Traffic Packet Research Articles

ML-based Intrusion Detection System for Precise APT Cyber-clustering

As more and more documents are converted from hard copies to digital formats and move to cloud storage, securing data access has become a critical and emergent security concern. Without a doubt, intrusion detection system (IDS) has become the primary defense mechanism for governments and enterprises to identify network attacks. However, the emergence of Advanced Persistent Threat (APT) has brought heightened challenges for an IDS, since malicious hackers can deploy various attacks to penetrate information systems invisibly over extended periods of time. Thus, the authors aim to design a High Discrimination APT Intrusion Detection System (HDAPT-IDS); consisting of Cyber Clustering Module (CCM) and Clustering Analysis Module (CAM). CCM conducts a preliminary classification of traffic packets and utilizes the random forest algorithm to predict the main-class, while CAM selects the applicable Deep Neural Network (DNN) based on the prediction results of CCM to derive the sub-class of traffic packets as the final result. Aside from laying out a high detection rate, HDAPT-IDS can effectively reduce the number of categories during classification to achieve better performance.

Evaluating the cost of classifier discrimination choices for IoT sensor attack detection

The intrusion detection of IoT devices through the classification of malicious traffic packets have become more complex and resource intensive as algorithm design and the scope of the problems have changed. In this research, we compare the cost of a traditional supervised pattern recognition algorithm (k-Nearest Neighbor (KNN)), with the cost of a current deep learning (DL) unsupervised algorithm (Convolutional Neural Network (CNN)) in their simplest forms. The classifier costs are calculated based on the attributes of design, computation, scope, training, use, and retirement. We find that the DL algorithm is applicable to a wider range of problem-solving tasks, but it costs more to implement and operate than a traditional classifier. This research proposes an economic classifier model for deploying suitable AI-based intrusion detection classifiers in IoT environments. The model was empirically validated on the IoT-23 dataset using KNN and CNN. This study closes a gap in prior research that mostly concentrated on technical elements by incorporating economic factors into the evaluation of AI algorithms for IoT intrusion detection. This research thus evaluated the economic implications of deploying AI-based intrusion detection systems in IoT environments, considering performance metrics, implementation costs, and the cost of classifier discrimination choices. Researchers and practitioners should focus on the cost–benefit trade-offs of any artificial intelligence application for intrusion detection, recommending an economic evaluation and task fit assessment before adopting automated solutions or classifiers for IoT intrusion detection, particularly in large-scale industrial settings that involve active attacks.

A novel approach for application classification with encrypted traffic using BERT and packet headers

Recent years have seen substantial advancements in Internet technology along with environmental changes, which have led to the emergence of various security issues. There is also a trend of explosive growth in applications that encrypt network traffic for various types of services. Therefore, the classification of applications within encrypted traffic represents an important research issue for both secure network management and efficient bandwidth management. In such encrypted traffic, the payload itself is encrypted, and it is no longer viable to classify applications based on signatures extracted from plaintext. Most applications in public datasets for encrypted traffic classification are collected with the same IP address and port number, which makes the 5-tuple information a strong identifier. However, this 5-tuple contains many characteristics related to both the traffic collection environment and user-specific traits, rather than intrinsic features of the applications themselves. Therefore, when addressing the problem of encrypted traffic application classification, it is advisable to utilize header information excluding the 5-tuple and payload. Therefore, this paper proposes a novel service type and application classification system based on the Bidirectional Encoding Representation Transformer (BERT), which utilizes packet header information from encrypted traffic. The proposed system ensures the accuracy and generalization performance of the classification model by using only the header information from traffic packets, excluding the 5-tuple and payload. Further, to preserve the characteristics and semantic meaning of an encrypted traffic packet, sentences embedded with 2-byte tokens were used as input for BERT. The proposed system was designed to exclude labeling information from all sentences during the pre-training phase before proceeding with training. Fine-tuning was then conducted to align the system with the objectives of the service type and application classification. This experiment utilized the publicly available ISCX VPN-nonVPN dataset, and the proposed model achieved remarkable accuracy in the key performance measure, i.e., F1-scores, with values of 99.24 % in service type classification and 98.74 % in application classification. This capability can be used in maintaining the confidentiality of encrypted traffic, network security monitoring, Quality of Service (QoS), and traffic management in complex IT environments.

Sketching of interactive VoIP traffic with multivariate statistical learning-based classification

Classifying VoIP (Voice over Internet Protocol) traffic is vital for optimizing network performance and Quality of Service (QoS). This study introduces the Multivariate Statistical-Based Classification (MVSC) system, designed to classify network traffic with high accuracy and efficiency. As traditional methods struggle in the diverse and complex landscape of today’s network traffic, which includes voice, video, gaming, and data, the MVSC algorithm rises to the challenge. It employs Statistical Dissemination and leverages various statistical features such as Packet Size, Inter-Arrival Statistics, Packet and Data rates, Flow Length, and Five-tuple information to create nuanced profiles of network traffic packets. These packets are then grouped into distinct clusters based on their statistical attributes through Application Flow Cluster Grouping. A unique aspect of the MVSC system is its approach to representing each application flow as points in a two-dimensional space, where distances to predefined application profiles are calculated. The nearest profile then determines the type of VoIP traffic. Experimental results using university traffic data (KU-IDS) underscore the system’s high accuracy, consistently around 98-99%. These findings affirm the system’s suitability for real-time deployment. In summary, the MVSC system offers a robust and efficient solution for VoIP traffic classification, significantly boosting network performance and QoS, and proving to be an invaluable asset in contemporary network management.

A Review: Machine Learning Approaches for Zero-Day Attacks Recognition

Advancements and rapid technological developments in information age promoted computerization of day to day activities in all walks of life. As technology is growing rapidly, the cybercrime rate also increases both in number and complexity. Since a variety of attacks evolves regularly with complex patterns and varied signatures the task of securing cyberspace becomes more and more difficult and challenging. To minimize the impact of cybercrime through early detection of intrusions, network activity in terms of network traffic, is monitored in real-time thus accumulating huge data which is sometimes erroneous. Therefore, synergizing the concepts of cybersecurity and data analytics is essential to develop effective security algorithms for attack detection. Existing security measures like firewalls are no longer sufficient to deal with these emerging attacks. Because the firewall only checks the header of the data packet, it doesn't go through the details of the packet. Intrusion Detection Systems (IDSs) are the systems introduced as a second line of security after firewalls to handle cyber intrusions more efficiently. IDSs play a key role in protecting cyberspace by examining the entire details of the traffic packets to detect intrusions.

Estimation of the Noise Immunity Characteristics of Telecommunication Network

The harmful impacts of various interference sources in the communication channel of data transmission systems and an increasing noise immunity in linear distortion conditions are important problems in the development of information transmission systems. To improve reliability and the data receiving accuracy, a mathematical model is developed, which allows to assessment of the survivability of telecommunication systems to interference at incoherent receiving. In this case is assumed that system impact the unintentional sources. The mathematical model considers the communication quality, spectral efficiency, coding method, and modulation principle used during the multimedia services. Presently, the development of the corporate multiservice communication networks is in conditions where the size of user and service traffic packets is rapidly increase. To ensure transmission reliability is promising of an implementation of the coherent modem. It will allow a decrease in the failures of such systems. To increase the transmission rate used coherent modem with noise-resistant characteristics. However, the communication quality in this case is decreased, due to more influence of the inter-symbol interference to the data quality receiving. The synthesis of optimal signals based on rectangular pulses with different shapes by the coherent modem for the data transmission system aims is solved by using of matching filter that has a pulse transient response. To obtain this the frequency limiter is used at the output of the channel digital demodulator. One of the ways to properly solve the problem noted above is by applying in the development of telecommunication multiservice networks the mathematical model with correction ability. This one can be developed based on the optimal signal-receiving theory.

Detecting Network Intrusion Anomalies with RNN (LSTM)- Based Deep Learning Models

As more and more network devices and services are used, there is a growingneed for security measures as hackers attempt to take down or steal data from target systems. One of the key components of network perimetersecurity isthe intrusion detectionsystem (IDS), which looks through operating system logs or network traffic packets to identify threats. Although previous research has shown the effectiveness of several machine learning algorithms, relatively few of these studies have made use of the time-series information included in network traffic data. Neural network-based methods have notincorporated category data either. In this paper, we offer models for network intrusion detection based on categorical information using the embedding technique and sequential information using the long short-term memory (LSTM) network. Using the extensive networktraffic dataset KDD CUP 99, we have tested the models. The findings of the trial confirm that the suggested strategy improves performance, with a 99.72% binary classification accuracy. Keywords: Machine Learning, Deep Learning ,Network Intrusion Detection, Long Short-Term Memory ,Feature Selection

DATA MINING IMPLEMENTATION FOR DETECTION OF ANOMALIES IN NETWORK TRAFFIC PACKETS USING OUTLIER DETECTION APPROACH

The large number of data packet records of network traffic can be used to evaluate the quality of a network as well as to analyze the occurrence of anomalies in the network, both related to network security and network performance. Based on the data obtained, the occurrence of anomalies in computer networks can not be detected specifically on which traffic packets. Meanwhile, to monitor network traffic packets manually will require a lot of time and resources, making it difficult to detect potential anomaly events more specifically. This study analyzes network packet traffic data to see records that include anomalies with an outlier detection approach, using the Isolation Forest algorithm to detect outliers on network traffic packet data, with the result that minority data are of the outliers type of 1,643 records (4.86%), while inliers are 32,098 records (95.13%). Then check and filter the expert attributes that contain expert information. The outlier detection results were classified using 5 algorithms as comparison, namely Random Forest Classifier, Support Vector Machine, Decision Tree Classifier, K-Nearest Neighbor, and Bernoulli Naive Bayes. The Random Forest algorithm has the highest score for accuracy, macro average precision, and macro average f1-score, namely 0.9962067330488383; 0.78; and 0.82. The classification model can be used to classify samples with labels "inliers", "outliers", "Error", and "warning outliers". There are labels that have scores for precision, recall, and f1-scrore that are not too high, namely the labels “error” (0.50; 1.00; and 0.67) and “warning outlier” (0.64; 0 .70; 0.67). The resulting classification model is used for prototype development that facilitates the process of investigating potential network traffic packet anomalies more specifically.

Framework for identifying network attacks through packet inspection using machine learning

Abstract In every network, traffic anomaly detection system is an essential field of study. In the communication system, there are various protocols and intrusions. It is still a testing area to find high precision to boost the correct distribution ratio. Many authors have worked on various algorithms such as simple classification, K-Means, Genetic Algorithm, and Support Vector Machine approaches, and they presented the efficiency and accuracy of these algorithms. In this article, we have proposed a feature extraction technique known as “k-means clustering,” which has its roots in signal processing and is employed to divide a set of n observations into k clusters, each of which has its origin from the observation with the closest mean. K-Means method is applied in this study to investigate the stream and its implementation and applications using Python and the dataset on the KDDcup99. The effectiveness of the outcome indicates the planned work’s efficiency in relation to other widely available alternatives. Apart from the applied method, a web-based framework is designed, which can inspect an actual network traffic packet for identifying network attacks. Instead of using a static file for testing the network attack, a web page-based solution uses database to collect and test the information. Real-time packet inspection is provided in the proposed work for identifying new attacks.

Semisupervised Graph Neural Networks for Traffic Classification in Edge Networks

Edge networking brings computation and data storage as close to the point of request as possible. Various intelligent devices are connected to the edge nodes where traffic packets flow. Traffic classification tasks are thought to be a keystone for network management; researchers can analyze packets captured to understand the traffic as it hits their network. However, the existing traffic classification framework needs to conduct a unified analysis, which leads to the huge bandwidth resources required in the process of transferring all captured packet files to train a global classifier. In this paper, a semisupervised graph neural network traffic classifier is proposed for cloud-edge architecture so that cloud servers and edge nodes could cooperate to perform the traffic classification tasks in order to deliver low latency and save bandwidth on the edge nodes. To preserve the structural information and interrelationships conveyed in packets within a session, we transform traffic sessions into graphs. We segment the frequently combined consecutive packets into granules, which are later transformed into the nodes in graphs. Edges could extract the adjacency of the granules in the sessions; the edge node side then selects the highly representative samples and sends them to the cloud server; the server side uses graph neural networks to perform semisupervised classification tasks on the selected training set. Our method has been trained and tested on several datasets, such as the VPN-nonVPN dataset, and the experimental results show good performance on accuracy, recall, and F-score.

Cloud-edge coordinated traffic anomaly detection for industrial cyber-physical systems

Industrial cyber-physical systems (ICPSs) are facing increasing cyber threats that can cause catastrophes in the physical systems. Efficient network traffic anomaly detection is essential for guaranteeing the system’s security and reliability. However, existing research on network traffic anomaly detection for ICPS has several limitations. First, most traffic anomaly detection models focus on centralized detection. Thus, all traffic packets have to be uploaded to the control center for detection, which leads to a heavy traffic load. However, real-time and reliable communication is crucial to ICPSs. The heavy traffic load may cause communication delays or packets lost by corruption. Second, Seasonal AutoRegressive Integrated Moving Average (SARIMA) is popular in ICPS network traffic anomaly detection. However, most SARIMA-based detection models can only detect anomalous traffic once. Thus, they are unable to detect anomalies continuously and are not suitable for actual ICPS. Third, the features extracted from network traffic affect the classification performance. However, most existing feature extraction models cannot sufficiently extract traffic features, leading to poor detection performance. To address the limitations above, this paper proposes a cloud-edge coordinated network traffic anomaly detection approach. The proposed approach consists of a set of anomalous traffic alarm models deployed in the edge areas and an anomalous traffic analysis model deployed in the cloud. The former is implemented based on Improved Online SARIMA (IOSARIMA) algorithm that can detect anomalous traffic continuously and upload it to the cloud for further analysis, filtering massive normal traffic packets and making traffic load smaller. The anomalous traffic analysis model consists of a feature extraction algorithm and a Convolutional Neural Network (CNN) classifier, which can sufficiently extract traffic features and identify the attack types precisely. The proposed anomaly detection approach is extensively evaluated on a realistic ICPS testbed, including 3 edges (i.e., power generation, power transmission and power distribution) and a cloud consisting of an engineering workstation and a Supervisory Control And Data Acquisition (SCADA) workstation. The experimental results confirm the smaller traffic load and better detection performance, compared with the existing detection models.

A new platform for machine-learning-based network traffic classification

This study provides a new platform for classifying encrypted network traffic based on machine learning (ML) techniques. The architecture of the platform is designed for real-world network traffic classification problems with performance-oriented, practical, and up-to-date software technologies. In addition, this study introduces a new feature extraction method to the literature. The proposed platform applies ML techniques with flow-based statistical features of encrypted network traffic and new feature extraction. It takes network traffic packets as input and passes them through feature extraction, data preparation, and ML stages. In the feature extraction stage, network flows are extracted from the network traffic data by calculating their features with the NFStream tool. During the data preparation stage, the dataset is transformed into a processable state for the ML algorithm with the Apache Spark framework. This stage also includes the feature selection operation. The ML stage runs GBTree, LightGBM, and XGBoost algorithms. Moreover, we use the MLflow framework in the proposed process management to observe the ML lifecycle, including experimentation, reproducibility, and deployment. The experimental results show that the XGBoost algorithm achieves the best result with an F1 score of above 99%.

Semisupervised Federated-Learning-Based Intrusion Detection Method for Internet of Things

Federated learning (FL) has become an increasingly popular solution for intrusion detection to avoid data privacy leakage in Internet of Things (IoT) edge devices. Existing FL-based intrusion detection methods, however, suffer from three limitations: (1) model parameters transmitted in each round may be used to recover private data, which leads to security risks, (2) not independent and identically distributed (non-IID) private data seriously adversely affects the training of FL (especially distillation-based FL), and (3) high communication overhead caused by the large model size greatly hinders the actual deployment of the solution. To address these problems, this paper develops an intrusion detection method based on semi-supervised FL scheme via knowledge distillation. First, our proposed method leverages unlabeled data via distillation method to enhance the classifier performance. Second, we build a model based on convolutional neural networks (CNN) for extracting deep features of the traffic packets, and take this model as both the classifier network and discriminator network. Third, the discriminator is designed to improve the quality of each client’s predicted labels, to avoid the failure of distillation training caused by a large number of incorrect predictions under private non-IID data. Moreover, the combination of hard-label strategy and voting mechanism further reduces communication overhead. Experiments on the real-world traffic dataset with three non-IID scenarios show that our proposed method can achieve better detection performance as well as lower communication overhead than state-of-the-art methods.

Anomaly traffic detection based on feature fluctuation for secure industrial internet of things.

The detection of anomaly traffic in internet of things (IoT) is mainly based on the original binary data at the traffic packet level and the structured data at the session flow level. This kind of dataset has a single feature extraction method and relies on prior manual knowledge. It is easy to lose critical information during data processing, which reduces the validity and robustness of the dataset. In this paper, we first construct a new anomaly traffic dataset based on the traffic packet and session flow data in the Iot-23 dataset. Second, we propose a feature extraction method based on feature fluctuation. Our proposed method can effectively solve the disadvantage that the data collected in different scenarios have different characteristics, which leads to the feature containing less information. Compared with the traditional anomaly traffic detection model, experiments show that our proposed method based on feature fluctuation has stronger robustness, can improve the accuracy of anomaly traffic detection and the generalization ability of the traditional model, and is more conducive to the detection of anomalous traffic in IoT.

Enriched Model of Case Based Reasoning and Neutrosophic Intelligent System for DDoS Attack Defence in Software Defined Network based Cloud

Software Defined Networking in Cloud paradigm is most suitable for dynamic functionality and reduces the computation complexity. The routers and switches located at the network's boundaries are managed by software-defined netwrking (SDN) using open protocols and specialised open programmable interfaces. But the security threats often degrade the performance of SDN due to its constraints of resource usage. The most sensitive components which are vulnerable to DDoS attacks are controller and control plane bandwidth. The existing conventional classification algorithms lacks in detection of new or unknown traffic packets which are malicious and results in degradation of SDN performance in cloud resources. Hence, in this paper double filtering methodology is devised to detect both known and unknown pattern of malicious packets which affects the bandwidth of the control panel and the controller. The case-based reasoning is adapted for determining the known incoming traffic patterns before entering the SDN system. It classifies the packets are normal or abnormal based on the previous information gathered. The traffic patterns which is not matched from the previous patterns is treated as indeterministic packet and it is defined more precisely using the triplet representation of Neutrosophic intelligent system. The grade of belongingness, non-belongingness and indeterminacyis used as the main factors to detect the new pattern of attacking packets more effectively. From the experimental outcomes it is proved that DDoS attack detection in SDN based cloud environment is improved by adopting CBR-NIS compared to the existing classification model.

Spatial-Temporal Feature with Dual-Attention Mechanism for Encrypted Malicious Traffic Detection

While encryption ensures the confidentiality and integrity of user data, more and more attackers try to hide attack behaviours through encryption, which brings new challenges to malicious traffic identification. How to effectively detect encrypted malicious traffic without decrypting traffic and protecting user privacy has become an urgent problem to be solved. Most of the current research only uses a single CNN, RNN, and SAE network to detect encrypted malicious traffic, which does not consider the forward and backward correlation between data packets, so it is difficult to effectively identify malicious features in encrypted traffic. This study proposes an approach that combines spatial-temporal feature with dual-attention mechanism, which is called TLARNN. Specifically, first we use 1D-CNN and BiGRU to extract spatial features in encrypted traffic packets and temporal features between encrypted streams, respectively, which enriches the features of different dimensions, and then, the soft attention mechanism is focused on the encrypted data packets to extract features. Ultimately, the second layer of the soft attention mechanism is used for aggregating malicious features. Several comparative experiments are designed to prove the effectiveness of the proposed scheme. The experimental results demonstrate that the proposed scheme has a significant performance improvement compared to existing ones.

Implementation Failure Recovery Mechanism using VLAN ID in Software Defined Networks

Link failure is a common problem that occurs in software-defined networks. The most proposed approach for failure recovery is to use pre-configured backup paths in the switch. However, it may increase the number of traffic packets after the traffic is rerouted through the backup path. In this research, the proposed method is the implementation of a failure recovery mechanism by utilizing the fast failover group feature in OpenFlow to store pre-configured backup paths in the switch. The disrupted traffic packets will be labeled using the VLAN ID, which can be used as a matching field. Due to this capability, VLAN ID can aggregate traffic packets into one entry table as a match field in the forwarding rules. Through implementation and evaluation, it is shown that the system can build a backup path in the switch and reroute the disrupted traffic to the backup path. Based on the parameters used, the results show that the proposed approach achieves a recovery time of around 1.02-1.26ms. Additionally, it can reduce the number of traffic packets and has a low amount of packet loss compared to previous methods.

DDoS Detection using Deep Learning

The network's infrastructure becomes more vulnerable to cyber-attacks as the number of services offered through the internet expands. The complexity of "Distributed Denial-of-Service (DDoS)" threats on the internet has recently increased, posing a challenge to typical protection systems. As a result, early identification and separation of network data is the most crucial part of protecting against DDoS threats. A "Long Short-Term Memory (LSTM)" based model is created in this study to identify DDoS threats on a sample of network traffic packets. LSTM is a deep learning technique that includes a feature selection and extraction algorithm. When trained, it updates itself; Even with a smaller number of data points, LSTM functions swiftly and correctly. Using the "CICDDoS2019 dataset" for training and testing, the suggested LSTM model can achieve an accuracy of up to 98 percent in the current work, and Deep learning exceeds machine learning on the CICDDoS2019 dataset.

ANALYSIS OF NETWORK TRAFFIC THREATS ACROSS OSI MODEL LAYERS FOR DYNAMIC RTO CALCULATION IN THE CONTEXT OF COMBATING DDoS ATTACKS

This document provides an examination of current threats to network security, viewed through the lens of network traffic analysis at various OSI model layers. It delves into the different forms of Distributed Denial of Service (DDoS) attacks and their ramifications on the Transmission Control Protocol (TCP), with a specific focus on a critical parameter - the Retransmission Timeout (RTO). The text also divulges fundamental algorithms and techniques for calculating RTO, encompassing adaptive methodologies that harness machine learning and artificial intelligence for optimizing the TCP/IP stack. In particular, it offers insights into the functioning of the RTO calculation algorithm, a pivotal element ensuring the reliability of data transmission via TCP. The document elaborates on how this algorithm dynamically adjusts the RTO value based on network conditions and measured Round Trip Time (RTT) values. Furthermore, it furnishes formulas for computing RTO with diverse parameters. Moreover, the document explores the potential of employing machine learning and data analysis methodologies to detect and preempt DDoS attacks. It elucidates how contemporary technologies empower the use of these approaches to minimize false positives in identifying malicious traffic packets, thereby enhancing the effectiveness of safeguarding information systems. Additionally, it provides an illustration of software and hardware tools employed for the practical implementation of these algorithms in devices facilitating data transmission via Ethernet connections. In summary, this work offers insights into contemporary challenges and issues in the realm of network security, especially in the context of the escalating frequency of DDoS attacks. This information proves valuable for students and professionals engaged in the study of network security and the development of measures to fortify networks and systems.

A Efficient Method to Detect DDos Attack in Cloud Computing

Asma Harbi Alashjaee et al., International Journal of Advanced Trends in Computer Science and Engineering, 11(6), November - December 2022, 218 - 226 218 ABSTRACT Electronic networks and cloud servers face many security problems since they are vulnerable to DDOS attacks. As cloud servers are exposed to attacks similar to legitimate requests on servers, it turns out that they are healthy, but they carry an attack on the data on the servers. DDOS attacks not only affect networks, but also the data carried by servers. In this paper, we proposed a new scheme to discover DDOS attacks. By using a Principal Component Analysis (PCA) scheme for network state analysis on traffic packet data, we divide and segment the network for reducing the overall computation. Comparing the results to the sample entropy, we were able to detect DDOS attacks more accurately.