Network Traffic Security Analysis

A special issue of Applied Sciences (ISSN 2076-3417). This special issue belongs to the section "Computing and Artificial Intelligence".

Deadline for manuscript submissions: closed (30 November 2022) | Viewed by 9662

Special Issue Editors


Guest Editor
School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China
Interests: network security; network measurement; traffic behavior analysis

Guest Editor
School of Computer Science, University of Technology Sydney, Sydney, NSW 2007, Australia
Interests: networking theory; network security; big data

Guest Editor
School Information Technology, Illinois State University, Normal, IL 61790, USA
Interests: network security; artificial intelligence; adaptive learning

Special Issue Information

Dear Colleagues,

The illustrious international open-access journal Applied Sciences (ISSN 2076-3417, IF 2.679) is pleased to announce a new Special Issue entitled “Network Traffic Security Analysis”.

Network traffic security analysis is an essential basis for network security. Traditional network traffic analysis mainly relies on the plaintext information carried in traffic. With growing user privacy awareness and stricter data security requirements, encrypted communication technologies and security protocols are widely used in network communication, making traffic encryption a general trend. Traffic encryption provides security for users, but it also lets malicious traffic hide behind encrypted communication. Malicious traffic may even disguise itself as benign traffic, defeating traditional firewalls and intrusion detection systems. This phenomenon creates new challenges for network security. In addition to encryption, VPN tunnels, anonymous network communication, and other technologies related to encrypted traffic are increasingly used by malicious traffic and for illegal network behavior. Furthermore, network security threats may also exist in the applications and content behind encrypted traffic. These diversified threats make network traffic security analysis under encrypted traffic a new key research field.

This Special Issue welcomes theoretical studies on network traffic security analysis and the realization of their engineering systems. We encourage researchers to share new findings and new data sets in the field. This Special Issue is focused on but is not restricted to the following areas related to network traffic security analysis:

  • Network measurement;
  • Network protocol analysis and reverse engineering;
  • Encrypted traffic classification;
  • Encrypted traffic content identification;
  • Encrypted traffic QoS / QoE;
  • VPN traffic analysis;
  • Anonymous traffic analysis;
  • Encrypted malicious traffic identification;
  • Adversarial research in network traffic security analysis.

Prof. Dr. Guang Cheng
Prof. Dr. Shui Yu
Prof. Dr. Yongning Tang
Guest Editors

Manuscript Submission Information

Manuscripts should be submitted online at www.mdpi.com by registering and logging in to the website and using the submission form. Manuscripts can be submitted until the deadline. All submissions that pass pre-check are peer-reviewed. Accepted papers will be published continuously in the journal (as soon as accepted) and will be listed together on the special issue website. Research articles, review articles as well as short communications are invited. For planned papers, a title and short abstract (about 100 words) can be sent to the Editorial Office for announcement on this website.

Submitted manuscripts should not have been published previously, nor be under consideration for publication elsewhere (except conference proceedings papers). All manuscripts are thoroughly refereed through a single-blind peer-review process. A guide for authors and other relevant information for submission of manuscripts is available on the Instructions for Authors page. Applied Sciences is an international peer-reviewed open access semimonthly journal published by MDPI.

Please visit the Instructions for Authors page before submitting a manuscript. The Article Processing Charge (APC) for publication in this open access journal is 2400 CHF (Swiss Francs). Submitted papers should be well formatted and use good English. Authors may use MDPI's English editing service prior to publication or during author revisions.

Keywords

  • network measurement
  • network protocol analysis
  • encrypted traffic classification
  • encrypted traffic content identification (web, stream media,…)
  • encrypted traffic QoS / QoE
  • VPN traffic analysis
  • anonymous traffic analysis (Tor, I2P, Zeronet,…)
  • encrypted malicious traffic identification
  • adversarial research in network traffic security analysis

Published Papers (6 papers)


Research

22 pages, 3923 KiB  
Article
Accurate Encrypted Malicious Traffic Identification via Traffic Interaction Pattern Using Graph Convolutional Network
by Guoqiang Ren, Guang Cheng and Nan Fu
Appl. Sci. 2023, 13(3), 1483; https://doi.org/10.3390/app13031483 - 23 Jan 2023
Cited by 2 | Viewed by 1826
Abstract
Telecommuting and telelearning have gradually become mainstream lifestyles in the post-epidemic era. The extensive interconnection of massive terminals gives attackers more opportunities, which brings more significant challenges to network traffic security analysis. The existing attacks, often using encryption technology and distributed attack methods, increase the number and complexity of attacks. However, the traditional methods need more analysis of encrypted malicious traffic interaction patterns and cannot explore the potential correlations of interaction patterns in a macroscopic and comprehensive manner. Moreover, the changes in interaction patterns caused by attacks also need further study. Therefore, to achieve accurate and effective identification of attacks, it is essential to comprehensively describe the interaction patterns of malicious traffic and portray the relations of interaction patterns with the appearance of attacks. We propose a method for classifying attacks based on the traffic interaction attribute graph, named G-TIAG. At first, G-TIAG studies interaction patterns of traffic, describes the construction rule of the graphs, and selects the attributive features of nodes in each graph. Then, it uses a graph convolutional network with a GRU and self-attention to classify benign data and different attacks. Our approach achieved the best classification results, with 89% accuracy and F1-Score and 88% recall, respectively, on publicly available datasets. The improvement is about 7% compared to traditional machine learning classification results and about 6% compared to deep learning classification results, which finally successfully achieved the classification of attacks.
(This article belongs to the Special Issue Network Traffic Security Analysis)

26 pages, 2926 KiB  
Article
Development of Fingerprint Identification Based on Device Flow in Industrial Control System
by Jun Tao, Xin Yuan, Shengze Zhang and Yifan Xu
Appl. Sci. 2023, 13(2), 731; https://doi.org/10.3390/app13020731 - 04 Jan 2023
Viewed by 1740
Abstract
With the rapid development of industrial automation technology, a large number of industrial control devices have emerged in cyberspace, but the security of open cyberspace is difficult to guarantee. Attacks on industrial control devices can directly endanger the environment and even life safety. Therefore, how to monitor the industrial control system in real time has become the primary problem, and device identification is the basic guarantee of safety monitoring. There are limitations in building a device identification model based on IP address or machine learning. This paper aims at the development of a device traffic fingerprint model and identifies the device based on the periodicity of device traffic. The model generates device fingerprints based on pattern sequences abstracted from the traffic and the suffix array algorithm. In the process of recognition, the exact pattern matching algorithm is used for preliminary judgment. If the exact pattern matching fails to hit, the final judgment is made by combining it with fuzzy pattern matching. This paper also proposes a diagonal jump algorithm to optimize the updating of the distance matrix, which saves on the computational cost of fuzzy pattern matching. Simulation results show that, compared with SVM, random forest, and LSTM models, the device traffic fingerprint model has good performance advantages in accuracy, recall and precision.
(This article belongs to the Special Issue Network Traffic Security Analysis)

29 pages, 4753 KiB  
Article
MSLCFinder: An Algorithm in Limited Resources Environment for Finding Top-k Elephant Flows
by Xianlong Dai, Guang Cheng, Ziyang Yu, Ruixing Zhu and Yali Yuan
Appl. Sci. 2023, 13(1), 575; https://doi.org/10.3390/app13010575 - 31 Dec 2022
Viewed by 1095
Abstract
Encrypted traffic accounts for 95% of the total traffic in the backbone network environment with Tbps bandwidth. As network traffic becomes more and more encrypted and link rates increase in modern networks, the measurement of encrypted traffic relies more on collecting and analyzing massive network traffic data that cannot be separated from the support of high-speed network traffic measurement technology. Finding top-k elephant flows is a critical task with many applications in congestion control, anomaly detection, and traffic engineering. Owing to this, designing accurate and fast algorithms for online identification of elephant flows becomes more and more challenging. Existing methods either use large-size counters, i.e., 20-bit, to prevent overflows when recording flow sizes or require significant space overhead to measure the sizes of all flows. Thus, we adopt a novel strategy, called count-with-uth-level-sampling, in this paper, to find top-k elephant flows in limited resource environments. Moreover, the proposed algorithm, called MSLCFinder, incurs lightweight counters and uth-level multi-sampling with small, constant processing for millions of flows. Experimental results show that MSLCFinder can achieve more than 97% precision with extremely limited hardware resources. Compared to the state-of-the-art, our method realizes the statistics and filtering of millions of data streams with less memory.
(This article belongs to the Special Issue Network Traffic Security Analysis)

27 pages, 7994 KiB  
Article
FF-MR: A DoH-Encrypted DNS Covert Channel Detection Method Based on Feature Fusion
by Yongjie Wang, Chuanxin Shen, Dongdong Hou, Xinli Xiong and Yang Li
Appl. Sci. 2022, 12(24), 12644; https://doi.org/10.3390/app122412644 - 09 Dec 2022
Cited by 2 | Viewed by 1612
Abstract
In this paper, in order to accurately detect Domain Name System (DNS) covert channels based on DNS over HTTPS (DoH) encryption and to solve the problems of weak single-feature differentiation and poor performance in the existing detection methods, we have designed a DoH-encrypted DNS covert channel detection method based on feature fusion, called FF-MR. FF-MR is based on a Multi-Head Attention and Residual Neural Network. It fuses session statistical features with multi-channel session byte sequence features. Some important features that play a key role in the detection task are screened out of the fused features through the calculation of the Multi-Head Attention mechanism. Finally, a Multi-Layer Perceptron (MLP) is used to detect encrypted DNS covert channels. By considering both global and focused features, the main idea of FF-MR is that the degree of correlation between each feature and all other features is expressed as an attention weight. Thus, features are re-represented as the result of the weighted fusion of all features using the Multi-Head Attention mechanism. Focusing on certain important features according to the distribution of attention weights improves the detection performance. While detecting the traffic in encrypted DNS covert channels, FF-MR can also accurately identify encrypted traffic generated by the three DNS covert channel tools. Experiments on the CIRA-CIC-DoHBrw-2020 dataset show that the macro-averaging recall and precision of the FF-MR method reach 99.73% and 99.72%, respectively, and the macro-averaging F1-Score reaches 0.9978, which is up to 4.56% higher than the existing methods compared in the paper. FF-MR achieves at most an 11.32% improvement in macro-averaging F1-Score in identifying three encrypted DNS covert channels, indicating that FF-MR has a strong ability to detect and identify DoH-encrypted DNS covert channels.
(This article belongs to the Special Issue Network Traffic Security Analysis)

26 pages, 4562 KiB  
Article
A3C System: One-Stop Automated Encrypted Traffic Labeled Sample Collection, Construction and Correlation in Multi-Systems
by Zihan Chen, Guang Cheng, Ziheng Xu, Keya Xu, Yuhang Shan and Jiakang Zhang
Appl. Sci. 2022, 12(22), 11731; https://doi.org/10.3390/app122211731 - 18 Nov 2022
Cited by 4 | Viewed by 1508
Abstract
Encrypted traffic classification can essentially support network QoS (Quality of Service) and user QoE (Quality of Experience). However, as a typical supervised learning problem, it requires sufficiently labeled samples, which should be frequently updated. The current gateway-based labeled sample acquisition methods can only be carried out under TLS traffic. They rely on the Server Name Indication, a confusing optional field that can be tampered with. The current end-based methods, carried out manually or automatically, have low efficiency and lack sample integrity, category purity, and label authenticity. In addition, they may have colossal packet loss and violate device security and user privacy. To solve these problems, we propose a one-stop automated encrypted traffic labeled sample collection, construction, and correlation system, A3C. First, we carry out the automated process-isolated traffic collection and labeled sample construction in the mixed application scenario, which can be used on Windows, Linux, and Android systems. Then, we propose the Segmented Entropy Distribution Capsule Neural Network (SED-CapsNet) to validate the encryption of the collected samples. We also propose optional authenticity validation and context flow correlation methods. Experimental results show that the system can effectively achieve one-stop encrypted traffic labeled dataset acquisition. It is superior to the existing methods.
(This article belongs to the Special Issue Network Traffic Security Analysis)

30 pages, 8062 KiB  
Article
Fine-Grained High-Utility Dynamic Fingerprinting Extraction for Network Traffic Analysis
by Xueying Sun, Junkai Yi, Fei Yang and Lin Liu
Appl. Sci. 2022, 12(22), 11585; https://doi.org/10.3390/app122211585 - 15 Nov 2022
Viewed by 998
Abstract
Previous network feature extraction methods used for network anomaly detection have some problems, such as being unable to extract features from the original network traffic, only being able to extract coarse-grained features, and being highly dependent on manual analysis. To solve these problems, this paper proposes a fine-grained and highly practical dynamic application fingerprint extraction method. It puts forward a fine-grained high-utility dynamic fingerprinting (Huf) algorithm to build a Huf-Tree based on the N-gram model (every substring of a larger string, of a fixed length n), combines it with the network traffic segment-IP address transition (IAT) method to achieve dynamic application fingerprint extraction, and calculates the utility of each fingerprint to obtain more valuable fingerprints, so as to achieve fine-grained and efficient flow characteristic extraction and to remove the heavy dependence on manual analysis. The experimental results show that the Huf algorithm can realize dynamic application fingerprint extraction and solve the existing problems.
(This article belongs to the Special Issue Network Traffic Security Analysis)