HMMED: A Multimodal Model with Separate Head and Payload Processing for Malicious Encrypted Traffic Detection

4区计算机科学 Q3 Computer Science

Security and Communication Networks Pub Date : 2024-05-30 DOI:10.1155/2024/8725832

Peng Xiao, Ying Yan, Jian Hu, Zhenhong Zhang

{"title":"HMMED: A Multimodal Model with Separate Head and Payload Processing for Malicious Encrypted Traffic Detection","authors":"Peng Xiao, Ying Yan, Jian Hu, Zhenhong Zhang","doi":"10.1155/2024/8725832","DOIUrl":null,"url":null,"abstract":"Malicious encrypted traffic detection is a critical component of network security management. Previous detection methods can be categorized into two classes as follows: one is to use the feature engineering method to construct traffic features for classification and the other is to use the end-to-end method that directly inputs the original traffic to obtain traffic features for classification. Both of the abovementioned two methods have the problem that the obtained features cannot fully characterize the traffic. To this end, this paper proposes a hierarchical multimodal deep learning model (HMMED) for malicious encrypted traffic detection. This model adopts the abovementioned two feature generation methods to learn the features of payload and header, respectively, then fuses the features to get the final traffic features, and finally inputs the final traffic features into the softmax classifier for classification. In addition, since traditional deep learning is highly dependent on the training set size and data distribution, resulting in a model that is not very generalizable and difficult to adapt to unseen encrypted traffic, the model proposed in this paper uses a large amount of unlabeled encrypted traffic in the pretraining layer to pretrain a submodel used to obtain a generic packet payload representation. The test results on the USTC-TFC2016 dataset show that the proposed model can effectively solve the problem of insufficient feature extraction of traditional detection methods and improve the ACC of malicious encrypted traffic detection.","PeriodicalId":49554,"journal":{"name":"Security and Communication Networks","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2024-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Security and Communication Networks","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1155/2024/8725832","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"Computer Science","Score":null,"Total":0}

引用次数: 0

Abstract

Malicious encrypted traffic detection is a critical component of network security management. Previous detection methods can be categorized into two classes as follows: one is to use the feature engineering method to construct traffic features for classification and the other is to use the end-to-end method that directly inputs the original traffic to obtain traffic features for classification. Both of the abovementioned two methods have the problem that the obtained features cannot fully characterize the traffic. To this end, this paper proposes a hierarchical multimodal deep learning model (HMMED) for malicious encrypted traffic detection. This model adopts the abovementioned two feature generation methods to learn the features of payload and header, respectively, then fuses the features to get the final traffic features, and finally inputs the final traffic features into the softmax classifier for classification. In addition, since traditional deep learning is highly dependent on the training set size and data distribution, resulting in a model that is not very generalizable and difficult to adapt to unseen encrypted traffic, the model proposed in this paper uses a large amount of unlabeled encrypted traffic in the pretraining layer to pretrain a submodel used to obtain a generic packet payload representation. The test results on the USTC-TFC2016 dataset show that the proposed model can effectively solve the problem of insufficient feature extraction of traditional detection methods and improve the ACC of malicious encrypted traffic detection.

查看原文本刊更多论文

HMMED：分别处理头部和有效载荷的多模态模型，用于恶意加密流量检测

恶意加密流量检测是网络安全管理的重要组成部分。以往的检测方法可分为以下两类：一类是使用特征工程方法构建流量特征进行分类，另一类是使用端到端方法直接输入原始流量获取流量特征进行分类。上述两种方法都存在一个问题，即获得的特征不能完全表征流量。为此，本文提出了一种用于恶意加密流量检测的分层多模态深度学习模型（HMMED）。该模型采用上述两种特征生成方法，分别学习有效载荷和头部特征，然后将特征融合得到最终流量特征，最后将最终流量特征输入 softmax 分类器进行分类。此外，由于传统的深度学习高度依赖于训练集的大小和数据分布，导致模型的通用性不强，难以适应未见过的加密流量，因此本文提出的模型在预训练层使用大量未标记的加密流量来预训练一个子模型，用于获得通用的数据包有效载荷表示。在 USTC-TFC2016 数据集上的测试结果表明，本文提出的模型能有效解决传统检测方法特征提取不足的问题，提高恶意加密流量检测的 ACC。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Security and Communication Networks COMPUTER SCIENCE, INFORMATION SYSTEMS-TELECOMMUNICATIONS

自引率

0.00%

发文量

1274

审稿时长

11.3 months

期刊介绍： Security and Communication Networks is an international journal publishing original research and review papers on all security areas including network security, cryptography, cyber security, etc. The emphasis is on security protocols, approaches and techniques applied to all types of information and communication networks, including wired, wireless and optical transmission platforms. The journal provides a prestigious forum for the R&D community in academia and industry working at the inter-disciplinary nexus of next generation communications technologies for security implementations in all network layers. Answering the highly practical and commercial importance of network security R&D, submissions of applications-oriented papers describing case studies and simulations are encouraged as well as research analysis-type papers.