0005
- Feb 1, 2024
- Transport and Telecommunication Journal
- Mosleh M Abualhaj + 3 more
The adoption of the Voice over Internet Protocol (VoIP) system is growing due to several factors, including its meagre rate and the numerous contours that can be joined with VoIP systems. However, the wasteful utilisation of the computer network is an inevitable problem that limits the rapid growth of VoIP systems. The essential explanation behind this wasteful utilisation of the computer network bandwidth (BW) is the considerable preamble length of the VoIP packet. In this study, we invent a technique that addresses the considerable preamble length of the VoIP packet. The designed technique is known as the manikin voice frame (MVF). The primary idea of the MVF technique is to utilise the VoIP packet preamble tuples that are not essential to the voice calls, particularly client-to-client calls (voice calls between only two users). Specifically, these tuples will be utilised for reserving the data of the VoIP packet. In certain instances, this will make the VoIP packet data manikin or even make it empty. The performance assessment of the introduced MVF technique demonstrated that the utilisation of the computer network BW has enhanced by 33%. Along these lines, the MVF technique indicates potential progress in resolving the inefficient usage of the computer network BW.
- Research Article
5
- 10.3390/en17020485
- Jan 19, 2024
- Energies
- Aryan Sharma + 4 more
Wireless-based sensing of physical environments has garnered tremendous attention recently, and its applications range from intruder detection to environmental occupancy monitoring. Wi-Fi is positioned as a particularly advantageous sensing medium, due to the ubiquity of Wi-Fi-enabled devices in a more connected world. Although Wi-Fi-based sensing using Channel State Information (CSI) has shown promise, existing sensing systems commonly configure dedicated transmitters to generate packets for sensing. These dedicated transmitters substantially increase the energy requirements of Wi-Fi sensing systems, and hence there is a need for understanding how ambient transmissions from nearby Wi-Fi devices can be leveraged instead. This paper explores the potential of Wi-Fi-based sensing using CSI derived from ambient transmissions of Wi-Fi devices. We demonstrate that CSI sensing accuracy is dependent on the underlying traffic type and the Wi-Fi transceiver architecture, and that control packets yield more robust CSI than payload packets. We also show that traffic containing upload data is more suitable for human occupancy counting, using the Probability Mass Function (PMF) of CSI. We further demonstrate that multiple spatially diverse streams of Wi-Fi CSI can be combined for sensing to an accuracy of 99%. The experimental study highlights the importance of training Wi-Fi sensing systems for multiple transmission sources to improve accuracy. This research has significant implications for the development of energy-efficient Wi-Fi sensing solutions for a range of applications.
- Research Article
11
- 10.1016/j.comnet.2023.110162
- Dec 22, 2023
- Computer Networks
- Roberto Doriguzzi-Corin + 4 more
Introducing packet-level analysis in programmable data planes to advance Network Intrusion Detection
- Research Article
1
- 10.11591/eei.v12i6.6117
- Dec 1, 2023
- Bulletin of Electrical Engineering and Informatics
- Mosleh M Abualhaj + 4 more
Currently, the multiprotocol label switching (MPLS) standard is extremely prevalent. By exploiting the features provided by MPLS technology, a range of services, including IP telephony, have enhanced their overall performance. However, due to the size of the packet header, the IP telephony service consumes a significant portion of the MPLS network's available bandwidth. For instance, in IP telephony over MPLS networks, the packet header might account for as much as 80% of lost time and bandwidth. Designers working on IP telephony are making substantial efforts to address this issue. This study contributes to current efforts by proposing a novel approach called Tel-MPLS, which involves IP telephony over MPLS. The Tel-MPLS approach uses the superfluous fields in the IP telephony packet's header to retain the packet data, therefore lowering or zeroing the IP telephony packet's payload. Tel-MPLS is an approach that significantly reduces the bandwidth of IP telephony MPLS networks. According to the findings, the Tel-MPLS approach is capable of reducing the amount of bandwidth that is lost by 12% when using the G.729 codec.
- Research Article
4
- 10.1016/j.cose.2023.103628
- Nov 30, 2023
- Computers & Security
- Ben Pi + 5 more
Remote access trojan traffic early detection method based on Markov matrices and deep learning
- Research Article
1
- 10.1145/3617181
- Oct 20, 2023
- Digital Threats: Research and Practice
- Antonios Xenakis + 5 more
A large volume of network trace data are collected by the government and public and private organizations and can be analyzed for various purposes such as resolving network problems, improving network performance, and understanding user behavior. However, most organizations are reluctant to share their data with any external experts for analysis, because they contain sensitive information deemed proprietary to the organization, thus raising privacy concerns. Even if the payload of network packets is not shared, header data may disclose sensitive information that adversaries can exploit to perform unauthorized actions. So network trace data need to be anonymized before being shared. Most of the existing anonymization tools have two major shortcomings: (1) they cannot provide provable protection, and (2) their performance relies on setting the right parameter values such as the degree of privacy protection and the features that should be anonymized, but there is little assistance for a user to optimally set these parameters. This article proposes a self-adaptive and secure approach to anonymize network trace data and provides provable protection and automatic optimal settings of parameters. A comparison of the proposed approach with existing anonymization tools via experimentation demonstrated that the proposed method outperforms the existing anonymization techniques.
- Research Article
4
- 10.3390/electronics12204253
- Oct 14, 2023
- Electronics
- Hyeonmin Kim + 1 more
Using traditional methods based on detection rules written by human security experts presents significant challenges for the accurate detection of network threats, which are becoming increasingly sophisticated. In order to deal with the limitations of traditional methods, network threat detection techniques utilizing artificial intelligence technologies such as machine learning are being extensively studied. Research has also been conducted on analyzing various string patterns in network packet payloads through natural language processing techniques to detect attack intent. However, due to the nature of packet payloads that contain binary and text data, a new approach is needed that goes beyond typical natural language processing techniques. In this paper, we study a token extraction method optimized for payloads using n-gram and byte-pair encoding techniques. Furthermore, we generate embedding vectors that can understand the context of the packet payload using algorithms such as Word2Vec and FastText. We also compute the embedding of various header data associated with packets such as IP addresses and ports. Given these features, we combine a text 1D CNN and a multi-head attention network in a novel fashion. We validated the effectiveness of our classification technique on the CICIDS2017 open dataset and over half a million data collected by The Education Cyber Security Center (ECSC), currently operating in South Korea. The proposed model showed remarkable performance compared to previous studies, achieving highly accurate classification with an F1-score of 0.998. Our model can also preprocess and classify 150,000 network threats per minute, helping security agents in the field maximize their time and analyze more complex attack patterns.
- Research Article
4
- 10.3390/app13148104
- Jul 11, 2023
- Applied Sciences
- Merve Çelebi + 1 more
Nowadays, almost all network traffic is encrypted. Attackers hide themselves using this traffic and attack over encrypted channels. Inspections performed only on packet headers and metadata are insufficient for detecting cyberattacks over encrypted channels. Therefore, it is important to analyze packet contents in applications that require control over payloads, such as content filtering, intrusion detection systems (IDSs), data loss prevention systems (DLPs), and fraud detection. This technology, known as deep packet inspection (DPI), provides full control over the communication between two end stations by keenly analyzing the network traffic. This study proposes a multi-pattern-matching algorithm that reduces the memory space and time required in the DPI pattern matching compared to traditional automaton-based algorithms with its ability to process more than one packet payload character at once. The pattern-matching process in the DPI system created to evaluate the performance of the proposed algorithm (PA) is conducted on the graphics processing unit (GPU), which accelerates the processing of network packets with its parallel computing capability. This study compares the PA with the Aho-Corasick (AC) and Wu–Manber (WM) algorithms, which are widely used in the pattern-matching process, considering the memory space required and throughput obtained. Algorithm tables created with a dataset containing 500 patterns use 425 and 688 times less memory space than those of the AC and WM algorithms, respectively. In the pattern-matching process using these tables, the PA is 3.5 and 1.5 times more efficient than the AC and WM algorithms, respectively.