Detection of Malicious Activity in Encrypted Traffic Presented as a Time Series
Abstract
Most Internet traffic is now encrypted, and malware increasingly uses encryption as well. Encrypted traffic is therefore scanned for malicious activity using its metadata rather than its payload. For that purpose, traffic is divided into flows – sessions between two hosts. This paper applies machine learning to the analysis of encrypted traffic represented as time series, and compares this approach with the more traditional approach of classifying a flow by a fixed set of per-flow features. The task is considered in both the supervised and the unsupervised setting. For the decision on whether a host as a whole is infected, a model of a malware detector is proposed.
The experiments use the network activity of ransomware as a case study. Tools specific to time series were used for the analysis: recurrent and convolutional neural networks and dynamic time warping.
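The following is an added example, not code from the paper, illustrating the time-series view of a flow described above: each flow is represented as the sequence of its packet lengths (signed by direction), flows are compared with dynamic time warping (DTW), and a 1-nearest-neighbour rule assigns the label of the closest labelled flow. The host-level rule that flags a host when a share of its flows look malicious is an assumption of this example, not the detector model the paper proposes. All flow data, labels, the window size and the threshold are constructed for illustration.

```python
"""Flow-as-time-series classification with DTW and 1-NN (added example).

Feature choice (assumed): a flow is the sequence of packet lengths in
bytes, positive for client->server and negative for server->client.
Inter-arrival times could be treated the same way as a second series.
All sample flows below are constructed, not captured traffic.
"""
from typing import List, Optional, Sequence, Tuple

Series = Sequence[float]
Labelled = Tuple[Series, str]


def dtw_distance(a: Series, b: Series, window: Optional[int] = None) -> float:
    """Classic DTW accumulated cost with an optional Sakoe-Chiba band.

    The band is widened to at least |len(a) - len(b)| so the end cell is
    always reachable; an unbounded band is used when window is None.
    """
    if not a or not b:
        raise ValueError("DTW needs two non-empty series")
    n, m = len(a), len(b)
    w = max(window if window is not None else max(n, m), abs(n - m))
    inf = float("inf")
    prev = [inf] * (m + 1)
    prev[0] = 0.0  # empty prefixes align at zero cost
    for i in range(1, n + 1):
        cur = [inf] * (m + 1)
        lo, hi = max(1, i - w), min(m, i + w)
        for j in range(lo, hi + 1):
            cost = abs(a[i - 1] - b[j - 1])
            # match, insertion and deletion moves; INF entries lie outside the band
            cur[j] = cost + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    return prev[m]


def classify_flow(flow: Series, training: List[Labelled],
                  window: int = 2) -> Tuple[str, float]:
    """1-NN under DTW: the label of the closest training flow and its distance."""
    best_label, best_dist = "unknown", float("inf")
    for series, label in training:
        d = dtw_distance(flow, series, window)
        if d < best_dist:
            best_label, best_dist = label, d
    return best_label, best_dist


def host_verdict(flows: List[Series], training: List[Labelled],
                 min_flows: int = 3, ratio: float = 0.5) -> str:
    """Assumed host-level rule (not the paper's model): flag the host when at
    least `ratio` of its flows are nearest to a malicious example, provided
    at least `min_flows` flows were observed."""
    if len(flows) < min_flows:
        return "insufficient_data"
    malicious = sum(1 for f in flows
                    if classify_flow(f, training)[0] == "malicious")
    return "infected" if malicious / len(flows) >= ratio else "clean"


# Constructed labelled flows: a ClientHello-sized first packet, then either
# large server responses (benign download) or repeated client uploads with
# small replies (labelled malicious for this example only).
TRAINING: List[Labelled] = [
    ([517, -1514, -1514, -300, 100, -1514, -1514, -1514, 80], "benign"),
    ([517, -1514, -900, 70, -1514, -1514, 60], "benign"),
    ([517, -1514, -200, 900, -150, 900, -150, 900, -150], "malicious"),
    ([517, -1514, -180, 1200, -120, 1200, -120, 1200, -120, 1200, -120], "malicious"),
]

# Constructed per-host flow sets used for the host-level decision.
HOST_A_FLOWS: List[Series] = [
    [517, -1514, -1514, -280, 120, -1514, -1514, 90],
    [517, -1514, -880, 75, -1514, -1514, 55],
    [517, -1514, -1514, -1514, -320, 95, -1514, 70],
]
HOST_B_FLOWS: List[Series] = [
    [517, -1514, -210, 880, -160, 880, -160, 880, -160],
    [517, -1514, -190, 1150, -130, 1150, -130, 1150, -130, 1150, -130],
    [517, -1514, -1514, -280, 120, -1514, -1514, 90],
]

if __name__ == "__main__":
    for name, flows in (("host A", HOST_A_FLOWS), ("host B", HOST_B_FLOWS)):
        for f in flows:
            print(name, classify_flow(f, TRAINING))
        print(name, "->", host_verdict(flows, TRAINING))
```

The window parameter bounds how far the alignment may drift from the diagonal, which both speeds up the O(n·m) computation and stops a short flow from being stretched onto an unrelated long one; with raw byte lengths a single mismatched 1514-byte packet dominates the distance, so in practice the series would be scaled or normalised before comparison.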

This work is licensed under a Creative Commons Attribution 4.0 International License.