Packet Payload Research Articles

Intrusion Detection Using Payload Embeddings

Attacks launched over the Internet often degrade or disrupt the quality of online services. Various Intrusion Detection Systems (IDSs), with or without prevention capabilities, have been proposed to defend networks or hosts against such attacks. While most of these IDSs extract features from the packet headers to detect any irregularities in the network traffic, some others use payloads alongside the headers. In this study, we propose a payload-based intrusion detection scheme, <monospace>PayloadEmbeddings</monospace>, using byte embeddings of the payloads of network packets. We employ a shallow neural network to generate vector representations for bytes and their corresponding payloads. Our feature extraction technique is coupled with the <inline-formula> <tex-math notation="LaTeX">$k$ </tex-math></inline-formula>-Nearest Neighbours (<inline-formula> <tex-math notation="LaTeX">$k$ </tex-math></inline-formula>NN) algorithm for the classification of packets as intrusive or non-intrusive. In our experiments, we evaluated 34 publicly available datasets, and used ten distinct payload-based, labeled intrusion detection datasets to train and evaluate our approach. Our empirical results show that <monospace>PayloadEmbeddings</monospace> reaches between 75&#x0025; and 99&#x0025; accuracy across all datasets. Finally, we compare our approach to other state-of-the-art and traditional intrusion detection techniques. Our findings suggest that <monospace>PayloadEmbeddings</monospace> demonstrates significant advantages over the other techniques on most of the datasets.

Saving the Bandwidth of IPv6 Networks Using the Fields of the Packet Header

IPv6 protocol is the future of IP networks due to its large IP address capacity. One of the key consequences of this large capacity is that the IP protocol header has enlarged from 20-byte in IPv4 to 40-byte in IPv6. This will consume a considerable share of the bandwidth (BW) for VoIP applications, which produce small packets in tens of bytes only. To handle this issue, we have introduced an efficient technique to use the superfluous fields in the VoIP packet header, including the IPv6 header, to hold the voice data of the packet. This introduced technique is called the Eliminator technique because it shortens or eliminates the packet payload. The Eliminator technique has been analyzed against the typical technique of transferring the VoIP data. The BW utilization of the two techniques has been compared with different codecs namely G.726, G.728, and G.723.1 codecs. The analysis showed that the BW wasting has alleviated by 16.4%, 19.1%, and 25% with these codecs respectively. This BW utilization improvement will indirectly boost the quality of the VoIP calls, especially in the wireless environments. Accordingly, the Eliminator technique is a viable solution for alleviating the wasted BW when running VoIP in IPv6 networks.

Flow Feature-Based Network Traffic Classification Using Machine Learning

Reliable network traffic classification is essential to management and security tasks. Therefore, it is beneficial to analyze and improve existing techniques. Some of the most traditional methodologies for traffic classification are based on port number and packet payload, each of which presents an increasing set of problems. Port number-based classification techniques suffer from the misuse of port numbers and tunneling. This is primarily due to their reliance on the proper use of IANA (Internet Assigned Numbers Authority) assigned numbers. On the other hand, packet payload-based classification has difficulty dealing with encrypted data and legal restrictions to accessing user data. Flow feature-based classification canovercome these challenges by creating profiles based on the traffic patterns of applications. Furthermore, machine learning techniques have shown to be a good match for traffic classification. Thus, the goal of this paper is to explore the combination of these fields and to develop a set of machine learning models capable of classifying network traffic based on flow features. This was achieved by using a ready to use dataset to train two supervised and one unsupervised clustering model.The results for the supervised classifiers were considered comparable to similar studies, while the performance of the clustering model was found to be not satisfactory.

Enhancement Detection DDoS Attacks Using Hybrid N-Gram Techniques

DDoS attacks have always been a concern of cyber experts. To detect DDoS attacks, there are several methods that can be used. One of the methods used in this research is the N-Gram technique. The n-Gram technique analyzes the payload of data packets that enter the network to obtain attack patterns, data is captured and analyzed after which it is compared with net data packets. The chi-square distance value that is close to 1 indicates that the two packages are very similar, so that the data packet is not an attack. A value less than 1 means the data packet is categorized as an attack. In this research, the threshold for determining the level of attack can be lowered to obtain a very high detection accuracy. As a result, the 2-Gram technique has a detection accuracy rate with the lowest false positive value of around 13% with the highest true positive ratio reaching a value of 99.98%.

An Efficient Method to Enhance IP Telephony Performance in IPV6 Networks

Abstract IP telephony have played an essential role during the COVID 19 pandemic lockdown. One of the issues that lower the service level of the IP telephony solutions is the inefficient bandwidth exploitation. This paper proposes a Smallerize/Zeroize (SmlZr) method to enhance bandwidth exploitation. The SmlZr method is explicitly designed for the P2P IP telephony calls over IPv6 networks. The essence concept of the proposed method is to use the unnecessary fields in the header to keep the voice media of the packet. Doing so leads to smallerize or zeroize the packet payload and, thus, enhance the bandwidth exploitation. The SmlZr method has outperformed the RTP method for all the comparison parameters. For instance, the SmlZr method shrinks the bandwidth by 25% compared to the RTP protocol. Bandwidth saving is helpful for P2P IP telephony calls because it alleviates the traffic load. Thus, improve the call capacity boosts the call clarity.

Design and implementation of an intrusion detection system by using Extended BPF in the Linux kernel

An intrusion detection system (IDS) checks the content of headers and payload of packets to detect intrusions from the network. It is an essential function for network security. Traditionally, an IDS, such as Snort, which is a widely used open source IDS, is implemented as a program running in the user space on a hardware server. Recently, with the availability of Extended BPF (eBPF) in the Linux kernel, efficiently checking and filtering arriving packets directly in the kernel becomes feasible. In this work, we design and implement an IDS that has two parts working together. The first part runs in the Linux kernel. Its uses eBPF to perform fast patterns matching to pre-drop a very large portion of packets that have no chance to match any rule. The second part runs in the user space. It examines the packets left by the first part to find the rules that match them. Using a modified version of the registered ruleset of Snort, experimental results show that the maximum throughput of our IDS system can outperform that of Snort by a factor of 3 under many tested conditions.

Deep anomaly detection in packet payload

With the wide deployment of edge devices, a variety of emerging applications have been deployed at the edge of network. To guarantee the safe and efficient operations of the edge applications, especially the extensive web applications, it is important and challenging to detect packet payload anomalies, which can be expressed as a number of specific strings that may cause attacks. Although some approaches have achieved remarkable progress, they are with limited applications since these approaches are dependent on in-depth expert knowledge, e.g., signatures describing anomalies or communication protocol at the application level. Moreover, they might fail to detect the payload anomalies that may have long-term dependency relationships at the edge of network. To overcome these limitations and adaptively detect anomalies from packet payloads, we propose a deep learning based framework which does not rely on any in-depth expert knowledge and is capable of detecting anomalies that have long-term dependency relationships. The proposed framework consists of two parts. First, a novel block sequence construction method is proposed to obtain a valid expression of a payload. The block sequence could encapsulate both the high-dimension information and the underlying sequential information which facilitate the anomaly detection. Secondly, we design a detection model to learn two different dependency relationships within the block sequence, which is based on Long Short-Term Memory (LSTM), Convolutional Neural Networks (CNN) and Multi-head Self Attention Mechanism. Furthermore, we cast the anomaly detection as a classification problem and employ a classifier with attention mechanism to integrate information and detect anomalies. Extensive experimental results on three public datasets indicate that our model could achieve a higher detection rate, while keeping a lower false positive rate compared with two traditional machine learning methods and three state-of-the-art methods.

Enabling Cross-technology Communication from LoRa to ZigBee via Payload Encoding in Sub-1 GHz Bands

Low-power wireless mesh networks (LPWMNs) have been widely used in wireless monitoring and control applications. Although LPWMNs work satisfactorily most of the time thanks to decades of research, they are often complex, inelastic to change, and difficult to manage once the networks are deployed. Moreover, the deliveries of control commands, especially those carrying urgent information such as emergency alarms, suffer long delay, since the messages must go through the hop-by-hop transport. Recent studies show that adding low-power wide-area network radios such as LoRa onto the LPWMN devices (e.g., ZigBee) effectively overcomes the limitation. However, users have shown a marked reluctance to embrace the new heterogeneous communication approach because of the cost of hardware modification. In this article, we introduce LoRaBee, a novel LoRa to ZigBee cross-technology communication (CTC) approach, which leverages the energy emission in the Sub-1 GHz bands as the carrier to deliver information. Although LoRa and ZigBee adopt distinct modulation techniques, LoRaBee sends information from LoRa to ZigBee by putting specific bytes in the payload of legitimate LoRa packets. The bytes are selected such that the corresponding LoRa chirps can be recognized by the ZigBee devices through sampling the received signal strength. Experimental results show that our LoRaBee provides reliable CTC communication from LoRa to ZigBee with the throughput of up to 281.61 bps in the Sub-1 GHz bands.

Zeroize: A New Method to Improve the Utilization of 5G Networks When Running VoIP over IPv6

5G technology is spreading extremely quickly. Many services, including Voice Over Internet Protocol (VoIP), have utilized the features of 5G technology to improve their performance. VoIP service is gradually ruling the telecommunication sector due to its various advantages (e.g., free calls). However, VoIP service wastes a substantial share of the VoIP 5G network’s bandwidth due to its lengthy packet header. For instance, the share of the packet header from bandwidth and channel time reaches 85.7% of VoIP 5G networks when using the IPv6 protocol. VoIP designers are exerting considerable efforts to solve this issue. This paper contributes to these efforts by designing a new technique named Zeroize (zero sizes). The core of the Zeroize technique is based on utilizing the unnecessary fields of the IPv6 protocol header to keep the packet payload (voice data), thereby reducing or “zeroizing” the payload of the VoIP packet. The Zeroize technique substantially reduces the expanded bandwidth of VoIP 5G networks, which is reflected in the wasted channel time. The results show that the Zeroize technique reduces the wasted bandwidth by 20% with the G.723.1 codec. Therefore, this technique successfully reduces the bandwidth and channel time of VoIP 5G networks when using the IPv6 protocol.

CLD-Net: A Network Combining CNN and LSTM for Internet Encrypted Traffic Classification

The development of the Internet has led to the complexity of network encrypted traffic. Identifying the specific classes of network encryption traffic is an important part of maintaining information security. The traditional traffic classification based on machine learning largely requires expert experience. As an end-to-end model, deep neural networks can minimize human intervention. This paper proposes the CLD-Net model, which can effectively distinguish network encrypted traffic. By segmenting and recombining the packet payload of the raw flow, it can automatically extract the features related to the packet payload, and by changing the expression of the packet interval, it integrates the packet interval information into the model. We use the ability of Convolutional Neural Network (CNN) to distinguish image classes, learn and classify the grayscale images that the raw flow has been preprocessed into, and then use the effectiveness of Long Short-Term Memory (LSTM) network on time series data to further enhance the model’s ability to classify. Finally, through feature reduction, the high-dimensional features learned by the neural network are converted into 8 dimensions to distinguish 8 different classes of network encrypted traffic. In order to verify the effectiveness of the CLD-Net model, we use the ISCX public dataset to conduct experiments. The results show that our proposed model can distinguish whether the unknown network traffic uses Virtual Private Network (VPN) with an accuracy of 98% and can accurately identify the specific traffic (chats, audio, or file) of Facebook and Skype applications with an accuracy of 92.89%.

Malware on Internet of UAVs Detection Combining String Matching and Fourier Transformation

Advanced persistent threat (APT), with intense penetration, long duration, and high customization, has become one of the most grievous threats to cybersecurity. Furthermore, the design and development of Internet-of-Things (IoT) devices often do not focus on security, leading APT to extend to IoT, such as the Internet of emerging unmanned aerial vehicles (UAVs). Whether malware with attack payload can be successfully implanted into UAVs or not is the key to APT on the Internet of UAVs. APT malware on UAVs establishes communication with the command and control (C&C) server to achieve remote control for UAVs-aware information stealing. Existing effective methods detect malware by analyzing malicious behaviors generated during C&C communication. However, APT malware usually adopts a low-traffic attack mode, a large amount of normal traffic is mixed in each attack step, to avoid virus checking and killing. Therefore, it is difficult for traditional malware detection methods to discover APT malware on UAVs that carry weak abnormal signals. Fortunately, we found that most APT attacks use domain name system (DNS) to locate C&C server of malware for information transmission periodically. This behavior will leave some records in the network flow and DNS logs, which provides us with an opportunity to identify infected internal UAVs and external malicious domain names. This article proposes an APT malware on the Internet of UAVs detection method combining string matching and Fourier transformation based on DNS traffic, which is able to handle encrypted and obfuscated traffic due to packet payloads independence. We preprocessed the collected network traffic by converting DNS timestamps of DNS request to strings and used the trained random forest model to discover APT malware domain names based on features extracted through string-matching-based periodicity detection and Fourier transformation-based periodicity detection. The proposed method has been evaluated on the data set, including part of normal domains from the normal traffic and malicious domains marked by security experts from APT malware traffic. Experimental results have shown that our proposed detection method can achieve the accuracy of 94%, which is better than the periodicity detection algorithm alone. Moreover, the proposed method does not need to set the confidence to filter the periodicity with high confidence.

Apply machine learning techniques to detect malicious network traffic in cloud computing

Computer networks target several kinds of attacks every hour and day; they evolved to make significant risks. They pass new attacks and trends; these attacks target every open port available on the network. Several tools are designed for this purpose, such as mapping networks and vulnerabilities scanning. Recently, machine learning (ML) is a widespread technique offered to feed the Intrusion Detection System (IDS) to detect malicious network traffic. The core of ML models’ detection efficiency relies on the dataset’s quality to train the model. This research proposes a detection framework with an ML model for feeding IDS to detect network traffic anomalies. This detection model uses a dataset constructed from malicious and normal traffic. This research’s significant challenges are the extracted features used to train the ML model about various attacks to distinguish whether it is an anomaly or regular traffic. The dataset ISOT-CID network traffic part uses for the training ML model. We added some significant column features, and we approved that feature supports the ML model in the training phase. The ISOT-CID dataset traffic part contains two types of features, the first extracted from network traffic flow, and the others computed in specific interval time. We also presented a novel column feature added to the dataset and approved that it increases the detection quality. This feature is depending on the rambling packet payload length in the traffic flow. Our presented results and experiment produced by this research are significant and encourage other researchers and us to expand the work as future work.

Performance Analysis of Packet Aggregation Mechanisms and Their Applications in Access (e.g., IoT, 4G/5G), Core, and Data Centre Networks.

The transmission of massive amounts of small packets generated by access networks through high-speed Internet core networks to other access networks or cloud computing data centres has introduced several challenges such as poor throughput, underutilisation of network resources, and higher energy consumption. Therefore, it is essential to develop strategies to deal with these challenges. One of them is to aggregate smaller packets into a larger payload packet, and these groups of aggregated packets will share the same header, hence increasing throughput, improved resource utilisation, and reduction in energy consumption. This paper presents a review of packet aggregation applications in access networks (e.g., IoT and 4G/5G mobile networks), optical core networks, and cloud computing data centre networks. Then we propose new analytical models based on diffusion approximation for the evaluation of the performance of packet aggregation mechanisms. We demonstrate the use of measured traffic from real networks to evaluate the performance of packet aggregation mechanisms analytically. The use of diffusion approximation allows us to consider time-dependent queueing models with general interarrival and service time distributions. Therefore these models are more general than others presented till now.

Adversarial Network Traffic: Towards Evaluating the Robustness of Deep-Learning-Based Network Traffic Classification

Network traffic classification is used in various applications such as network traffic management, policy enforcement, and intrusion detection systems. Although most applications encrypt their network traffic and some of them dynamically change their port numbers, Machine Learning (ML) and especially Deep Learning (DL)-based classifiers have shown impressive performance in network traffic classification. In this article, we evaluate the robustness of DL-based network traffic classifiers against Adversarial Network Traffic (ANT). ANT causes DL-based network traffic classifiers to predict incorrectly using Universal Adversarial Perturbation (UAP) generating methods. Since there is no need to buffer network traffic before sending ANT, it is generated live. We partition the input space of the DL-based network traffic classification into three categories: packet classification, flow content classification, and flow time series classification. To generate ANT, we propose three new attacks injecting UAP into network traffic. AdvPad attack injects a UAP into the content of packets to evaluate the robustness of packet classifiers. AdvPay attack injects a UAP into the payload of a dummy packet to evaluate the robustness of flow content classifiers. AdvBurst attack injects a specific number of dummy packets with crafted statistical features based on a UAP into a selected burst of a flow to evaluate the robustness of flow time series classifiers. The results indicate injecting a little UAP into network traffic, highly decreases the performance of DL-based network traffic classifiers in all categories.

Pre-Processing of KDD’99 &amp; UNSW-NB Network Intrusion Datasets

An IDS is essential for securing the network. The IDS not only traverses the header portion of the network packet but also inspects the data portion or the payload of the network packet. Therefore, if at all any malicious code is present in the data portion, it would be detected by the IDS and the packet will be denied access to the network or removed accordingly. Various datasets on computer and network intrusions are available publicly and are extensively used in developing successful intrusion detection systems. In this development process pre-processing plays an important role to make the data ready for the prediction process. This paper presents and analyses on two widely used datasets - KDD’99 and UNSW-NB 15 in intrusion detection. Pre-processing of both the datasets is performed considering missing, redundant and noisy data along with the data cleaning process using Weka data miner tool. A brief discussion on a newly created dataset is also presented in the paper.

Contracting VoIP Packet Payload Down to Zero

Abstract The inefficient use of the IP network bandwidth is a fundamental issue that restricts the exponential spreading of Voice over IP (VoIP). The primary reason for this is the big header size of the VoIP packet. In this paper, we propose a method, called Short Voice Frame (SVF), that addresses the big header size of the VoIP packet. The main idea of the SVF method is to make effective use of the VoIP packet header fields that are unneeded to the VoIP technology. In particular, these fields will be used for temporarily buffering the voice frame (VoIP packet payload) data. This will make the VoIP packet payload short or even zero in some cases. The performance evaluation of the proposed SVF method showed that the use of the IP network bandwidth has improved by up to 28.3% when using the G.723.1 codec.

Performance Analysis of a Linear MMSE Receiver in Time-Variant Rayleigh Fading Channels

The performance of the uplink of single and multiuser multiple input multiple output (MIMO) systems depends crucially on the receiver architecture and the quality of channel state information at the receiver. Therefore, several previous works have developed minimum mean squared error (MMSE) receivers and proposed balancing the resources spent on acquiring channel state information and transmitting the payload of data packets. Somewhat surprisingly, the most popular MIMO linear MMSE receivers do not exploit the correlation structure that is present in autoregressive Rayleigh fading environments. Therefore, in this article we first develop a new linear receiver that not only takes channel state information errors into account in minimizing the MSE of the received data symbols, but it also utilizes that the subsequent noisy channel coefficients are correlated. For this new linear MMSE receiver, we derive the achieved MSE as a function of the number of receive antennas and the pilot-to-data power ratio. Interestingly, we find that the pilot power that minimizes the MSE of the data symbols does not depend on the number of antennas and that the new linear MMSE receiver outperforms previously proposed MIMO receivers when the autocorrelation coefficient of the channel is high.

Enabling Secure and Versatile Packet Inspection With Probable Cause Privacy for Outsourced Middlebox

Middlebox is an intermediary network equipment which can be outsourced to remote cloud servers for low-cost and customizable network services, such as load balancer and intrusion detection. A fundamental function of the middlebox is packet inspection, where both the packet header and payload are extracted and analyzed based on inspection rules. However, as the packet may contain sensitive individual or organizational information, it may raise severe privacy concerns without proper countermeasures. In this article, we propose a secure and versatile packet inspection scheme for outsourced middlebox. The proposed scheme builds upon two non-collusion cloud servers, where the first server conducts the inspection task over the ciphertext domain and the second reveal the inspection results. By doing so, the proposed scheme achieves versatile inspection functionalities: range-query-based header inspection and token-based payload inspection, while preserving the privacy of packet header, payload, and inspection rules. Moreover, we identify and address two challenging issues in the state-of-the-art literatures. First, we tailor the design of mis-operation resistant searchable homomorphic encryption (MR-SHE) and somewhat homomorphic encryption in the two-server model, to resist <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">offline dictionary attack on payload headers</i> . Second, we propose a key management mechanism with compelled access for the middlebox, to achieve <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">fine-grained probable cause privacy</i> . We also conduct extensive experiments and compare the results with existing schemes to demonstrate the feasibility of the proposed scheme.

Acceleration of Intrusion Detection in Encrypted Network Traffic Using Heterogeneous Hardware.

More than 75% of Internet traffic is now encrypted, and this percentage is constantly increasing. The majority of communications are secured using common encryption protocols such as SSL/TLS and IPsec to ensure security and protect the privacy of Internet users. However, encryption can be exploited to hide malicious activities, camouflaged into normal network traffic. Traditionally, network traffic inspection is based on techniques like deep packet inspection (DPI). Common applications for DPI include but are not limited to firewalls, intrusion detection and prevention systems, L7 filtering, and packet forwarding. With the widespread adoption of network encryption though, DPI tools that rely on packet payload content are becoming less effective, demanding the development of more sophisticated techniques in order to adapt to current network encryption trends. In this work, we present HeaderHunter, a fast signature-based intrusion detection system even for encrypted network traffic. We generate signatures using only network packet metadata extracted from packet headers. In addition, we examine the processing acceleration of the intrusion detection engine using different heterogeneous hardware architectures.

CNN-based anomaly detection for packet payloads of industrial control system

Industrial control systems (ICSs) are more vulnerable to cyber threats owing to their network connectivity. The intrusion detection system(IDS) has been deployed to detect sophisticated cyber-attack but the existing IDS uses the packet header information for traffic flow detection. IDS is inefficient to detect packet deformation; therefore, we propose the adoption of packet payload in IDS to respond to a variety of attacks and high performance. Our proposed model detects packet modification and traffic flowby inspecting each packet and sequence of packets. For evaluation, cross verification is conducted to increase the reliability of the statistics.