Dincy R. Arikkat, P. Vinod, K. A. Rafidha Rehiman, Rabeeba Abdul Rasheed, Mauro Conti
Title: XAITrafficIntell: Interpretable Cyber Threat Intelligence for Darknet Traffic Analysis
DOI: 10.1007/s10922-024-09842-8 (https://doi.org/10.1007/s10922-024-09842-8)
Journal: Journal of Network and Systems Management (impact factor 4.1; JCR Q1, Computer Science, Information Systems)
Published: 2024-09-05, journal article, not open access
Indexed on: Semantic Scholar
Citation count: 0
Abstract
Network traffic analysis is essential for enhancing network security and management. Integrating Machine Learning and Explainable Artificial Intelligence (XAI) offers a promising avenue for exploring darknet traffic. XAI's integration into security domains paves the way to enriching our understanding of network traffic patterns and extracting valuable insights for security purposes. This investigation delves into the intricacies of darknet traffic classification by analyzing the datasets ISCXTor2016 and CIC-Darknet2020. By employing XAI techniques, we identify the most crucial features for accurate network traffic categorization. We conduct an in-depth analysis of darknet traffic models by utilizing explainable tools such as SHAP, LIME, Permutation Importance, and Counterfactual Explanations. Our experimental results highlight Protocol as the crucial factor in the ISCXTor2016 traffic classification, Source Port in the ISCXTor2016 application identification, and IdleMax in the CIC-Darknet2020 traffic classification. Additionally, our analysis encompassed the extraction of Cyber Threat Intelligence from the IP addresses within the network traffic. We explored the prevalent malware types and discerned specific targeted countries. Furthermore, a comprehensive exploration was conducted on the sophisticated attack techniques employed by adversaries. Our analysis identified T1071 as a frequently employed attack technique in which adversaries utilize OSI application layer protocols to communicate, strategically evading detection and network filtering measures.
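Two of the explanation methods the abstract names, Permutation Importance and Counterfactual Explanations, are simple enough to show end to end. The block below is an added example written for this page, not code from the paper or its authors: it builds a small constructed flow table using three of the feature names mentioned above (Protocol, SourcePort, IdleMax), trains a plain k-nearest-neighbour classifier written inline (a stand-in for whatever models the paper used, which are not reproduced here), measures how much accuracy drops when each feature column is shuffled, and then searches for the smallest IdleMax reduction that flips a Tor prediction. The data generator deliberately makes IdleMax and Protocol informative and SourcePort pure noise, so the importance ranking it produces is a property of the constructed data, not a reproduction of the paper's results. One caveat worth keeping in mind when reading port-based findings on any capture-derived dataset: source ports reflect the capture setup and the client's ephemeral-port allocator, so an importance score on that feature may not transfer to traffic collected elsewhere, and permutation importance should be checked against a held-out capture before it drives a detection rule.

```python
"""Permutation importance and a counterfactual probe for a darknet-traffic classifier.

Added example for this page, not code from the paper. The flow table is
constructed here (labelled synthetic), and the classifier is a minimal k-NN
written inline so the whole thing runs offline with no external dependency.
"""
import random

FEATURES = ["Protocol", "SourcePort", "IdleMax"]
TCP, UDP = 6, 17


def make_flows(rng, n_per_class=100):
    """Constructed dataset (assumption, not real captures): Tor flows are TCP
    with a long IdleMax; non-Tor flows are TCP or UDP with a short IdleMax;
    SourcePort is uniform noise in both classes."""
    rows, labels = [], []
    for i in range(n_per_class):
        rows.append([TCP, rng.randint(1024, 65535), rng.uniform(60_000, 120_000)])
        labels.append(1)  # 1 = Tor
        proto = TCP if i % 2 == 0 else UDP
        rows.append([proto, rng.randint(1024, 65535), rng.uniform(0, 20_000)])
        labels.append(0)  # 0 = non-Tor
    return rows, labels


class KNN:
    """Minimal k-NN on min-max scaled features; stands in for a trained model."""

    def __init__(self, k=5):
        self.k = k

    def fit(self, rows, labels):
        cols = list(zip(*rows))
        self.lo = [min(c) for c in cols]
        self.span = [(max(c) - min(c)) or 1.0 for c in cols]  # avoid /0 on constant columns
        self.x = [self._scale(r) for r in rows]
        self.y = list(labels)
        return self

    def _scale(self, row):
        return [(v - lo) / s for v, lo, s in zip(row, self.lo, self.span)]

    def predict_one(self, row):
        q = self._scale(row)
        order = sorted(range(len(self.x)),
                       key=lambda i: sum((a - b) ** 2 for a, b in zip(q, self.x[i])))
        votes = sum(self.y[i] for i in order[:self.k])
        return 1 if votes * 2 > self.k else 0

    def predict(self, rows):
        return [self.predict_one(r) for r in rows]


def accuracy(model, rows, labels):
    return sum(p == y for p, y in zip(model.predict(rows), labels)) / len(labels)


def permutation_importance(model, rows, labels, rng, n_repeats=10):
    """Accuracy drop when one feature column is shuffled across flows, averaged
    over n_repeats shuffles. A larger drop means the model leans on that feature."""
    base = accuracy(model, rows, labels)
    scores = {}
    for j, name in enumerate(FEATURES):
        drops = []
        for _ in range(n_repeats):
            col = [r[j] for r in rows]
            rng.shuffle(col)  # break the link between this feature and the label
            shuffled = [r[:j] + [v] + r[j + 1:] for r, v in zip(rows, col)]
            drops.append(base - accuracy(model, shuffled, labels))
        scores[name] = sum(drops) / n_repeats
    return base, scores


def counterfactual_idlemax(model, flow, step=1_000.0):
    """Counterfactual along one axis: the largest IdleMax (searched downward in
    `step` ms) at which a Tor prediction becomes non-Tor, other features fixed.
    Returns None if the flow is not predicted Tor or the label never flips."""
    if model.predict_one(flow) != 1:
        return None
    j = FEATURES.index("IdleMax")
    value = flow[j]
    while value > 0:
        value -= step
        cand = flow[:j] + [max(value, 0.0)] + flow[j + 1:]
        if model.predict_one(cand) == 0:
            return cand[j]
    return None


def run(seed=0):
    rng = random.Random(seed)
    rows, labels = make_flows(rng)
    idx = list(range(len(rows)))
    rng.shuffle(idx)
    train, test = idx[:140], idx[140:]  # simple hold-out split
    model = KNN(k=5).fit([rows[i] for i in train], [labels[i] for i in train])
    base, scores = permutation_importance(
        model, [rows[i] for i in test], [labels[i] for i in test], rng)
    cf = counterfactual_idlemax(model, [TCP, 44321, 90_000.0])  # constructed query flow
    return base, scores, cf


if __name__ == "__main__":
    base, scores, cf = run()
    print(f"baseline accuracy: {base:.2f}")
    for name, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"  {name:<10} importance {s:+.3f}")
    print(f"counterfactual: IdleMax must drop to about {cf:.0f} ms to flip Tor -> non-Tor")
```

Permutation importance is model-agnostic, which is why it can be applied to any of the classifiers a study like this trains: it only needs predictions, not gradients or tree structure. The counterfactual search here is deliberately one-dimensional; a full counterfactual explainer would search all features jointly and weight the change by how plausible the resulting flow is.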
Journal description:
Journal of Network and Systems Management features peer-reviewed original research, as well as case studies, in the fields of network and system management. The journal regularly disseminates significant new information on both the telecommunications and computing aspects of these fields, as well as on their evolution and emerging integration. This quarterly covers architecture, analysis, design, software, standards, and migration issues related to the operation, management, and control of distributed systems and communication networks for voice, data, video, and networked computing.