XAITrafficIntell: Interpretable Cyber Threat Intelligence for Darknet Traffic Analysis

Impact Factor 4.1 | CAS Region 3 (Computer Science) | JCR Q1, COMPUTER SCIENCE, INFORMATION SYSTEMS
Dincy R. Arikkat, P. Vinod, K. A. Rafidha Rehiman, Rabeeba Abdul Rasheed, Mauro Conti
Journal: Journal of Network and Systems Management (Journal Article)
Published: 2024-09-05
DOI: 10.1007/s10922-024-09842-8 (https://doi.org/10.1007/s10922-024-09842-8)
Open access: no
Citations: 0

Abstract

Network traffic analysis is essential for enhancing network security and management. Integrating Machine Learning and Explainable Artificial Intelligence (XAI) offers a promising avenue for exploring darknet traffic. XAI's integration into security domains paves the way to enriching our understanding of network traffic patterns and extracting valuable insights for security purposes. This investigation delves into the intricacies of darknet traffic classification by analyzing the datasets ISCXTor2016 and CIC-Darknet2020. By employing XAI techniques, we identify the most crucial features for accurate network traffic categorization. We conduct an in-depth analysis of darknet traffic models by utilizing explainable tools such as SHAP, LIME, Permutation Importance, and Counterfactual Explanations. Our experimental results highlight Protocol as the crucial factor in the ISCXTor2016 traffic classification, Source Port in the ISCXTor2016 application identification, and IdleMax in the CIC-Darknet2020 traffic classification. Additionally, our analysis encompassed the extraction of Cyber Threat Intelligence from the IP addresses within the network traffic. We explored the prevalent malware types and discerned specific targeted countries. Furthermore, a comprehensive exploration was conducted on the sophisticated attack techniques employed by adversaries. Our analysis identified T1071 as a frequently employed attack technique in which adversaries utilize OSI application layer protocols to communicate, strategically evading detection and network filtering measures.

Source journal metrics

CiteScore: 7.60
Self-citation rate: 16.70%
Articles published: 65
Review time: >12 weeks
Journal description: Journal of Network and Systems Management features peer-reviewed original research, as well as case studies, in the fields of network and system management. The journal regularly disseminates significant new information on both the telecommunications and computing aspects of these fields, as well as their evolution and emerging integration. This quarterly covers architecture, analysis, design, software, standards, and migration issues related to the operation, management, and control of distributed systems and communication networks for voice, data, video, and networked computing.