Similar literature
1.
We consider the problem of traffic anomaly detection in IP networks. Traffic anomalies typically arise when there is focused overload or when a network element fails and it is desired to infer these purely from the measured traffic. We derive new general formulae for the variance of the cumulative traffic over a fixed time interval and show how the derived analytical expression simplifies for the case of voice over IP traffic, the focus of this paper. To detect load anomalies, we show it is sufficient to consider cumulative traffic over relatively long intervals such as 5 min. We also propose simple anomaly detection tests including detection of over/underload. This approach substantially extends the current practice in IP network management where only the first-order statistics and fixed thresholds are used to identify abnormal behavior. We conclude with the application of the scheme to field data from an operational network.

2.

The increasing demand for communication between networked devices connected either through an intranet or the internet increases the need for a reliable and accurate network defense mechanism. Network intrusion detection systems (NIDSs), which are used to detect malicious or anomalous network traffic, are an integral part of network defense. This research aims to address some of the issues faced by anomaly-based network intrusion detection systems. In this research, we first identify some limitations of the legacy NIDS datasets, including a recent CICIDS2017 dataset, which lead us to develop our novel dataset, CIPMAIDS2023-1. Then, we propose a stacking-based ensemble approach that outperforms the overall state of the art for NIDS. Various attack scenarios were implemented along with benign user traffic on the network topology created using graphical network simulator-3 (GNS-3). Key flow features are extracted using cicflowmeter for each attack and are evaluated to analyze their behavior. Several different machine learning approaches are applied to the features extracted from the traffic data, and their performance is compared. The results show that the stacking-based ensemble approach is the most promising and achieves the highest weighted F1-score of 98.24%.


3.
The recent trend of integration among new network services such as long-term evolution (LTE) based on the internet protocol (IP) needs reputable analyses and prediction information on internet traffic. The IP, along with increased internet traffic due to expanding new service platforms such as smartphones, will reflect policies such as network QoS according to new services. The establishment of monitoring methods and analysis plans is thus required for the development of internet traffic, which will analyze its status and predict its future. The paper with the speed of Internet traffic model is developed for monitoring the state of the experiment and verified. The problem is that the proposed service Internet service provider (ISP) to resolve the conflict between the occurrences can be considerably Internet traffic and that the state of data may be helpful in understanding. The paper advancement policy to reflect the network traffic volume of Internet services and users irradiation with increased traffic due to the development and management of the analysis was carried out experimental measurements.

4.
Internet traffic encryption is a very common traffic protection method. Most internet traffic is protected by the encryption protocol called transport layer security (TLS). Although traffic encryption can ensure the security of communication, it also enables malware to hide its information and avoid being detected. At present, most malicious traffic detection methods are aimed at unencrypted traffic. There are some problems in the detection of encrypted traffic, such as a high false positive rate, difficulty in feature extraction, and insufficient practicability. The accuracy and effectiveness of existing methods need to be improved. In this paper, we present TLSmell, a framework that conducts malicious encrypted HTTPS traffic detection with simple connection-specific indicators by using different classifiers based on online training. We perform deep packet analysis of encrypted traffic through data pre-processing to extract effective features, and then the online training algorithm is used for training and prediction. Without decrypting the original traffic, high-precision malicious traffic detection and analysis are realized, which can guarantee user privacy and communication security. At the same time, since there is no need to decrypt the traffic in advance, the efficiency of detecting malicious HTTPS traffic will be greatly improved. Combined with traditional detection and analysis methods, malicious HTTPS traffic is screened, and suspicious traffic is further analyzed by the expert through the context of suspicious behaviors, thereby improving the overall performance of malicious encrypted traffic detection.

5.
Encrypted traffic has become the majority of Internet traffic, and attackers use encryption to evade traditional detection methods. Without decrypting application traffic, network administrators perform deep packet inspection and malicious string matching on the transmitted content to detect malicious communication. To address this problem, this work identifies traffic behaviour from network-layer packet sequences and timing sequences without decrypting the traffic, uses oversampling to handle the imbalance between malicious and benign samples, and builds a detection model on an LSTM recurrent neural network. Detection experiments using normal traffic from Tsinghua University's border gateway in 2017-2018 and traffic generated by malicious samples collected in a sandbox show that the model detects the encrypted communication traffic of malware well.

6.
DNS is widely abused by Internet criminals in order to provide reliable communication within malicious network infrastructure as well as flexible and resilient hosting of malicious content. This paper presents a novel detection method that can be used for identifying potentially compromised clients based on DNS traffic analysis. The proposed method identifies suspicious agile DNS mappings, i.e., mappings characterized by fast-changing domain names and/or IP addresses, often used by malicious services. The approach discovers clients that have queried domains contained within identified suspicious domain-to-IP mappings, thus assisting in pinpointing potentially compromised clients within the network. The proposed approach targets compromised clients in large-scale operational networks. We have evaluated the proposed approach using an extensive set of DNS traffic traces from different operational ISP networks. The evaluation illustrates a great potential for accurately identifying suspicious domain-to-IP mappings and potentially compromised clients. Furthermore, the achieved performance indicates that the novel detection approach is promising in view of adoption in operational ISP networks. Finally, the proposed approach targets both Fast-flux and Domain-flux, thus having an advantage over existing detection methods that identify compromised clients.

7.
Class imbalance has become a big problem that leads to inaccurate traffic classification. Accurate classification of traffic flows helps us in security monitoring, IP management, intrusion detection, etc. To address the traffic classification problem, machine learning (ML) approaches are widely used in the literature. Therefore, in this paper, we also propose an ML-based hybrid feature selection algorithm named WMI_AUC that makes use of two metrics: the weighted mutual information (WMI) metric and the area under the ROC curve (AUC). These metrics select effective features from a traffic flow. However, in order to select robust features from the selected features, we propose a robust feature selection algorithm. The proposed approach increases the accuracy of ML classifiers and helps in detecting malicious traffic. We evaluate our work using 11 well-known ML classifiers on trace datasets from different network environments. Experimental results show that our algorithms achieve more than 95% flow accuracy.

8.
Analysis of Network Security Monitoring Data for April 2011
Based on CNCERT monitoring results, in April 2011 the number of defaced web pages and the numbers of trojan- and botnet-controlled hosts within China declined slightly compared with March. Among them, the number of defaced government websites fell sharply, while the number of overseas hosts controlled by trojans and botnets rose markedly.

9.
Based on CNCERT monitoring results, in March 2011 the numbers of botnet-controlled and trojan-controlled hosts within China grew sharply compared with February, while the number of defaced web pages fell markedly. In terms of malicious code activity, hosts at about 1.538 million IP addresses in mainland China were controlled by trojans, up 134 from February; hosts at about 257,000 IP addresses in mainland China were controlled by bot programs, up 343 from February. In terms of website security, 3,280 websites in mainland China were defaced in March, down 32 from February, of which 318 were government websites, up 10% from 288 in February.

10.
Analysis of Network Security Monitoring Data for February 2011
Based on CNCERT monitoring results, in February 2011 the number of botnet-controlled hosts within China declined somewhat, while the numbers of trojan-controlled hosts and defaced web pages within China grew slightly. (1) In terms of malicious code activity, hosts at about 660,000 IP addresses in mainland China were controlled by trojans, up 25 from January 2010; hosts at about 58,000 IP addresses in mainland China were controlled by bot programs, down 60 from January. (2) In terms of website security, 4,796 websites in mainland China were defaced, down 14 from January, of which 288 were government websites, down 15 from 337 in January.

11.
Based on CNCERT monitoring results, in May 2011 the numbers of botnet-controlled and trojan-controlled hosts within China fell sharply compared with April, and the number of defaced web pages fell. In terms of malicious code activity, hosts at about 400,000 IP addresses in mainland China were controlled by trojans or bot programs, down 75% from April. In terms of website security, 3,358 websites in mainland China were defaced in May, up 5% from April, of which 212 were government websites, down 7% from April.

12.
Ji Yuchun, 《信息网络安全》 (Netinfo Security), 2011, (8): 97+99-97,99
In June 2011 the numbers of botnet-controlled and trojan-controlled hosts within China declined slightly compared with May, and the number of defaced web pages fell. In terms of malicious code activity, hosts at about 380,000 IP addresses in mainland China were controlled by trojans or bot programs, down 6% from May. In terms of website security, 3,164 websites in mainland China were defaced in June, down 6% from May, of which 333 were government websites, up 57% from May.

13.
Based on CNCERT monitoring results, in January 2011 the number of botnet-controlled hosts within China grew slightly, while the numbers of trojan-controlled hosts and defaced web pages within China declined somewhat. In terms of malicious code activity, hosts at about 460,000 IP addresses in mainland China were controlled by trojans, down 51% from December 2010 [1]; hosts at about 140,000 IP addresses in mainland China were controlled by bot programs, up 1% from the previous month. In terms of website security, 5,596 websites in mainland China were defaced, down 5% from the previous month, of which 337 were government websites, down 38% from 544 in the previous month, and their share of defaced mainland websites fell from 9.23% to 6.02%.

14.
The class imbalance present in public datasets for malicious encrypted traffic identification seriously degrades the performance of malicious traffic prediction. This paper proposes using the generator and discriminator of a deep generative adversarial network (DGAN) to simulate the real dataset, generate and expand the small-sample data, and form a balanced dataset. In addition, to address problems such as the drop in classification accuracy caused by the reliance of traditional machine learning methods on manual feature extraction, a malicious traffic identification model combining a bidirectional gated recurrent unit (BiGRU) with an attention mechanism is proposed, in which the deep learning algorithm automatically obtains the important feature vectors of the dataset at different time steps to identify malicious traffic. Experiments show that, compared with commonly used malicious traffic identification algorithms, the model improves precision, recall, F1 and other metrics and effectively identifies malicious encrypted traffic.

15.
With the rapid development of wireless communication and computer network technology, fast and effective Internet access from mobile handheld devices has become an urgent need for a broad user base, making it necessary to understand and analyse the behaviour patterns of wireless users. Data from users accessing the Internet over 3G within one cell were recorded and processed, and on that basis the relationships among the data were estimated, yielding the underlying relationship among traffic volume, number of IP addresses and number of users as they change over time, and further an activity index reflecting the behavioural habits of wireless Internet users. The results provide a data basis for improving the performance of the wireless Internet and for sound decision-making by wireless network service providers, and are of significant commercial value.

16.
Malicious code monitoring technology in high-speed network environments is an important means of dynamically monitoring and responding to computer viruses and network attack events, an important measure for effectively preventing the spread of computer viruses and promptly detecting the early signs of major network attacks, and it further strengthens the overall defensive capability of China's Internet information security. Through malicious code monitoring in high-speed networks, the spread of network viruses in each region of China can be tracked, and accurate virus epidemic information can be provided to the authorities responsible for information security. The main techniques in the development process include zero-copy packet capture; a multi-threaded TCP/IP protocol stack to improve overall system performance; and detection of unknown malicious code based on high-volume traffic.

17.
This work introduces metaheuristic approaches for designing resilient and cost-effective multiprotocol label switching (MPLS) networks, a technology that is gaining prominent importance since most of the global data traffic is Internet traffic, and most internet protocol (IP) traffic within service provider backbones is being supported upon the IP/MPLS technology. Our approach is innovative because it integrates an overlay network design problem with the effective usage of traffic-engineering features of this technology. Due to the resulting complexity and a high level of technological detail, we decided to use metaheuristics to find solutions to prospective scenarios for two real-world applications. The best results were achieved using evolutionary algorithms and GRASP (Greedy Randomized Adaptive Search Procedure). The relative improvements for some of these scenarios are outstanding and reveal how using the protection mechanisms provided by newer technologies may advance efficiency standards more than legacy protection schemas.

18.
In today's era of information explosion and rapid network development, network attacks and threats are increasing daily, and malicious traffic identification plays a very important role in network security. Deep learning has shown superior performance in image processing and natural language processing, so many studies have applied it to traffic classification. When applying deep learning to traffic identification, some studies truncate or zero-pad the raw traffic data; truncation easily causes partial loss of traffic information, while zero-padding easily introduces information that is useless for model training. To address this problem, this paper proposes an Indefinite Length Convolutional Neural Network (ILCNN) for malicious traffic classification. The model takes indefinite-length input, uses raw traffic data that is neither truncated nor zero-padded, and uses a pooling operation to convert the indefinite-length feature vector into a fixed-length feature vector, ultimately achieving malicious traffic classification. Experimental results on the CICIDS-2017 dataset show that the ILCNN model reaches a classification F1-Score of 0.999208. Compared with existing malicious traffic classification work, the proposed ILCNN improves both F1-Score and accuracy.

19.
Analysis of Network Security Monitoring Data for December 2010
Based on CNCERT monitoring results, in December 2010 the numbers of trojan-controlled hosts, bot-controlled hosts and defaced web pages within China all grew to varying degrees. The main indicators of the security status of the national public Internet were as follows: 1) in terms of malicious code activity, hosts at about 940,000 IP addresses in mainland China were controlled by trojans, with infections by the same types of trojans up 33% from the previous month; hosts at about 140,000 IP addresses in mainland China were controlled by bot programs, with infections by the same types of bot programs up 1148% from the previous month (note: CNCERT expanded the scope of bot program monitoring); 2) in terms of website security, 5,897 websites in mainland China were defaced in December, up 37% from the previous month, of which 544 were government websites, up 64% from 331 in the previous month, and their share of defaced mainland websites rose from 7.67% to 9.23%.

20.
Detection of abnormal internet traffic has become a significant area of research in network security. Due to its importance, many predictive models are designed by utilizing machine learning algorithms. The models are well designed to show high performances in detecting abnormal internet traffic behaviors. However, they may not guarantee reliable detection performances for new incoming abnormal internet traffic because they are designed using raw features from imbalanced internet traffic data. Since internet traffic is non-stationary time-series data, it is difficult to identify abnormal internet traffic with the raw features. In this study, we propose a new approach to detecting abnormal internet traffic. Our approach begins with extracting hidden, but important, features by utilizing discrete wavelet transformation. Then, statistical analysis is performed to filter out irrelevant and less important features. Only statistically significant features are used to design a reliable predictive model with logistic regression. A comparative analysis is conducted to determine the importance of our approach by measuring accuracy, sensitivity, and the Area Under the receiver operating characteristic Curve. From the analysis, we found that our model detects abnormal internet traffic successfully with high accuracy.
