Traffic Identification Method Research Articles

GateKeeper: An UltraLite malicious traffic identification method with dual-aspect optimization strategies on IoT gateways

The Internet of Things (IoT) landscape is booming, and a wide range of IoT endpoints has been integrated into various aspects of life, opening opportunities for malicious attacks that compromise IoT security. Consequently, effective malicious traffic identification methods play a crucial role in ensuring IoT security. However, the current lightweight methods face two main challenges. Firstly, they often generate feature sets that are time-consuming to construct and less adaptable to various scenarios. Secondly, classification models built upon inefficient neural networks incur a significant computational overhead. To address these drawbacks, in this work, we propose GateKeeper, which is an UltraLite method for malicious traffic identification on the IoT gateway. We first propose a base model as the cornerstone and target for subsequent optimization. Then we propose dual-aspect optimization strategies for reducing the input dimension and simplifying the model structure, i.e., Key Bytes Selection (KBS) and Attention Module Simplification (AMS) strategy. Finally, we obtain the optimized UltraLite model-GateKeeper, specifically tailored for integration into IoT gateway deployments, where high-speed real-time identification is paramount. Our extensive experiments demonstrate that GateKeeper performs remarkably in identifying malicious IoT traffic, achieving over 97% accuracy in all three IoT malicious traffic classification benchmark tasks, outperforming six state-of-the-art methods. Besides, GateKeeper’s parameters and FLOPs are 65% smaller than those of existing methods. Moreover, in the case of an IoT gateway platform, GateKeeper demonstrates remarkably low time overhead and hardware resource utilization, surpassing state-of-the-art methods.

An encrypted traffic identification method based on multi-scale feature fusion

As data privacy issues become more and more sensitive, increasing numbers of websites usually encrypt traffic when transmitting it. This method can largely protect privacy, but it also brings a huge challenge. Aiming at the problem that encrypted traffic classification makes it difficult to obtain a global optimal solution, this paper proposes an encrypted traffic identification model called the ET-BERT and 1D-CNN fusion network (BCFNet), based on multi-scale feature fusion. This method combines feature learning with classification tasks, unified into an end-to-end model. The local features of encrypted traffic extracted based on the improved Inception one-dimensional convolutional neural network structure are fused with the global features extracted by the ET-BERT model. The one-dimensional convolutional neural network is more suitable for the encrypted traffic of a one-dimensional sequence than the commonly used two-dimensional convolutional neural network. The proposed model can learn the nonlinear relationship between the input data and the expected label and obtain the global optimal solution with a greater probability. This paper verifies the ISCX VPN-nonVPN dataset and compares the results of the BCFNet model with the other five baseline models on accuracy, precision, recall, and F1 indicators. The experimental results demonstrate that the BCFNet model has a greater overall effect than the other five models. Its accuracy can reach 98.88%.

Deep Learning-Based Efficient Analysis for Encrypted Traffic

To safeguard user privacy, critical Internet traffic is often transmitted using encryption. While encryption is crucial for protecting sensitive information, it poses challenges for traffic identification and poses hidden dangers to network security. As a result, the precise classification of encrypted network traffic has become a crucial problem in network security. In light of this, our paper proposes an encrypted traffic identification method based on the C-LSTM model for encrypted traffic recognition by leveraging the power of deep learning. This method can effectively extract spatial and temporal features from encrypted traffic, enabling accurate identification of traffic types. Through rigorous testing and evaluation, our system has achieved an impressive accuracy rate of 96.4% on the widely used ISCXVPN2016 dataset. This achievement demonstrates the effectiveness and reliability of our method in accurately classifying encrypted network traffic. By addressing the challenges posed by encrypted traffic identification, our research contributes to enhancing network security and privacy protection.

A network traffic identification method based on AutoEncoder - a feature selection algorithm

Traffic identification methods consider a large number of traffic features, resulting in low identification efficiency. To address the efficiency problem of traffic recognition, this paper proposes an efficient network traffic recognition method, AutoEncoder-based traffic recognition (AE-NTI). The method first preprocesses the original dataset and converts it into a two-dimensional grayscale image. Then, feature selection is performed by an improved feature selection algorithm based on AutoEncoder. The algorithm consists of a feature scorer, which globally scores all features, and a feature selector, which selects the highest scoring features to reconstruct the original data. Finally, the convolutional neural network structure is adjusted so that the network traffic can be identified. The experimental results show that the method has significantly improved in recognition accuracy and model fitting speed.

AE-DTI: An Efficient Darknet Traffic Identification Method Based on Autoencoder Improvement

With the continuous expansion of the darknet and the increase in various criminal activities in the darknet, darknet traffic identification has become increasingly essential. However, existing darknet traffic identification methods rely on all traffic characteristics, which require a long computing time and a large amount of system resources, resulting in low identification efficiency. To this end, this paper proposes an autoencoder-based darknet traffic identification method (AE-DTI). First, AE-DTI maps the feature values to pixels of a two-dimensional grayscale image after deduplication and denoising of the darknet traffic dataset. Then, AE-DTI designs a new feature selection algorithm (AE-FS) to downscale the grayscale graph, and AE-FS trains a feature scoring network, which globally scores all the features based on the reconstruction error to select the features with scores greater than or equal to a set threshold value. Finally, AE-DTI uses a one-dimensional convolutional neural network with a dropout layer to identify darknet traffic on the basis of alleviating overfitting. Experimental results on the ISCXTor2016 dataset show that, compared with other dimensionality reduction methods (PCA, LLE, ISOMAP, and autoencoder), the classification model trained with the data obtained from AE-FS has a significant improvement in classification accuracy and classification efficiency. Moreover, AE-DTI also shows significant improvement in recognition accuracy compared with other models. Experimental results on the CSE-CIC-IDS2018 dataset and CIC-Darknet2020 dataset show that AE-DTI has strong generalization.

A Large-Scale Mobile Traffic Dataset For Mobile Application Identification

Abstract With Internet access shifting from desktop-driven to mobile-driven, application-level mobile traffic identification has become a research hotspot. Although considerable progress has been made in this research field, two obstacles are hindering its further development. Firstly, there is a lack of sharable labeled mobile traffic datasets. Although it is easy to capture mobile traffic, labeling traffic at the application level is non-trivial. Besides, researchers usually hold a conservative attitude toward publishing their datasets for privacy concerns. Secondly, most of the datasets used by existing studies are inadequate to evaluate the proposed methods, since they usually have the problems of inaccurate labels, small scale and simple collection configurations. To tackle these two obstacles, a mobile traffic collection is carried out in this paper. The collected traffic has the advantages of large-scale data size, accurate application-level labels and diverse collection configurations. Then, the collected traffic is anonymized carefully to make it public. Several mobile traffic identification methods are compared based on our anonymized dataset, which proves the applicability of our dataset.

Tor Anonymous Traffic Identification Based on Parallelizing Dilated Convolutional Network

The widespread use of the onion browser (Tor) has provided a breeding ground for the proliferation of cybercriminal activities and the Tor anonymous traffic identification method has been used to fingerprint anonymous web traffic and identify the websites visited by illegals. Despite the considerable progress in existing methods, problems still exist, such as high training resources required for the identification model, bias in fingerprint features due to the fast iteration of anonymous traffic and singularity in the definition of traffic direction features. On this basis, a Tor anonymous traffic identification model based on parallelizing dilated convolutions multi-feature analysis has been proposed in this paper in order to address these problems and perform better in website fingerprinting. A single-sample augmentation of the traffic data and a model combining multi-layer RBMs and parallelizing dilated convolutions are performed, and binary classification and multi-classification of websites are conducted for different scenarios. Our experiment shows that the proposed Tor anonymous traffic recognition method achieves 94.37% accuracy and gains a significant drop in training time in both closed-world and open-world scenarios. At the same time, the enhanced traffic data enhance the robustness and generalization of our model. With our techniques, our training efficiency has been improved and we are able to achieve the advantage of bi-directional deployability on the communication link.

Noise-Resistant Video Channel Identification

As the video streaming traffic grows exponentially nowadays, variable bitrate (VBR) encoding has been widely utilized by modern live video streaming service providers, such as YouTube, TikTok, and Twitch. However, video bitrate can be a delicate fingerprint of the video streaming, leading to risks of privacy leakage. There are several studies that attempt to eavesdrop the privacy from encrypted video streaming, but most of them presume strict requirements on the implementation environments and have great limitations when noise interference exists. Actually, the video traffic from the multimedia edge server is distinct from interapplication traffic flows due to device customization and can be identified even if there are noise interferences or the victim in a weak network condition. In this paper, a video traffic identification method is proposed to identify the encrypted video streaming from multimedia edge server under the interference of irrelevant traffic flows. Initially, we use an interapplication filter to identify the traffic from the edge server. Then, a longest-common-subsequence (LCS)-based method is developed for similarity matching to resist the noise interference from unpredictable burst traffic and network environment variations. In order to evaluate the system performance, we setup the prototype system with an AWS EC2 server and a raspberry pi device, then utilize the real-world trace data for pushing movies to victims. The experimental results show that the accuracy of our proposed strategy can reach 89.1% within 140 seconds eavesdropping even mixed with 14% noise interference.

A VPN-Encrypted Traffic Identification Method Based on Ensemble Learning

One of the foundational and key means of optimizing network service in the field of network security is traffic identification. Various data transmission encryption technologies have been widely employed in recent years. Wrongdoers usually bypass the defense of network security facilities through VPN to carry out network intrusion and malicious attacks. The existing encrypted traffic identification system faces a severe problem as a result of this phenomenon. Previous encrypted traffic identification methods suffer from feature redundancy, data class imbalance, and low identification rate. To address these three problems, this paper proposes a VPN-encrypted traffic identification method based on ensemble learning. Firstly, aiming at the problem of feature redundancy in VPN-encrypted traffic features, a method of selecting encrypted traffic features based on mRMR is proposed; secondly, aiming at the problem of data class imbalance, improving the Xgboost identification model by using the focal loss function for the data class imbalance problem; Finally, in order to improve the identification rate of VPN-encrypted traffic identification methods, an ensemble learning model parameter optimization method based on optimal Bayesian is proposed. Experiments revealed that our proposed VPN-encrypted traffic identification method produced more desirable VPN-encrypted traffic identification outcomes. Meanwhile, using two encrypted traffic datasets, eight common identification algorithms are compared, and the method appears to be more accurate in identifying encrypted traffic.

A Survey of techniques for fine-grained web traffic identification and classification.

After decades of rapid development, the scale and complexity of modern networks have far exceed our expectations. In many conditions, traditional traffic identification methods cannot meet the demand of modern networks. Recently, fine-grained network traffic identification has been proved to be an effective solution for managing network resources. There is a massive increase in the use of fine-grained network traffic identification in the communications industry. In this article, we propose a comprehensive overview of fine-grained network traffic identification. Then, we conduct a detailed literature review on fine-grained network traffic identification from three perspectives: wired network, mobile network, and malware traffic identification. Finally, we also draw the conclusion on the challenges of fine-grained network traffic identification and future research prospects.

Research on Topology and Security Behaviour Intelligent Analysis by Hybrid P2P Traffic

At present, most of the popular P2P topology sharing systems are based on unstructured P2P topology. This topology uses flooding method to spread query information, which has good stability, but the efficiency is very low. According to the changing characteristics of the communication attribute state of the network behavior which occupies a large network bandwidth and communicates more frequently, an attribute migration state-oriented network communication behavior analysis method is proposed. The research on the identification of P2P traffic is of great significance for the management of P2P network. In view of the shortcomings of the current P2P traffic identification methods, such as large error and unstable identification results, in order to improve the identification effect of P2P traffic, a P2P traffic identification method based on neural network is proposed. This paper proposes a network file sharing system Kapa, which is based on a hybrid hierarchical P2P topology, which combines the advantages of unstructured and structured P2P topology and has strong practicability. The recognition effect and reliability of this method for P2P applications are verified.

Urban Road Network Emergency: An Integrative Vulnerability Identification Method

The vulnerability of an urban road network is affected by many factors, such as internal road network layout, network structure strength, and external destructive events, which have great uncertainty and complexity. Thus, there is still no unified and definite vulnerability analysis scheme available to cities. This paper proposes an integrative vulnerability identification method for urban road networks, which mainly relates to the vulnerability connotation and characteristics analysis of urban road networks during emergency, and vulnerability comprehensive evaluation indices design based on urban road network connectivity, traffic efficiency and performance, and an empirical study on a vulnerability identification method of an urban road network. In the empirical case, a real road network and traffic operation data were used from Science and Technology Park of Shenzhen City, China. In the context of one certain emergency scenario, the stated preference survey method and maximum likelihood method are used to solve the road users’ random travel choice behavior parameters; subsequently, based on the traffic equilibrium distribution prediction, the traffic vulnerability identification methods of the road network in this region were verified before and after the emergency. The method presented here not only considers the impact of network topology changes on road network traffic function during emergency but also considers the impact of dynamic changes in road network traffic demand on vulnerability; therefore, it is closer to the actual distribution of urban road network traffic vulnerability.

TOR Anonymous Traffic Fingerprint Extraction and Recognition Based on Neural Network

The TOR anonymous communication system is an important means to protect network communication security and user privacy, but there are still criminals trying to destroy the confidentiality of the anonymous communication system through some special methods. Aiming at the abuse of the TOR anonymous communication system, this paper proposes a neural network-based anonymous traffic identification method, which uses a one-dimensional convolutional neural network for feature extraction, prediction and classification, and finally integration. In the experiment, nearly 100 websites were selected for the flow feature extraction and recognition based on one-dimensional convolutional neural network. The recognition accuracy rate is 87.5%, indicating that this method can effectively fingerprint TOR anonymous communication.

Airborne Network Traffic Identification Method under Small Training Samples

Due to the high cost and difficulty of traffic data set acquisition and the high time sensitivity of traffic distribution, the machine learning-based traffic identification method is difficult to be applied in airborne network environment. Aiming at this problem, a method for airborne network traffic identification based on the convolutional neural network under small traffic samples is proposed. Firstly, the pre-training of the initial model for the convolutional neural network is implemented based on the complete data set in source domain, and then the retraining of the convolutional neural network is realized through the layer frozen based fine-tuning learning algorithm of convolutional neural network on the incomplete dataset in target domain, and the convolutional neural network model based feature representing transferring(FRT-CNN) is constructed to realize online traffic identification. The experiment results on the actual airborne network traffic dataset show that the proposed method can guarantee the accuracy of traffic identification under limited traffic samples, and the classification performance is significantly improved comparing with the existing small-sample learning methods.

Computer Network Flow Recognition Method Based on Improved Support Vector Machine

Computer network traffic recognition based on improved support vector machine is a defect of current mainstream network traffic algorithm, designed a network traffic prediction algorithm based on improved support vector machine. This paper mainly introduces the computer network traffic identification method based on improved support vector machine. This article mainly analyzes the related content of network traffic prediction, including the linear and nonlinear characteristics of network traffic, the theoretical basis of network traffic prediction and the method of obtaining traffic data. This paper studies support vector machine theory and least square support vector machine, and proposes an improved algorithm for least square support vector machine. The purpose of this article is to design a network traffic identification and analysis system. On the one hand, by monitoring the network traffic, we will be able to grasp the operation of the entire network in real time;on the other hand, the system statistically analyzes the results of different stages, We have a more comprehensive understanding of the operational efficiency of network resources, network performance and the rationality of network configuration. The experimental results in this paper show that the recognition efficiency of traffic based on the improved support vector machine method has been significantly improved. Under this method, the security problem of traffic has been increased by 14%, and the efficiency of traffic has been increased by 24%. The improved support vector machine will be the future computer network The development trend of traffic identification direction.

Short Text Classification and Clustering based Mobile Application Traffic Identification Method

With the rapid development of mobile network, mobile traffic accounts for a large proportion of network traffic nowadays, and mobile application traffic identification is becoming increasingly important in network security. For mobile application traffic identification, recent works have focused on proposing supervised classifiers that have shown promising performance. However, it is difficult to obtain labeled traffic in practice and most of the traffic is unlabeled. In this paper, we propose a semi-supervised mobile application traffic identification method based on short text classification and clustering, which requires only a small number of labeled samples to classify traffic. First, plain text in mobile traffic is regarded as short text and its features are extracted using a short text classification algorithm. Then K-Means++ is used to cluster the samples and give the predictions. Experimental results show that the proposed method is more effective than the semi-supervised traffic identification methods that use statistical features.

A Timeliness-Enhanced Traffic Identification Method in Airborne Network

High dynamic topology and limited bandwidth of the airborne network make it difficult to provide reliable information interaction services for diverse combat mission of aviation swarm operations. Therefore, it is necessary to identify the elephant flows in the network in real time to optimize the process of traffic control and improve the performance of airborne network. Aiming at this problem, a timeliness-enhanced traffic identification method based on machine learning Bayesian network model is proposed. Firstly, the data flow training subset is obtained by preprocessing the original traffic dataset, and the sub-classifier is constructed based on Bayesian network model. Then, the multi-window dynamic Bayesian network classifier model is designed to enable the early identification of elephant flow. The simulation results show that compared with the existing elephant flow identification method, the proposed method can effectively improve the timeliness of identification under the condition of ensuring the accuracy of identification.

Deep learning-based real-time VPN encrypted traffic identification methods

With the widespread application of virtual private network (VPN) technology, real-time VPN traffic identification has become an increasingly important task in network management and security maintenance. Since traditional encrypted traffic identification technology is not effective in feature extraction and selection, this paper proposes two deep learning-based models to classify the traffic into VPN and non-VPN traffic, identify VPN traffic generated by six different applications much further. Our models utilize convolutional auto-encoding (CAE) and convolutional neural network (CNN), respectively, preprocessing the traffic samples into session pictures, to accomplish the experiment objectives. The CAE-based method, utilizing the unsupervised nature of CAE to extract the hidden layer features, can automatically learn the nonlinear relationship between original input and expected output. The CNN-based method performs well in extracting two-dimensional local features of images. Experimental results show that our models perform better than traditional identification methods. In the two-category identification, the best result comes from the CAE-based model; the overall identification accuracy rate is 98.77%. Among the six-category identification, the best result comes from CNN-based model; the overall identification accuracy rate is 92.92%.

Detecting Proxy User Based on Communication Behavior Portrait

Abstract Proxies can help users to bypass the network filtering system, leaving the network open to banned content, and can also enable users to anonymize themselves for terminal security protection. Proxies are widely used in the current network environment. However, certain spy proxies record user information for privacy theft. In addition, attackers can use such technologies to anonymize malicious behaviors and hide identities. Such behaviors have posed serious challenges to the internal defense and security threat assessment of an organization; however, the anonymity of the proxy makes it consistent with normal network communication, and general network traffic identification methods are not able to detect it. To accurately and effectively discover proxy users in the organization based on s, a proxy user detection method based on communication behavior portrait offers the following: (1) analysis of the communication behavior from the perspective of the portrait. Based on not abandoning the effective information of the traffic itself, the label system is established by introducing exogenous data to identify the difference between proxy communication and normal communication. (2) Construction of the portrait feature set of proxy user detection based on the traffic file and external data by studying the differences between the attribute sets of communication behavior labels for proxy users and non-proxy users. (3) Design and implementation a data-driven machine learning method to supply guidance for automatic recognition of such behavior. The experimental results show that, compared with state-of-the-art methods, the detection accuracy for the proxy user exceeds 95%, and that of real network traffic environment exceeds 85%. These results indicate that the detection method proposed in this paper can accurately distinguish proxy communication and normal communication and thus achieves precise proxy user detection.

Intelligent VNFs Selection Based on Traffic Identification in Vehicular Cloud Networks

Internet of Vehicles (IoV) has become a significant research area due to its specific features and applications such as efficient traffic management, road safety, and entertainment. Vehicles are expected to carry relatively more communication systems, onboard computing facilities, storage, and increased sensing power. Vehicular Cloud Network (VCN) is a hybrid technology that has a remarkable impact on IoV by instantly using vehicular resources. Merging software-defined networking with VCN is valuable to vehicular networks. Network function virtualization can be deployed across the servers and vehicles within the VCN to provide customized agile services. Its deployment requires an appropriate management strategy that often manifests as the difficult online decision making tasks. This paper proposes an intelligent Virtualized Network Functions (VNFs) selection strategy. For satisfying the quality requirements of different vehicular services, this strategy is based on the results of traffic identification that utilizes deep neural network and Multi-Grained Cascade Forest to distinguish service behaviors. According to the order of VNFs, the vehicular network is divided into several layers where each arrived packet needs to be queued. The scheduler of each layer selects a layer to host the next VNF for the packets in the queue. Our experiments demonstrate that the proposed traffic identification method increases the precision by 7.7% and improves the real-time performance. Furthermore, the proposed model of VNFs selection reduces network congestion compared to traditional scheduling models.