
Journal articles on the topic 'Encrypted Traffic Inspection'


1

Jia, Xi, and Meng Zhang. "Encrypted Packet Inspection Based on Oblivious Transfer." Security and Communication Networks 2022 (August 24, 2022): 1–13. http://dx.doi.org/10.1155/2022/4743078.

Abstract:
Deep packet inspection (DPI) is widely used in detecting abnormal traffic and suspicious activities in networks. With the growing popularity of HTTPS (Hypertext Transfer Protocol over SSL/TLS), inspecting encrypted traffic is necessary. The traditional decrypt-then-re-encrypt method has the drawback of privacy leakage: decrypting encrypted packets for inspection violates the confidentiality goal of HTTPS. People are now faced with a dilemma, choosing between the middlebox's ability to perform detection functions and protecting the privacy of their communications. We propose OTEPI, a system that simultaneously provides both of those properties. The approach of OTEPI is to perform deep packet inspection directly on the encrypted traffic. Unlike machine and deep learning methods that can only classify traffic, OTEPI is able to accurately identify which detection rule was matched by the encrypted packet, which allows network managers to manage their networks at a finer granularity. OTEPI achieves this through a new protocol and new encryption schemes. Compared with previous works, our approach achieves rule encryption with oblivious transfer (OT), which allows our work to achieve a better balance between communication traffic consumption and computational resource consumption. Our design of oblivious transfer and the use of natural language processing tools make OTEPI outstanding in terms of computational consumption.
2

Nagwani, Karan. "AI-Powered Dynamic Web Filtering for Encrypted Traffic." International Journal of Scientific Research in Engineering and Management 9, no. 4 (2025): 1–9. https://doi.org/10.55041/ijsrem46497.

Abstract:
The exponential growth of encrypted web traffic through SSL/TLS protocols poses new challenges for traditional web filtering systems. Conventional methods like blacklist filtering, keyword blocking, and static content analysis are increasingly ineffective against encrypted traffic. This research paper proposes an AI-powered dynamic web filtering framework for encrypted traffic, leveraging machine learning, behavioral analysis, and traffic metadata inspection to identify harmful or inappropriate content while preserving user privacy. Previous research in traditional filtering techniques and modern solutions is referenced to support the proposed methodology.
Keywords: AI web filtering, encrypted traffic, SSL/TLS inspection, machine learning, privacy-preserving filtering, cybersecurity.
3

Huang, Yung-Fa, Chuan-Bi Lin, Chien-Min Chung, and Ching-Mu Chen. "Research on QoS Classification of Network Encrypted Traffic Behavior Based on Machine Learning." Electronics 10, no. 12 (2021): 1376. http://dx.doi.org/10.3390/electronics10121376.

Abstract:
In recent years, privacy awareness has grown as many Internet services have chosen to use encrypted protocols. In order to improve quality of service (QoS), this paper discusses classifying encrypted network traffic behaviors based on machine learning. Traditional traffic classification methods, such as IP/ASN (Autonomous System Number) analysis, port-based classification and deep packet inspection, can classify traffic behavior but cannot effectively handle encrypted traffic. Thus, this paper proposes a hybrid traffic classification (HTC) method based on machine learning, combined with IP/ASN analysis and deep packet inspection. Moreover, the majority voting method is also used to quickly and accurately classify different QoS traffic. Experimental results show that the proposed HTC method can effectively classify different encrypted traffic. The classification accuracy can be further improved by 10% with majority voting at K = 13. Especially when the networking data use the same protocol, the proposed HTC can effectively classify traffic data with different behaviors using the differentiated services code point (DSCP) mark.
4

Alwhbi, Ibrahim A., Cliff C. Zou, and Reem N. Alharbi. "Encrypted Network Traffic Analysis and Classification Utilizing Machine Learning." Sensors 24, no. 11 (2024): 3509. http://dx.doi.org/10.3390/s24113509.

Abstract:
Encryption is a fundamental security measure to safeguard data during transmission to ensure confidentiality while at the same time posing a great challenge for traditional packet and traffic inspection. In response to the proliferation of diverse network traffic patterns from Internet-of-Things devices, websites, and mobile applications, understanding and classifying encrypted traffic are crucial for network administrators, cybersecurity professionals, and policy enforcement entities. This paper presents a comprehensive survey of recent advancements in machine-learning-driven encrypted traffic analysis and classification. The primary goals of our survey are two-fold: First, we present the overall procedure and provide a detailed explanation of utilizing machine learning in analyzing and classifying encrypted network traffic. Second, we review state-of-the-art techniques and methodologies in traffic analysis. Our aim is to provide insights into current practices and future directions in encrypted traffic analysis and classification, especially machine-learning-based analysis.
5

Papadogiannaki, Eva, and Sotiris Ioannidis. "A Survey on Encrypted Network Traffic Analysis Applications, Techniques, and Countermeasures." ACM Computing Surveys 54, no. 6 (2021): 1–35. http://dx.doi.org/10.1145/3457904.

Abstract:
The adoption of network traffic encryption is continually growing. Popular applications use encryption protocols to secure communications and protect the privacy of users. In addition, a large portion of malware is spread through the network traffic taking advantage of encryption protocols to hide its presence and activity. Entering into the era of completely encrypted communications over the Internet, we must rapidly start reviewing the state-of-the-art in the wide domain of network traffic analysis and inspection, to conclude if traditional traffic processing systems will be able to seamlessly adapt to the upcoming full adoption of network encryption. In this survey, we examine the literature that deals with network traffic analysis and inspection after the ascent of encryption in communication channels. We notice that the research community has already started proposing solutions on how to perform inspection even when the network traffic is encrypted and we demonstrate and review these works. In addition, we present the techniques and methods that these works use and their limitations. Finally, we examine the countermeasures that have been proposed in the literature in order to circumvent traffic analysis techniques that aim to harm user privacy.
8

Oh, Chaeyeon, Joonseo Ha, and Heejun Roh. "A Survey on TLS-Encrypted Malware Network Traffic Analysis Applicable to Security Operations Centers." Applied Sciences 12, no. 1 (2021): 155. http://dx.doi.org/10.3390/app12010155.

Abstract:
Recently, most security operations centers (SOCs) have faced a critical issue in network traffic analysis (NTA): the increased adoption of transport layer security (TLS) encryption on the Internet. To this end, in this survey article we present existing research on NTA and related areas, primarily focusing on TLS-encrypted traffic, to detect and classify malicious traffic, with deployment scenarios for SOCs. Security experts in SOCs and researchers in academia can obtain useful information from our survey, as its main focus is NTA methods applicable to malware detection and family classification. In particular, we discuss the pros and cons of three main deployment models for encrypted NTA: TLS interception, inspection using cryptographic functions, and passive inspection without decryption. In addition, we discuss the state-of-the-art methods in TLS-encrypted NTA for each component of the machine learning pipeline typically used in those methods.
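Of the three deployment models the survey above contrasts, passive inspection without decryption is the one a SOC can stand up without touching endpoints or keys. The block below is an added example, not code from the paper, of what that model actually gets to see: it parses the TLS ClientHello (the one handshake message a passive sensor can read in full even on TLS 1.3), pulls out the SNI, offered cipher suites, extensions and groups, and builds the JA3 fingerprint string (version, ciphers, extensions, groups, point formats, decimal, dash-joined, with GREASE values dropped). The ClientHello bytes are constructed inline by a small builder so the block runs offline; the SNI, cipher list and extension set are made up for the demo and the builder's empty-bodied extensions are only sufficient for fingerprinting, not for a real handshake.

```python
import hashlib
import struct


def is_grease(v: int) -> bool:
    """GREASE values (RFC 8701) are random placeholders and must not enter a fingerprint."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack("!H", buf[off:off + 2])[0]


def _dash(values) -> str:
    return "-".join(str(v) for v in values if not is_grease(v))


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello and return the SNI, the offered
    parameters and the JA3 string plus its MD5. Raises ValueError on anything else."""
    if len(record) < 5 or record[0] != 0x16:            # content type 22: handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) < 4 or body[0] != 0x01:                 # handshake type 1: ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ClientHello")

    version = _u16(hs, 0)
    off = 2 + 32                                         # legacy_version + random
    off += 1 + hs[off]                                   # legacy_session_id
    cs_len = _u16(hs, off)
    off += 2
    ciphers = [_u16(hs, i) for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + hs[off]                                   # compression_methods

    ext_types, sni, groups, point_formats = [], None, [], []
    if off + 2 <= len(hs):                               # extensions block is optional
        end = off + 2 + _u16(hs, off)
        off += 2
        while off + 4 <= end:
            et, el = struct.unpack("!HH", hs[off:off + 4])
            off += 4
            data = hs[off:off + el]
            off += el
            ext_types.append(et)
            if et == 0:                                  # server_name: list len(2), type(1), len(2), name
                sni = data[5:5 + _u16(data, 3)].decode("ascii")
            elif et == 10:                               # supported_groups
                groups = [_u16(data, i) for i in range(2, 2 + _u16(data, 0), 2)]
            elif et == 11:                               # ec_point_formats
                point_formats = list(data[1:1 + data[0]])

    ja3 = ",".join([str(version), _dash(ciphers), _dash(ext_types),
                    _dash(groups), "-".join(str(p) for p in point_formats)])
    return {
        "version": version,
        "sni": sni,
        "ciphers": [c for c in ciphers if not is_grease(c)],
        "extensions": [e for e in ext_types if not is_grease(e)],
        "ja3": ja3,
        "ja3_md5": hashlib.md5(ja3.encode()).hexdigest(),
    }


# --- constructed sample input (not a real capture) --------------------------
def build_client_hello(sni, ciphers, groups, point_formats, extra_ext_types=()):
    """Assemble a minimal TLS-framed ClientHello so the parser can run offline."""
    def ext(t, data):
        return struct.pack("!HH", t, len(data)) + data
    name = sni.encode("ascii")
    exts = ext(0, struct.pack("!H", len(name) + 3) + b"\x00" + struct.pack("!H", len(name)) + name)
    exts += ext(10, struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups))
    exts += ext(11, bytes([len(point_formats)]) + bytes(point_formats))
    exts += b"".join(ext(t, b"") for t in extra_ext_types)     # empty bodies: enough for fingerprinting
    hs_body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"              # version, fixed random, empty session id
               + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
               + b"\x01\x00"                                     # one compression method: null
               + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sample_client_hello() -> bytes:
    # GREASE cipher 0x1a1a and GREASE extension 0x2a2a are included on purpose.
    return build_client_hello("example.com",
                              ciphers=[0x1A1A, 0x1301, 0x1302, 0xC02B],
                              groups=[0x001D, 0x0017], point_formats=[0],
                              extra_ext_types=[0x2A2A, 23, 65281])


if __name__ == "__main__":
    info = parse_client_hello(sample_client_hello())
    print(info["sni"], info["ja3"], info["ja3_md5"])
```

Everything the parser returns is available to a sensor that never sees a key, which is both the strength and the limit of this model: the SNI and fingerprint are unauthenticated client-chosen values, Encrypted ClientHello removes the SNI, and a client can pick any cipher order it likes, so these fields feed classifiers and threat-intel lookups rather than serving as proof of anything.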
9

Farooq, Irfan, Syed Aale Ahmed, Asfar Ali, Muhammad Ali Warraich, Muhammad Aqeel, and Hamayun Khan. "Enhanced Classification of Networks Encrypted Traffic: A Conceptual Analysis of Security Assessments, Implementation, Trends and Future Directions." Asian Bulletin of Big Data Management 4, no. 4 (2024): 500–522. https://doi.org/10.62019/abbdm.v4i4.287.

Abstract:
Encryption is a fundamental security measure to safeguard data during transmission and ensure confidentiality, while at the same time posing a great challenge for traditional packet and traffic inspection. With the widespread use of encrypted data transport, network traffic encryption is becoming a standard nowadays. This presents a challenge for traffic measurement, especially for analysis and anomaly detection methods that depend on the type of network traffic. In this paper, we survey existing approaches for the classification and analysis of encrypted traffic. In response to the proliferation of diverse network traffic patterns from IoT devices, websites, and mobile applications, understanding and classifying encrypted traffic are crucial for network administrators, cybersecurity professionals, and policy enforcement entities. This paper presents a comprehensive exploration of recent advancements in virtual private network (VPN) and machine-learning-driven encrypted security protocols, examining their critical role in modern networking and in the protection of sensitive data across untrusted networks, together with traffic analysis and classification. We present the overall procedure and provide a detailed explanation of utilizing machine learning in analyzing and classifying encrypted network traffic. VPN technologies have evolved over time, and today they are essential in ensuring secure communications for both personal and enterprise use. This study also delves into various VPN protocols such as PPTP, L2TP/IPsec, OpenVPN, IKEv2/IPsec, and the newer WireGuard, evaluating their security features, strengths, and weaknesses in different network environments, and reviews state-of-the-art techniques and methodologies in traffic analysis. Our aim is to provide insights into current practices and future directions in encrypted traffic analysis and classification, focusing on the integration of AI for enhanced VPN security and the adaptation of VPN protocols to a post-quantum world, especially machine-learning-based analysis.
10

Jiang, Ziyu. "Bidirectional Flow-Based Image Representation Method for Detecting Network Traffic Service Categories." Highlights in Science, Engineering and Technology 85 (March 13, 2024): 89–95. http://dx.doi.org/10.54097/mwyge502.

Abstract:
Network traffic identification is crucial for network resource management and improving service quality. Traditional methods, such as port-based and deep packet inspection approaches, face challenges due to the increasing complexity of network environments, privacy concerns, and the emergence of encrypted traffic. This paper aims to address the issues of low accuracy and slow operation speed in encrypted traffic classification while ensuring the protection of user privacy. We propose a data processing method that transforms network traffic into images representing bidirectional flow packet arrival timestamps and packet sizes. By employing this data processing approach and utilizing deep recognition algorithms, the study conducts service analysis on network traffic. Experimental results demonstrate that the bidirectional flow-based image representation method achieves a 90.9% accuracy rate for the traffic analysis task on a Tor-encrypted imbalanced dataset, surpassing the accuracy of the unidirectional flow image method. Furthermore, the method also shows improvements in operation speed, enabling online network traffic detection.
11

Papadogiannaki, Eva, and Sotiris Ioannidis. "Acceleration of Intrusion Detection in Encrypted Network Traffic Using Heterogeneous Hardware." Sensors 21, no. 4 (2021): 1140. http://dx.doi.org/10.3390/s21041140.

Abstract:
More than 75% of Internet traffic is now encrypted, and this percentage is constantly increasing. The majority of communications are secured using common encryption protocols such as SSL/TLS and IPsec to ensure security and protect the privacy of Internet users. However, encryption can be exploited to hide malicious activities, camouflaged into normal network traffic. Traditionally, network traffic inspection is based on techniques like deep packet inspection (DPI). Common applications for DPI include but are not limited to firewalls, intrusion detection and prevention systems, L7 filtering, and packet forwarding. With the widespread adoption of network encryption though, DPI tools that rely on packet payload content are becoming less effective, demanding the development of more sophisticated techniques in order to adapt to current network encryption trends. In this work, we present HeaderHunter, a fast signature-based intrusion detection system even for encrypted network traffic. We generate signatures using only network packet metadata extracted from packet headers. In addition, we examine the processing acceleration of the intrusion detection engine using different heterogeneous hardware architectures.
12

Geetharani, K., K. Kowsalya, A. M. SenthilKumar, M. S. Vijaykumar, and M. Saravanakumar. "Defensing Confidentiality During Complete Packet Inspection On A Middlebox." International Journal of Trend in Scientific Research and Development 2, no. 3 (2018): 82–84. https://doi.org/10.31142/ijtsrd10725.

Abstract:
On the Internet, HTTPS encrypts traffic to provide secure and private data communication between clients and servers. Network operators often deploy middleboxes to perform deep packet inspection (DPI) to detect attacks, using techniques ranging from simple keyword matching to more advanced machine learning and data mining analysis. But this approach cannot protect users' private information from a service provider who deploys middleboxes. SPABox is a middlebox-based system that supports both keyword-based and data-analysis-based DPI functions over encrypted traffic. SPABox preserves privacy by using a novel protocol with a limited connection setup overhead. In this paper, to further improve performance, we work on the network performance requirements.
PDF: https://www.ijtsrd.com/papers/ijtsrd10725.pdf
13

Misra, Udit. "TLENVOY - A Tool for TLS Termination and Inspection." Eastasouth Journal of Information System and Computer Science 2, no. 03 (2025): 200–204. https://doi.org/10.58812/esiscs.v2i03.489.

Abstract:
With the increasing adoption of encrypted communication over the Internet, ensuring the security of network traffic has become crucial. Transport Layer Security (TLS) is now widely used to secure data in transit, but at the same time it poses challenges for network administrators who need to inspect traffic for malicious content or policy violations. This paper explores the use of Envoy, an open-source edge and service proxy, as a forward proxy to inspect TLS traffic. By leveraging Envoy's capabilities, organizations can maintain a secure environment for all nodes behind the proxy. We discuss the architecture, implementation, security considerations, and potential challenges of using Envoy for TLS inspection. The paper concludes with recommendations for deploying such a system in a secure and efficient manner.
14

Ndichu, Samuel, Sylvester McOyowo, Henry Okoyo, and Cyrus Wekesa. "Detecting Remote Access Network Attacks Using Supervised Machine Learning Methods." International Journal of Computer Network and Information Security 15, no. 2 (2023): 48–61. http://dx.doi.org/10.5815/ijcnis.2023.02.04.

Abstract:
Remote access technologies encrypt data to enforce policies and ensure protection. Attackers leverage such techniques to launch carefully crafted evasion attacks, introducing malware and other unwanted traffic to the internal network. Traditional security controls such as anti-virus software, firewalls, and intrusion detection systems (IDS) decrypt network traffic and employ signature- and heuristic-based approaches for malware inspection. In the past, machine learning (ML) approaches have been proposed for specific malware detection and traffic type characterization. However, decryption introduces computational overheads and dilutes the privacy goal of encryption. The ML approaches employ limited features and are not objectively developed for remote access security. This paper presents a novel ML-based approach to encrypted remote access attack detection using a weighted random forest (W-RF) algorithm. Key features are determined using feature importance scores. Class weighting is used to address the imbalanced data distribution problem common in remote access network traffic, where attacks comprise only a small proportion of network traffic. Results obtained during the evaluation of the approach on benign virtual private network (VPN) and attack network traffic datasets, which comprise verified normal hosts and common attacks in real-world network traffic, are presented. With recall and precision of 100%, the approach demonstrates effective performance. The results for k-fold cross-validation and receiver operating characteristic (ROC) mean area under the curve (AUC) demonstrate that the approach effectively detects attacks in encrypted remote access network traffic, successfully averting attackers and network intrusions.
15

Sancho, Jorge, José García, and Álvaro Alesanco. "Oblivious Inspection: On the Confrontation between System Security and Data Privacy at Domain Boundaries." Security and Communication Networks 2020 (September 22, 2020): 1–9. http://dx.doi.org/10.1155/2020/8856379.

Abstract:
In this work, we introduce the system boundary security vs. privacy dilemma, where border devices (e.g., firewall devices) require unencrypted data inspection to prevent data exfiltration or unauthorized data accesses, but unencrypted data inspection violates data privacy. To shortcut this problem, we present Oblivious Inspection, a novel approach based on garbled circuits to perform a stateful, application-aware inspection of encrypted network traffic in a privacy-preserving way. We also showcase an inspection algorithm for Fast Healthcare Interoperability Resources (FHIR) standard-compliant packets along with its performance results. The results point out the importance of the inspection function being aligned with the underlying garbled circuit protocol. In this line, the mandatory encryption algorithms for TLS 1.3 have been analysed, observing that packets encrypted using ChaCha20 can be filtered up to 17 and 25 times faster compared with AES128-GCM and AES256-GCM, respectively. All together, this approach penalizes performance to align system security and data privacy, but it could be appropriate for those scenarios where this performance degradation can be justified by the sensitivity of the involved data, such as healthcare scenarios.
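OTEPI (entry 1), SPABox (entry 12) and Oblivious Inspection above all answer the same question: how does a middlebox match a rule against traffic it cannot decrypt? The block below is an added example, not code from any of these papers, of the token-matching core such designs share, in a simplified BlindBox-style form: the endpoint emits a keyed PRF (HMAC-SHA256) of every 8-byte window of its plaintext alongside the ciphertext, the rule side publishes the same PRF of each window of its keyword, and the middlebox reports a hit only when the rule's tokens appear at consecutive positions in the stream, while never holding the session key or the plaintext. The one step this simplification gets for free, encrypting the rule under the session key, is exactly the step the three papers replace with oblivious transfer or garbled circuits so that the rule generator never learns the key and the endpoint never learns the rules; here a helper that knows the key stands in for that protocol and is labelled as such. The session key, rule keywords and HTTP payloads are constructed for the demo.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

WINDOW = 8  # token width in bytes; every rule keyword must be at least this long


def tokens(data: bytes) -> List[bytes]:
    """All sliding WINDOW-byte windows of data, in stream order."""
    return [data[i:i + WINDOW] for i in range(len(data) - WINDOW + 1)]


def prf(key: bytes, token: bytes) -> bytes:
    """Deterministic keyed token encryption: equal tokens under one key collide on purpose,
    so the middlebox can compare them; under another key they are unrelated."""
    return hmac.new(key, token, hashlib.sha256).digest()[:16]


# --- endpoint side ----------------------------------------------------------
def encrypt_tokens(session_key: bytes, plaintext: bytes) -> List[bytes]:
    """What the client sends to the middlebox next to the (untouched) record ciphertext."""
    return [prf(session_key, t) for t in tokens(plaintext)]


# --- rule side --------------------------------------------------------------
def encrypt_rule(session_key: bytes, keyword: bytes) -> List[bytes]:
    """Stand-in for the OT / garbled-circuit rule-encryption step of the papers above:
    there the rule generator obtains these values without learning session_key and the
    endpoint never learns keyword. In this demo the key is simply used directly."""
    if len(keyword) < WINDOW:
        raise ValueError("keyword shorter than the token window cannot be matched")
    return [prf(session_key, t) for t in tokens(keyword)]


# --- middlebox side (holds encrypted rules only, never the key) --------------
def inspect(stream: List[bytes], rules: Dict[str, List[bytes]]) -> List[Tuple[str, int]]:
    """Return (rule_name, offset) for each rule whose encrypted tokens occur at
    consecutive stream positions, i.e. the keyword appeared contiguously in the plaintext."""
    positions: Dict[bytes, List[int]] = {}
    for i, tok in enumerate(stream):
        positions.setdefault(tok, []).append(i)
    hits = []
    for name, enc_kw in rules.items():
        for start in positions.get(enc_kw[0], []):
            if stream[start:start + len(enc_kw)] == enc_kw:
                hits.append((name, start))
    return hits


# --- constructed demo data ---------------------------------------------------
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # would be derived in the TLS handshake
RULES = {
    "lfi-etc-passwd": b"/etc/passwd",
    "win-cmd-shell": b"cmd.exe /c",
}


def run_demo(session_key: bytes = SESSION_KEY) -> Dict[str, List[Tuple[str, int]]]:
    enc_rules = {name: encrypt_rule(session_key, kw) for name, kw in RULES.items()}
    payloads = {
        "attack": b"GET /cgi-bin/test.cgi?file=/etc/passwd HTTP/1.1",
        "benign": b"GET /index.html HTTP/1.1",
    }
    return {label: inspect(encrypt_tokens(session_key, p), enc_rules)
            for label, p in payloads.items()}


if __name__ == "__main__":
    print(run_demo())
```

Two properties are worth checking against your own threat model before building on this pattern: the middlebox learns which rule fired and at which offset (the same leakage OTEPI accepts deliberately, since identifying the matched rule is its goal), and the deterministic tokens let the middlebox tell when two streams under the same key carry the same 8-byte windows, which is why the real schemes bind the key to one session and why the rule-encryption step must not hand that key to the rule generator.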
17

Iliyasu, Auwal Sani, Ibrahim Abba, Badariyya Sani Iliyasu, and Abubakar Sadiq Muhammad. "A Review of Deep Learning Techniques for Encrypted Traffic Classification." Computational Intelligence and Machine Learning 3, no. 2 (2022): 15–21. http://dx.doi.org/10.36647/ciml/03.02.a003.

Abstract:
Network traffic classification is significant for tasks such as quality of service (QoS) provisioning, resource usage planning, and pricing, as well as in the context of security, such as in intrusion detection systems. The field has received considerable attention in industry as well as research communities, where approaches such as port-based classification, deep packet inspection (DPI), and classical machine learning techniques were thoroughly studied. However, the emergence of new applications and encryption protocols as a result of the continuous transformation of the Internet has led to the rise of new challenges. Recently, researchers have employed deep learning techniques in the domain of network traffic classification in order to leverage the inherent advantages offered by deep learning models, such as the ability to capture complex patterns as well as automatic feature learning. This paper reviews deep-learning-based encrypted traffic classification techniques and highlights the current research gaps in the literature.
Index Terms: traffic classification, encrypted traffic, deep learning, machine learning.
18

Çelebi, Merve, and Uraz Yavanoğlu. "Accelerating Pattern Matching Using a Novel Multi-Pattern-Matching Algorithm on GPU." Applied Sciences 13, no. 14 (2023): 8104. http://dx.doi.org/10.3390/app13148104.

Abstract:
Nowadays, almost all network traffic is encrypted. Attackers hide themselves using this traffic and attack over encrypted channels. Inspections performed only on packet headers and metadata are insufficient for detecting cyberattacks over encrypted channels. Therefore, it is important to analyze packet contents in applications that require control over payloads, such as content filtering, intrusion detection systems (IDSs), data loss prevention systems (DLPs), and fraud detection. This technology, known as deep packet inspection (DPI), provides full control over the communication between two end stations by keenly analyzing the network traffic. This study proposes a multi-pattern-matching algorithm that reduces the memory space and time required in the DPI pattern matching compared to traditional automaton-based algorithms with its ability to process more than one packet payload character at once. The pattern-matching process in the DPI system created to evaluate the performance of the proposed algorithm (PA) is conducted on the graphics processing unit (GPU), which accelerates the processing of network packets with its parallel computing capability. This study compares the PA with the Aho-Corasick (AC) and Wu–Manber (WM) algorithms, which are widely used in the pattern-matching process, considering the memory space required and throughput obtained. Algorithm tables created with a dataset containing 500 patterns use 425 and 688 times less memory space than those of the AC and WM algorithms, respectively. In the pattern-matching process using these tables, the PA is 3.5 and 1.5 times more efficient than the AC and WM algorithms, respectively.
19

Alshammari, Riyad, and A. Nur Zincir-Heywood. "Can encrypted traffic be identified without port numbers, IP addresses and payload inspection?" Computer Networks 55, no. 6 (2011): 1326–50. http://dx.doi.org/10.1016/j.comnet.2010.12.002.

20

Ji, Il Hwan, Ju Hyeon Lee, Min Ji Kang, Woo Jin Park, Seung Ho Jeon, and Jung Taek Seo. "Artificial Intelligence-Based Anomaly Detection Technology over Encrypted Traffic: A Systematic Literature Review." Sensors 24, no. 3 (2024): 898. http://dx.doi.org/10.3390/s24030898.

Abstract:
As cyber-attacks increase in unencrypted communication environments such as the traditional Internet, protected communication channels based on cryptographic protocols, such as transport layer security (TLS), have been introduced to the Internet. Accordingly, attackers have been carrying out cyber-attacks by hiding themselves in protected communication channels. However, the nature of channels protected by cryptographic protocols makes it difficult to distinguish between normal and malicious network traffic behaviors. This means that traditional anomaly detection models, with features extracted from packets by deep packet inspection (DPI), have been neutralized. Recently, studies on anomaly detection using artificial intelligence (AI) and statistical characteristics of traffic have been proposed as an alternative. In this review, we provide a systematic review of AI-based anomaly detection techniques over encrypted traffic. We set several research questions on the review topic and collected research according to eligibility criteria. Through the screening process and quality assessment, 30 research articles were selected from the collected literature as highly suitable for inclusion in the review. We reviewed the selected research in terms of dataset, feature extraction, feature selection, preprocessing, anomaly detection algorithm, and performance indicators. As a result of the literature review, it was confirmed that a variety of techniques are used for AI-based anomaly detection over encrypted traffic. Some are similar to those used for AI-based anomaly detection over unencrypted traffic, but others differ from those used for unencrypted traffic.
21

Meghdouri, Fares, Tanja Zseby, and Félix Iglesias. "Analysis of Lightweight Feature Vectors for Attack Detection in Network Traffic." Applied Sciences 8, no. 11 (2018): 2196. http://dx.doi.org/10.3390/app8112196.

Full text
Abstract:
The consolidation of encryption and big data in network communications have made deep packet inspection no longer feasible in large networks. Early attack detection requires feature vectors which are easy to extract, process, and analyze, allowing their generation also from encrypted traffic. So far, experts have selected features based on their intuition, previous research, or acritically assuming standards, but there is no general agreement about the features to use for attack detection in a broad scope. We compared five lightweight feature sets that have been proposed in the scientific literature for the last few years, and evaluated them with supervised machine learning. For our experiments, we use the UNSW-NB15 dataset, recently published as a new benchmark for network security. Results showed three remarkable findings: (1) Analysis based on source behavior instead of classic flow profiles is more effective for attack detection; (2) meta-studies on past research can be used to establish satisfactory benchmarks; and (3) features based on packet length are clearly determinant for capturing malicious activity. Our research showed that vectors currently used for attack detection are oversized, their accuracy and speed can be improved, and are to be adapted for dealing with encrypted traffic.
22

YALDA, Khirota, Diyar Jamal HAMAD, and Nicolae TAPUS. "Network Traffic Prediction Performance Using LSTM." Romanian Journal of Information Science and Technology 27, no. 3-4 (2024): 336–47. http://dx.doi.org/10.59277/romjist.2024.3-4.07.

Abstract:
As networks expand to support various applications involving text, audio, video, and images, data traffic increases correspondingly. Traffic classification, which identifies the origin of observed traffic, has multiple applications, including dynamic bandwidth allocation, traffic analysis, quality of service, and network security. Traditional network traffic classification methods like deep packet inspection rely on manually creating and maintaining communication profiles for various applications. However, these methods face challenges such as dynamic port changes and encrypted traffic. Machine Learning (ML) classifiers offer effective solutions to these issues, providing accurate network traffic classification. Due to these advancements, deep learning models are now utilized for network traffic classification and prediction. Long Short-Term Memory (LSTM) has emerged as a highly effective deep learning technique for addressing time series prediction challenges. This study aims to analyze the performance of forecasting network traffic using LSTM, with different activation functions and optimizers with Mean Absolute Error (MAE), Mean Absolute Percentage Error (MAPE), Mean Squared Error (MSE), Root Mean Squared Error (RMSE) and Coefficient of Determination (R-Squared) parameters as the model evaluation index. This demonstrates how these parameters impact network traffic forecasting performance.
23

ФЕДЧУК, ТАРАС, and ТЕТЯНА КОРОБЕЙНІКОВА. "Hybrid Method for the Analysis and Identification of Malicious DoH Traffic." Herald of Khmelnytskyi National University. Technical sciences 341, no. 5 (2024): 438–47. https://doi.org/10.31891/2307-5732-2024-341-5-64.

Abstract:
This study addresses the challenges associated with detecting DNS over HTTPS (DoH) traffic, a relatively new protocol that has not been extensively researched. The detection methods discussed include TLS inspection, application logging, and open-source tools such as Zeek and RITA. TLS inspection, which involves decrypting and analyzing traffic, is the most intrusive and requires full control over the network and client configurations. Application logging, such as that available in Mozilla Firefox, necessitates administrative control over client systems, which may be impractical. Zeek analyzes network logs to identify domains accessed without regular DNS queries, while JA3 fingerprints and RITA focus on detecting malicious DoH traffic by analyzing TLS handshake parameters and beacon-like activities, respectively. Additionally, maintaining up-to-date blacklists of IP addresses and SNI values can help identify DoH traffic but faces scalability and evasion challenges. The study highlights that no current solution is entirely feasible, with many requiring excessive administrative overhead or failing to scale effectively. A hybrid approach using machine learning models and traffic analysis, as illustrated by the CIRA-CIC-DoHBrw-2020 dataset, is proposed for more effective detection of malicious DoH traffic. Within this approach, the architecture of a two-stage DoH traffic identification system is presented, consisting of three subsystems: traffic, training and evaluation, and identification. They operate sequentially, with the system's function being traffic identification, training, testing, and information processing within the DoH protocol. The next step is the process of cross-validation, which involves training a machine learning model K times, with each iteration using a different fold as the validation set, while the remaining folds serve as the training set.
The aim of this work: development and implementation of a DoH traffic identification system which, unlike existing solutions, is based on a hybrid approach to identifying malicious traffic using open tools for detecting encrypted DNS traffic and specialized machine learning models.
24

Hsu, Fu-Hau, Chih-Wen Ou, Yan-Ling Hwang, Ya-Ching Chang, and Po-Ching Lin. "Detecting Web-Based Botnets Using Bot Communication Traffic Features." Security and Communication Networks 2017 (2017): 1–11. http://dx.doi.org/10.1155/2017/5960307.

Abstract:
Web-based botnets are popular nowadays. A Web-based botnet is a botnet whose C&C server and bots use the HTTP protocol, the most universal and supported network protocol, to communicate with each other. Because the botnet communication can be hidden easily by attackers behind the relatively massive HTTP traffic, administrators of network equipment, such as routers and switches, cannot block such suspicious traffic directly regardless of costs. Based on the client constituents of a Web server and the characteristics of HTTP responses sent to clients from the server, this paper proposes a traffic inspection solution, called Web-based Botnet Detector (WBD). WBD is able to detect suspicious C&C (Command-and-Control) servers of HTTP botnets regardless of whether the botnet commands are encrypted or hidden in normal Web pages. More than 500 GB of real network traces collected from 11 backbone routers are used to evaluate our method. Experimental results show that the false positive rate of WBD is 0.42%.
25

Zain ul Abideen, Muhammad, Shahzad Saleem, and Madiha Ejaz. "VPN Traffic Detection in SSL-Protected Channel." Security and Communication Networks 2019 (October 29, 2019): 1–17. http://dx.doi.org/10.1155/2019/7924690.

Abstract:
In recent times, secure communication protocols over the web such as HTTPS (Hypertext Transfer Protocol Secure) are being widely used instead of plain web communication protocols like HTTP (Hypertext Transfer Protocol). HTTPS provides end-to-end encryption between the user and the service. Nowadays, organizations use network firewalls and/or intrusion detection and prevention systems (IDPS) to analyze the network traffic to detect and protect against attacks and vulnerabilities. Depending on the size of the organization, these devices may differ in their capabilities. Simple network intrusion detection systems (NIDS) and firewalls generally have no feature to inspect HTTPS or encrypted traffic, so they rely on unencrypted traffic to manage the encrypted payload of the network. Recent and powerful next-generation firewalls have a Secure Sockets Layer (SSL) inspection feature, which is expensive and may not be suitable for every organization. A virtual private network (VPN) is a service which hides real traffic by creating an SSL-protected channel between the user and the server. Every Internet activity is then performed under the established SSL tunnel. A user inside the network with malicious intent, or who wants to hide his activity from the network security administration of the organization, may use VPN services. Any VPN service may be used by users to bypass the filters or signatures applied on network security devices. These services may be the source of a new virus or worm injected inside the network or a gateway to facilitate information leakage. In this paper, we have proposed a novel approach to detect VPN activity inside the network. The proposed system analyzes the communication between the user and the server to analyze and extract features from the network, transport, and application layers which are not encrypted, and classifies the incoming traffic as malicious, i.e., VPN traffic, or standard traffic.
Network traffic is analyzed and classified using DNS (Domain Name System) packets and HTTPS- (Hypertext Transfer Protocol Secure-) based traffic. Once traffic is classified, the connection is analyzed based on the server's IP, the TCP port connected, the domain name, and the server name inside the HTTPS connection. This helps in verifying legitimate connections and flags the VPN-based traffic. We worked on the top five freely available VPN services and analyzed their traffic patterns; the results show successful detection of the VPN activity performed by the user. We analyzed the activity of five users, using some sort of VPN service in their Internet activity, inside the network. Out of a total of 729 connections made by different users, 329 connections were classified as legitimate activity, marking the 400 remaining connections as VPN-based connections. The proposed system is lightweight enough to keep minimal overhead, both in network and resource utilization, and requires no specialized hardware.
26

Gomez, Gibran, Platon Kotzias, Matteo Dell’Amico, Leyla Bilge, and Juan Caballero. "Unsupervised Detection and Clustering of Malicious TLS Flows." Security and Communication Networks 2023 (January 12, 2023): 1–17. http://dx.doi.org/10.1155/2023/3676692.

Abstract:
Malware abuses TLS to encrypt its malicious traffic, preventing examination by content signatures and deep packet inspection. Network detection of malicious TLS flows is important, but it is a challenging problem. Prior works have proposed supervised machine learning detectors using TLS features. However, by trying to represent all malicious traffic, supervised binary detectors produce models that are too loose, thus introducing errors. Furthermore, they do not distinguish flows generated by different malware. On the other hand, supervised multiclass detectors produce tighter models and can classify flows by the malware family but require family labels, which are not available for many samples. To address these limitations, this work proposes a novel unsupervised approach to detect and cluster malicious TLS flows. Our approach takes input network traces from sandboxes. It clusters similar TLS flows using 90 features that capture properties of the TLS client, TLS server, certificate, and encrypted payload and uses the clusters to build an unsupervised detector that can assign a malicious flow to the cluster it belongs to, or determine if it is benign. We evaluate our approach using 972K traces from a commercial sandbox and 35M TLS flows from a research network. Our clustering shows very high precision and recall with an F1 score of 0.993. We compare our unsupervised detector with two state-of-the-art approaches, showing that it outperforms both. The false detection rate of our detector is 0.032% measured over four months of traffic.
27

Amamra, Abdelfattah, and Vincent Terrelonge. "Multiple Kernel Transfer Learning for Enhancing Network Intrusion Detection in Encrypted and Heterogeneous Network Environments." Electronics 14, no. 1 (2024): 80. https://doi.org/10.3390/electronics14010080.

Abstract:
Conventional supervised machine learning is widely used for intrusion detection without packet payload inspection, showing good accuracy in detecting known attacks. However, these methods require large labeled datasets, which are scarce due to privacy concerns, and struggle with generalizing to real-world traffic and adapting to domain shifts. Additionally, they are ineffective against zero-day attacks and need frequent retraining, making them difficult to maintain in dynamic network environments. To overcome the limitations of traditional machine learning methods, we propose novel Deterministic (DetMKTL) and Stochastic Multiple-Kernel Transfer Learning (StoMKTL) algorithms that are based on transfer learning. These algorithms leverage multiple kernel functions to capture complex, non-linear relationships in network traffic, enhancing adaptability and accuracy while reducing dependence on large labeled datasets. The proposed algorithms demonstrated good accuracy, particularly in cross-domain evaluations, achieving accuracy rates exceeding 90%. This highlights the robustness of the models in handling diverse network environments and varying data distributions. Moreover, our models exhibited superior performance in detecting multiple types of cyber attacks, including zero-day threats. Specifically, the detection rates reached up to 87% for known attacks and approximately 75% for unseen attacks or their variants. This emphasizes the ability of our algorithms to generalize well to novel and evolving threat scenarios, which are often overlooked by traditional systems. Additionally, the proposed algorithms performed effectively in encrypted traffic analysis, achieving an accuracy of 86%. This result demonstrates the possibility of our models to identify malicious activities within encrypted communications without compromising data privacy.
28

Ponomarenko, Roman Evgenevich, Vladislav Igorevich Egorov, and Aleksandr Igorevich Getman. "Challenges in the implementation of systems for deep packet inspection by the method of full protocol decoding." Proceedings of the Institute for System Programming of the RAS 35, no. 4 (2023): 45–64. http://dx.doi.org/10.15514/ispras-2023-35(4)-2.

Abstract:
This paper presents a summary of experience in developing a deep packet inspection system using full protocol decoding. The paper reviews the challenges encountered during implementation and provides a high-level overview of the solutions to these issues. The challenges can be divided into two groups. The first group is related to the fundamental tasks which must be addressed when implementing full protocol decoding systems. This includes ensuring correct protocol parsing, which involves identifying and interpreting protocol headers and fields correctly. Moreover, it is necessary to ensure the processing of fragmented packets and the assembly of fragments into the original message. Additionally, the processing and analysis of encrypted traffic is a crucial task that may require the use of specialized algorithms and tools. The second group of problems is related to optimizing the process of full protocol decoding to ensure high-speed traffic processing, as well as supporting new protocols and the ability to add user-defined extensions. While there are open-source systems that address some of the primary issues associated with full protocol decoding, there may be a need for additional effort and specialized solutions to efficiently operate and expand the functionality of such systems. Although implementing deep network traffic analysis tools using full protocol decoding requires the use of advanced hardware and software technologies, the benefits of such analysis are significant. This approach provides a more complete understanding of network traffic patterns and enables more effective detection and prevention of cyber-attacks. It also allows for more accurate monitoring of network performance and the identification of potential bottlenecks or other issues that may impact network efficiency.
In this article, we also emphasize the importance of system architecture development and implementation to ensure the successful deployment of deep network traffic analysis tools using full protocol decoding. Finally, we conducted an experiment in which several advanced optimizations were implemented in a system that had already solved the primary issues. These optimizations related to working with memory, based on the features of the traffic processing scheme. From the results, we observed a significant performance improvement in solving the secondary tasks described in this work.
29

Tarek, Ayad H. Shaladi, Taher R. Nashnosh Mohamed, and Mahmoud Alkabir Mohamed. "Forest Tree AI-SDN Firewall: A Hierarchical Architecture for Adaptive Network Security." International Journal of Current Science Research and Review 08, no. 05 (2025): 2519–30. https://doi.org/10.5281/zenodo.15525898.

Abstract:
The rapid evolution of the digital environment prompts advanced network security solutions that are essential to defend against complex cyber threats. However, network security receives a promising boost from the combination of Software-Defined Networking (SDN) and Artificial Intelligence (AI), which enables real-time control and intelligent decision-making. Real-time management of network resources through SDN allows flexible control, while AI boosts the detection of anomalies in large datasets. In this paper we propose a Forest Tree AI-SDN Firewall, an innovative hierarchical framework that combines these two powerful technologies to provide adaptive network security solutions with scalable and resilient capabilities. The framework draws its design principles from SDN infrastructure based on three separate layers: the Root Layer, Trunk Layer and Canopy Layer. Real-time traffic filtering at the Root Layer uses lightweight edge sensors to achieve 98.2% accuracy, while its FPGA-accelerated TLS 1.3 inspection system handles 40 Gbps of data. The Trunk Layer uses reinforcement learning algorithms with a federated SDN control plane to achieve dynamic policy optimization with 12 ms response times. The Canopy Layer uses deep learning ensemble technology that combines CNN, LSTM and GNN architectures to detect zero-day threats effectively with 99.4% recall and 92% coverage of encrypted traffic analysis. The system achieves 99.2% threat detection precision during benchmark tests while generating 0.8% incorrect alerts and allowing policy updates at speeds 5.2 times faster than conventional security systems. The proposed system evaluates encrypted information, strengthens adversarial resistance together with cross-domain coordination, and achieves 38 Gbps/W energy efficiency.
30

Talabani, Hardi Sabah, Zrar Khalid Abdul, and Hardi Mohammed Mohammed Saleh. "DNS over HTTPS Tunneling Detection System Based on Selected Features via Ant Colony Optimization." Future Internet 17, no. 5 (2025): 211. https://doi.org/10.3390/fi17050211.

Abstract:
DNS over HTTPS (DoH) is an advanced version of the traditional DNS protocol that prevents eavesdropping and man-in-the-middle attacks by encrypting queries and responses. However, it introduces new challenges such as encrypted traffic communication, masking malicious activity, tunneling attacks, and complicating intrusion detection system (IDS) packet inspection. In contrast, unencrypted packets in the traditional Non-DoH version remain vulnerable to eavesdropping, privacy breaches, and spoofing. To address these challenges, an optimized dual-path feature selection approach is designed to select the most efficient packet features for binary class (DoH-Normal, DoH-Malicious) and multiclass (Non-DoH, DoH-Normal, DoH-Malicious) classification. Ant Colony Optimization (ACO) is integrated with machine learning algorithms such as XGBoost, K-Nearest Neighbors (KNN), Random Forest (RF), and Convolutional Neural Networks (CNNs) using CIRA-CIC-DoHBrw-2020 as the benchmark dataset. Experimental results show that the proposed model selects the most effective features for both scenarios, achieving the highest detection and outperforming previous studies in IDS. The highest accuracy obtained for binary and multiclass classifications was 0.9999 and 0.9955, respectively. The optimized feature set contributed significantly to reducing computational costs and processing time across all utilized classifiers. The results provide a robust, fast, and accurate solution to challenges associated with encrypted DNS packets.
31

Sudhanshu, Sekhar Tripathy, and Behera Bichitrananda. "EVALUATION OF FUTURE PERSPECTIVES ON SNORT AND WIRESHARK AS TOOLS AND TECHNIQUES FOR INTRUSION DETECTION SYSTEM." Industrial Engineering Journal 53, no. 10 (2024): 18–40. https://doi.org/10.5281/zenodo.14213834.

Abstract:
The increasing reliance on inter-organizational information exchange has raised significant concerns about the security of data and network infrastructures. Network monitoring plays a crucial role in mitigating these concerns, with tools like Wireshark and Snort forming the backbone of Intrusion Detection Systems (IDS). Initially developed as a packet inspection application, Wireshark is widely regarded for its user-friendly interface and intuitive packet-enhancement features, making it effective for classifying various types of network traffic. This research explores the practical application of Wireshark for network investigation, evaluating its role in conjunction with Snort to enhance IDS capabilities. The study examines potential improvements in these tools for heightened network security and their adaptability to emerging cyber threats. An experiment was conducted to assess the effectiveness of intrusion detection through real-time packet analysis, demonstrating the reliability of intrusive packet authentication within network environments. Wireshark was employed for real-time traffic inspection, capturing and analyzing packets, while Snort was used as the primary tool for detecting intrusions. The integration of Syslog and Snort facilitates the exchange of critical intrusion-related data, including packet counts, analysis of IPv4 packet conversations, and expert data on suspicious traffic. This study also focuses on the analysis of RSA-encrypted traffic and the evaluation of Local Area Networks (LAN) for signs of intrusion. Further, Wireshark's capabilities in monitoring and analyzing network activity were used to inspect TCP flags, generate I/O graphs for transmitted packet data, and produce TCP stream flow graphs for detecting intrusions. Additionally, the study includes TLS handshake analysis to identify abnormal or malicious network behavior. 
The use of ping requests from the attacker’s IP address to the victim’s IP address is highlighted as a method for detecting ongoing malicious activity. Through packet analysis, network traffic is classified as either malformed or well-formed, aiding in the identification of security breaches. Wireshark's in-depth packet inspection enables the detection of unauthorized access from both secure and insecure devices. This research not only explores Wireshark's utility in network intrusion detection but also evaluates emerging trends and challenges associated with IDS technologies. The findings contribute valuable insights for advancing future IDS research, particularly in adapting to the evolving landscape of network security threats. This technical evaluation highlights the importance of continuous development in tools like Wireshark and Snort to keep pace with the dynamic nature of cyberattacks, ensuring robust defense mechanisms for secure data transmission and network integrity.
32

HASANI, Anri, and Malvina NIKLEKAJ. "Security of VPNs in High-Surveillance Environments - A Comparative Study of VPN Alternatives." INGENIOUS 5, no. 1 (2025): 108–16. https://doi.org/10.58944/cwql3216.

Abstract:
Virtual Private Networks (VPNs) play a crucial role in ensuring secure communication over public networks. They are widely used for protecting online privacy, circumventing censorship, and enabling secure remote access to networks. However, despite their increasing adoption, VPNs face significant security vulnerabilities, misconfigurations, and performance-related challenges, particularly in high-surveillance environments. The growing sophistication of surveillance technologies, such as deep packet inspection (DPI) and metadata analysis has made it increasingly difficult for VPNs to provide true anonymity and confidentiality. This paper provides a comprehensive analysis of VPN security, examining traditional protocols such as IPSec and SSL/TLS, alongside newer alternatives like WireGuard and QUIC. While traditional VPNs offer robust encryption and authentication mechanisms, they are often susceptible to traffic fingerprinting and blocking by state-controlled ISPs or corporate firewalls. More modern VPN protocols, such as WireGuard, aim to address some of these issues by providing faster performance and improved cryptographic security, yet they too remain vulnerable to sophisticated detection techniques. Additionally, this study presents a comparative assessment of VPN alternatives, including OpenSSH tunneling and Radmin VPN, evaluating their security, performance, and practical usability. OpenSSH tunneling, for instance, leverages SSH protocols to create encrypted tunnels that are more difficult to detect compared to conventional VPNs. Radmin VPN, a peer-to-peer VPN solution, provides encrypted network connections without requiring a centralized VPN provider, making it an attractive option for users seeking an alternative networking solution. However, these approaches come with their own set of limitations, including usability challenges and reliance on specific network configurations. 
Our experimental analysis evaluates the effectiveness of these alternatives in mitigating surveillance threats and their resilience against DPI and traffic fingerprinting technologies. The findings emphasize the need for robust and adaptive tunneling solutions to enhance privacy and security in modern networks, ensuring reliable protection against sophisticated surveillance mechanisms. This research underscores the importance of combining multiple privacy-enhancing technologies and adapting networking strategies based on the evolving landscape of digital surveillance.
33

Veicht, Alexander, Cedric Renggli, and Diogo Barradas. "DeepSE-WF: Unified Security Estimation for Website Fingerprinting Defenses." Proceedings on Privacy Enhancing Technologies 2023, no. 2 (2023): 188–205. http://dx.doi.org/10.56553/popets-2023-0047.

Abstract:
Website fingerprinting (WF) attacks, usually conducted with the help of a machine learning-based classifier, enable a network eavesdropper to pinpoint which website a user is accessing through the inspection of traffic patterns. These attacks have been shown to succeed even when users browse the Internet through encrypted tunnels, e.g., through Tor or VPNs. To assess the security of new defenses against WF attacks, recent works have proposed feature-dependent theoretical frameworks that estimate the Bayes error of an adversary's feature set or the mutual information leaked by manually-crafted features. Unfortunately, as WF attacks increasingly rely on deep learning and latent feature spaces, our experiments show that security estimations based on simpler (and less informative) manually-crafted features can no longer be trusted to assess the potential success of a WF adversary in defeating such defenses. In this work, we propose DeepSE-WF, a novel WF security estimation framework that leverages specialized kNN-based estimators to produce Bayes error and mutual information estimates from learned latent feature spaces, thus bridging the gap between current WF attacks and security estimation methods. Our evaluation reveals that DeepSE-WF produces tighter security estimates than previous frameworks, reducing the required computational resources to output security estimations by one order of magnitude.
34

Researcher. "THE ROLE OF NEXT-GENERATION FIREWALLS IN MODERN NETWORK SECURITY: A COMPREHENSIVE ANALYSIS." International Journal of Advanced Research in Engineering and Technology (IJARET) 15, no. 4 (2024): 135–54. https://doi.org/10.5281/zenodo.13643404.

Abstract:
In the context of the modern world, where threats are increasing at a very high pace, conventional firewalls cannot secure networks. This article aims to describe Next-Generation Firewalls (NGFWs) and their importance in modern networks. NGFWs stand as a remarkable improvement over traditional firewalls, since their attributes include DPI, application awareness, integrated IPS, SSL/TLS inspection, awareness of user identity, and enhanced threat prevention. All these features help NGFWs against threats that a conventional firewall cannot identify or prevent, and are thus crucial in combating modern, sophisticated threats. The article also discusses some of the issues involved in NGFW deployment and management that are related to the complexity of deployment, the impact on performance, and how encrypted traffic is handled. In addition, the evolution of NGFWs is also discussed, with a focus on innovative features of NGFWs, including artificial intelligence and machine learning. The relationships between NGFWs and other security solutions, as well as their impact on regulatory compliance, are also examined. It is expected that as organizations transform and incorporate more cloud and hybrid setups, NGFWs will similarly become more crucial in their security plans. As exemplified in this analysis, NGFWs play a critical role in today's network security, and further challenges need to be addressed as networks evolve.
35

Sharma M, Prof Sahana. "Encrypted Flow Intelligence: A Literature Review of AI Models for Traffic-Based Threat Detection." INTERNATIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT 09, no. 05 (2025): 1–9. https://doi.org/10.55041/ijsrem47998.

Abstract:
The growth of encrypted online communication has strengthened user privacy but also introduced major obstacles for threat detection systems. Since intrusion detection traditionally relies heavily on inspecting readable data, these systems often fail when faced with encrypted traffic. To address this issue, recent studies have turned toward artificial intelligence, particularly approaches using machine and deep learning, which can infer suspicious behavior without decrypting data. This review consolidates findings from recent literature, evaluating model architectures, training techniques, and detection effectiveness. Emphasis is placed on models that can be deployed in real-world environments while maintaining performance and protecting data confidentiality.
Keywords: Systematic review; encrypted traffic; intrusion detection; deep learning; machine learning; network security.
36

Jo, Minwoo, Hayong Jeong, Binwon Song, and Heeseung Jo. "Encrypted Traffic Decryption Tools: Comparative Performance Analysis and Improvement Guidelines." Electronics 13, no. 14 (2024): 2876. http://dx.doi.org/10.3390/electronics13142876.

Abstract:
With the exponential growth of encrypted communication over the internet, research into systems capable of analyzing large volumes of encrypted traffic is essential. This study focuses on evaluating the performance of two prominent tools, ssldump and tshark, in decrypting and inspecting encrypted network traffic, assuming an environment where decryption keys are available. The performance of ssldump and tshark was assessed using various metrics, including execution time, and the ability to handle different file sizes and session counts. The results showed that tshark exhibited faster processing speeds for smaller file sizes and a higher number of sessions, while ssldump demonstrated better performance for larger file sizes and fewer sessions. However, notable performance differences were not observed based solely on the type of cipher suite or encryption method used. To enhance performance, the study proposes the session-based split and conquer (SSC) technique for automating parallelization using a multi-process approach. SSC shows up to a 39× improvement in performance, depending on system capabilities and workload.
37

Ji, Xiaoyu, Yushi Cheng, Wenyuan Xu, and Xinyan Zhou. "User Presence Inference via Encrypted Traffic of Wireless Camera in Smart Homes." Security and Communication Networks 2018 (September 25, 2018): 1–10. http://dx.doi.org/10.1155/2018/3980371.

Abstract:
Wireless cameras are widely deployed in smart homes for security guarding, baby monitoring, fall detection, and so on. Those security cameras, which are supposed to protect users, however, may in turn leak a user’s personal privacy. In this paper, we reveal that attackers are able to infer whether users are at home or not, that is, the user presence, by eavesdropping on the traffic of wireless cameras from a distance. We propose HomeSpy, a system that infers user presence by inspecting the intrinsic pattern of the wireless camera traffic. To infer the user presence, HomeSpy first eavesdrops on the wireless traffic around the target house and detects the existence of wireless cameras with a Long Short-Term Memory (LSTM) network. Then, HomeSpy infers the user presence using the bitrate variation of the wireless camera traffic based on a cumulative sum control chart (CUSUM) algorithm. We implement HomeSpy on the Android platform and validate it on 20 cameras. The evaluation results show that HomeSpy can achieve a successful attack rate of 97.2%.
38

Subahi, Alanoud, and George Theodorakopoulos. "Detecting IoT User Behavior and Sensitive Information in Encrypted IoT-App Traffic." Sensors 19, no. 21 (2019): 4777. http://dx.doi.org/10.3390/s19214777.

Abstract:
Many people use smart-home devices, also known as the Internet of Things (IoT), in their daily lives. Most IoT devices come with a companion mobile application that users need to install on their smartphone or tablet to control, configure, and interface with the IoT device. IoT devices send information about their users from their app directly to the IoT manufacturer’s cloud; we call this the “app-to-cloud way”. In this research, we invent a tool called IoT-app privacy inspector that can automatically infer the following from the IoT network traffic: the packet that reveals the user interaction type with the IoT device via its app (e.g., login), the packets that carry sensitive Personally Identifiable Information (PII), and the content type of such sensitive information (e.g., the user’s location). We use a Random Forest classifier as a supervised machine learning algorithm to extract features from network traffic. To train and test the three different multi-class classifiers, we collect and label network traffic from different IoT devices via their apps. We obtain the following classification accuracy values for the three aforementioned types of information: 99.4%, 99.8%, and 99.8%. This tool can help IoT users take an active role in protecting their privacy.
39

Mohd Fuzi, Mohd Faris, Mohamad Ridzuan Mohd Alias, Naginder Kaur, and Iman Hazwam Abd Halim. "SafeSearch: Obfuscated VPN Server using Raspberry Pi for Secure Network." Journal of Computing Research and Innovation 6, no. 4 (2021): 90–101. http://dx.doi.org/10.24191/jcrinn.v6i4.230.

Abstract:
A Virtual Private Network (VPN) is a private network that uses a public network to tunnel the connection from the users’ end to the VPN server. A VPN allows users to create a secure connection to another network over the public Internet. VPNs can be used to shield users’ browsing activity and encrypt data transmitted over the network to prevent sniffing attacks. Nowadays, users can either pay a premium price for a good VPN service or risk their privacy using a free browser-based VPN. Thus, SafeSearch is developed with these issues in mind. With SafeSearch, users will not need to fork out a lot of money for premium VPN subscription services or expose themselves to targeted advertising when utilising a free browser-based VPN. In this study, the OpenVPN protocol was used to create the VPN server on a microcomputer called Raspberry Pi. The software used was mostly open-source except for the VPN client. An obfuscation technique was used to hide VPN traffic by disguising it as just another normal Internet traffic against Deep Packet Inspection when passing through a firewall. After the VPN server was established, tests were carried out to evaluate the functionality and reliability of the VPN server in a “real-world” environment. The tests conducted were a network restriction penetration assessment, a network performance test, and a user acceptance test. The penetration assessment result showed that SafeSearch is capable of bypassing web filtering and deep packet inspection. Network performance during a SafeSearch connection shows a slight latency and bandwidth decline, although it is not overly affected. The outcome of the user acceptance test was positive, as the majority of participants in the study were confident that SafeSearch can secure their connection and protect their privacy when browsing the web. To conclude, both objectives of this project were fully achieved and the scope of the study was followed thoroughly.
40

Jyoti Pandey, Shruti Rai, and Srivaramangai R. "Assessment of Deep Packet Inspection System of Network traffic and Anomaly Detection." International Journal of Scientific Research in Science, Engineering and Technology, June 6, 2023, 680–88. http://dx.doi.org/10.32628/ijsrset23103108.

Abstract:
Deep packet SSL inspection is a process that involves decrypting and inspecting SSL-encrypted network traffic in order to detect and prevent security threats. With the increasing use of SSL encryption, it has become difficult for traditional network security solutions to inspect encrypted traffic for threats. Deep packet SSL inspection addresses this problem by decrypting the SSL traffic, inspecting it for threats, and then re-encrypting it before forwarding it to its destination. This process involves the use of SSL certificates that mimic the real ones used by the servers, as well as SSL inspection rules that specify which traffic should be decrypted and inspected. Deep packet SSL inspection can be a complex and resource-intensive process, and must be performed carefully to avoid legal or ethical issues related to the interception and inspection of encrypted traffic. However, it is a powerful tool for protecting networks from security threats, and can help organizations detect and prevent attacks that would otherwise go unnoticed.
41

Liu, Qin, Yu Peng, Hongbo Jiang, et al. "SlimBox: Lightweight Packet Inspection Over Encrypted Traffic." IEEE Transactions on Dependable and Secure Computing, 2022, 1–12. http://dx.doi.org/10.1109/tdsc.2022.3222533.

42

Pham, Vinh, Eunil Seo, and Tai-Myoung Chung. "Lightweight Convolutional Neural Network Based Intrusion Detection System." Journal of Communications, 2020, 808–17. http://dx.doi.org/10.12720/jcm.15.11.808-817.

Abstract:
Identifying threats contained within encrypted network traffic poses a great challenge to Intrusion Detection Systems (IDS). Because traditional approaches like deep packet inspection cannot operate on encrypted network traffic, machine learning-based IDS is a promising solution. However, machine learning-based IDS requires enormous amounts of statistical data derived from network traffic flows as input, demands high computing power for processing, and is slow in detecting intrusions. We propose a lightweight IDS that transforms raw network traffic into representation images. We begin by inspecting the characteristics of malicious network traffic in the CSE-CIC-IDS2018 dataset. We then adapt methods for effectively representing those characteristics as image data. A Convolutional Neural Network (CNN) based detection model is used to identify malicious traffic within the image data. To demonstrate the feasibility of the proposed lightweight IDS, we conduct three simulations on two datasets that contain encrypted traffic with current network attack scenarios. The experimental results show that our proposed IDS is capable of achieving 95% accuracy with a reasonable detection time while requiring relatively little training data.
43

Papadogiannaki, Eva, and Sotiris Ioannidis. "Acceleration of Intrusion Detection in Encrypted Network Traffic Using Heterogeneous Hardware." Sensors 21, no. 4 (January 26, 2021): 1140. https://doi.org/10.3390/s21041140.

Abstract:
More than 75% of Internet traffic is now encrypted, and this percentage is constantly increasing. The majority of communications are secured using common encryption protocols such as SSL/TLS and IPsec to ensure security and protect the privacy of Internet users. However, encryption can be exploited to hide malicious activities, camouflaged into normal network traffic. Traditionally, network traffic inspection is based on techniques like deep packet inspection (DPI). Common applications for DPI include but are not limited to firewalls, intrusion detection and prevention systems, L7 filtering, and packet forwarding. With the widespread adoption of network encryption though, DPI tools that rely on packet payload content are becoming less effective, demanding the development of more sophisticated techniques in order to adapt to current network encryption trends. In this work, we present HeaderHunter, a fast signature-based intrusion detection system even for encrypted network traffic. We generate signatures using only network packet metadata extracted from packet headers. In addition, we examine the processing acceleration of the intrusion detection engine using different heterogeneous hardware architectures.
44

Papadogiannaki, Eva, and Sotiris Ioannidis. "Acceleration of Intrusion Detection in Encrypted Network Traffic Using Heterogeneous Hardware." Sensors, Special Issue "Selected Papers from the IEEE International Workshop on Computer Aided Modeling and Design of Communication Links and Networks, CAMAD 2020," February 1, 2021. https://doi.org/10.5281/zenodo.6787351.

45

Chen, Dajiang, Hao Wang, Ning Zhang, et al. "Privacy-Preserving Encrypted Traffic Inspection with Symmetric Cryptographic Techniques in IoT." IEEE Internet of Things Journal, 2022, 1. http://dx.doi.org/10.1109/jiot.2022.3155355.

46

Zhang, Kai, Minjun Deng, Bei Gong, Yinbin Miao, and Jianting Ning. "Privacy-Preserving Traceable Encrypted Traffic Inspection in Blockchain-based Industrial IoT." IEEE Internet of Things Journal, 2023, 1. http://dx.doi.org/10.1109/jiot.2023.3297601.

47

Seok, Byoungjin, and Kiwook Sohn. "Adversarial Attacks on Pre-trained Deep Learning Models for Encrypted Traffic Analysis." Journal of Web Engineering, November 4, 2024, 749–68. http://dx.doi.org/10.13052/jwe1540-9589.2361.

Abstract:
For web security, it’s essential to accurately classify traffic across various web applications to detect malicious activities lurking within network traffic. However, the encryption protocols for privacy protection, such as TLS 1.3 and IPSec, make it difficult to apply traditional traffic classification methods like deep packet inspection (DPI). Recently, the advent of deep learning has significantly advanced the field of encrypted traffic analysis (ETA), outperforming traditional traffic analysis approaches. Notably, pre-trained deep-learning-based ETA models have demonstrated superior analytical capabilities. However, the security aspects of these deep learning models are often overlooked during the design and development process. In this paper, we conducted adversarial attacks to evaluate the security of pre-trained ETA models. We targeted ET-BERT, a state-of-the-art model demonstrating superior performance, to generate adversarial traffic examples. To carry out the adversarial example generation, we drew inspiration from adversarial attacks on discrete data, such as natural language, defining fluency from a network traffic perspective and proposing a new attack algorithm that can preserve this fluency. Finally, in our experiments, we showed that our target model is vulnerable to the proposed adversarial attacks.
48

Çelebi, Merve, Alper Özbilen, and Uraz Yavanoğlu. "A Comprehensive Study on Deep Packet Inspection for Modern Network Traffic Analysis: Issues and Challenges" [Modern ağ trafiği analizi için derin paket incelemesi hakkında kapsamlı bir çalışma: sorunlar ve zorluklar]. Ömer Halisdemir Üniversitesi Mühendislik Bilimleri Dergisi, November 14, 2022. http://dx.doi.org/10.28948/ngumuh.1184020.

Abstract:
Deep Packet Inspection (DPI) provides full visibility into network traffic by performing detailed analysis on both the packet header and the packet payload. Accordingly, DPI has critical importance as it can be used in applications such as network security or government surveillance. In this paper, we provide an extensive survey on DPI. Different from previous studies, we try to efficiently integrate DPI techniques into network analysis mechanisms by identifying performance-limiting parameters in the analysis of modern network traffic. Analysis of network traffic models with complex behaviors is carried out with powerful hybrid systems that combine more than one technique. Therefore, DPI methods are studied together with other techniques used in the analysis of network traffic. Security applications of DPI on Internet of Things (IoT) and Software-Defined Networking (SDN) architectures are discussed, and Intrusion Detection System (IDS) mechanisms, in which DPI is applied as a component of the hybrid system, are examined. In addition, methods that perform inspection of encrypted network traffic are emphasized, and these methods are evaluated from the point of view of security, performance and functionality. Future research issues are also discussed, taking into account the implementation challenges for all DPI processes.
49

Shaladi, Tarek Ayad H., Mohamed Taher R. Nashnosh, and Mohamed Mahmoud Alkabir. "Forest Tree AI-SDN Firewall: A Hierarchical Architecture for Adaptive Network Security." International Journal of Current Science Research and Review 08, no. 05 (2025). https://doi.org/10.47191/ijcsrr/v8-i5-62.

Abstract:
The rapidly evolving digital environment demands advanced network security solutions that can defend against complex cyber threats. Network security receives a promising boost from the combination of Software-Defined Networking (SDN) and Artificial Intelligence (AI), which enables real-time control and intelligent decision-making. Real-time management of network resources through SDN allows flexible control, while AI boosts the detection of anomalies in large datasets. In this paper we propose a Forest Tree AI-SDN Firewall, an innovative hierarchical framework that combines these two powerful technologies to provide adaptive network security solutions with scalable and resilient capabilities. The framework draws its design principles from SDN infrastructure based on three separate layers: the Root Layer, the Trunk Layer and the Canopy Layer. Real-time traffic filtering at the Root Layer uses lightweight edge sensors to achieve 98.2% accuracy, while its FPGA-accelerated TLS 1.3 inspection system handles 40 Gbps of data. The Trunk Layer uses reinforcement learning algorithms with a federated SDN control plane to achieve dynamic policy optimization with 12 ms response times. The Canopy Layer uses deep learning ensemble technology that combines CNN, LSTM and GNN architectures to detect zero-day threats effectively, with 99.4% recall and 92% coverage of encrypted traffic analysis. The system achieves 99.2% threat detection precision during benchmark tests while generating 0.8% incorrect alerts and allowing policy updates at speeds 5.2 times faster than conventional security systems. The proposed system evaluates encrypted information, strengthens adversarial resistance together with cross-domain coordination, and achieves 38 Gbps/W energy efficiency.
50

Patel, Vishva, Hitasvi Shukla, and Aashka Raval. "Enhancing Botnet Detection With Machine Learning And Explainable AI: A Step Towards Trustworthy AI Security." International Journal For Multidisciplinary Research 7, no. 2 (2025). https://doi.org/10.36948/ijfmr.2025.v07i02.39353.

Abstract:
The rapid proliferation of botnets, armies of compromised machines controlled remotely by malicious actors, has played a pivotal role in the increase in cyber-attacks, such as Distributed Denial-of-Service (DDoS) attacks, credential theft, data exfiltration, command-and-control (C2) activity, and automated exploitation of vulnerabilities. Legacy botnet detection methods, founded on signature matching and deep packet inspection (DPI), are rapidly becoming a relic of the past because of the prevalence of encryption schemes like TLS 1.3, DNS-over-HTTPS (DoH), and encrypted VPN tunneling. These encryption mechanisms conceal packet payloads, making traditional network monitoring technology unsuitable for botnet detection. Faced with this challenge, ML-based botnet detection mechanisms have risen to the top. Existing ML-based approaches, however, are marred by two inherent weaknesses: (1) lack of granularity in detection, because most models are based on binary classification with no distinction of botnet attack variants, and (2) uninterpretability, where high-performing AI models behave like black-box mechanisms, which limits trust in security automation and leads to high false positives, thereby making threat analysis difficult for security practitioners. To overcome these challenges, this study proposes an AI-based, multi-class classification botnet detection system for encrypted network traffic that includes Explainable AI (XAI) techniques for improving model explainability and decision transparency. Two datasets, CICIDS-2017 and CTU-NCC, are used in this study, where a systematic data preprocessing step was employed to maximise data quality, feature representation, and model performance. Preprocessing included duplicate record removal, missing and infinite value imputation, categorical feature transformation, and removal of highly correlated and zero-variance features to minimise model bias. Dimensionality reduction was performed using Principal Component Analysis (PCA), lowering the features of CICIDS-2017 from 70 to 34 and those of CTU-NCC from 17 to 4 to maximise computational efficiency. Additionally, to deal with skewed class distributions, the Synthetic Minority Over-Sampling Technique (SMOTE) was employed to synthesise minority class samples and offer a balanced representation of botnet attack types. For CICIDS-2017, we used three machine learning algorithms: Random Forest (RF) with cross-validation (0.98 accuracy, 100K samples per class), eXtreme Gradient Boosting (XGB) with Bayesian optimisation (0.997 accuracy, 180K samples per class), and our recently introduced Hybrid K-Nearest Neighbours (KNN) + Random Forest (RF) model, resulting in state-of-the-art accuracy of 0.99 (180K samples per class). The CTU-NCC dataset was divided across three network sensors and processed separately. Random Forest (RF), Decision Tree (DT), and KNN models were trained independently for each sensor, and to enhance performance, ensemble learning methods such as stacking and voting were applied to combine the results from each of the sensors. The resulting accuracies were as follows: (Random Forest Stacking: 99.38%, Random Forest Voting: 99.35%), (Decision Tree Stacking: 99.68%, Decision Tree Voting: 91.65%), and (KNN Stacking: 97.53%, KNN Voting: 97.11%). Explainable AI (XAI) techniques like SHAP (SHapley Additive exPlanations) and LIME (Local Interpretable Model-agnostic Explanations) were integrated to provide enhanced interpretability for eXtreme Gradient Boosting and our Hybrid KNN+Random Forest model, which provided explanations for model decisions and enhanced analyst confidence in the system's predictions. Our key contribution is the Hybrid KNN+Random Forest system with 0.99 accuracy and provision of explainability. We illustrate an accurate, scalable, and deployable AI-based solution for botnet attacks. Our experimentation shows that the multi-class classification method greatly assists in botnet attack discrimination, and Explainable AI (XAI) helps enhance clarity and is thus a strong, practical solution for the real case of botnet detection in an encrypted network scenario.