Enhanced detection of obfuscated HTTPS tunnel traffic using heterogeneous information network

IF 4.4 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Computer Networks Pub Date : 2025-02-01 DOI:10.1016/j.comnet.2024.110975

Mengyan Liu, Gaopeng Gou, Gang Xiong, Junzheng Shi, Zhong Guan, Hanwen Miao, Yang Li

{"title":"Enhanced detection of obfuscated HTTPS tunnel traffic using heterogeneous information network","authors":"Mengyan Liu, Gaopeng Gou, Gang Xiong, Junzheng Shi, Zhong Guan, Hanwen Miao, Yang Li","doi":"10.1016/j.comnet.2024.110975","DOIUrl":null,"url":null,"abstract":"<div><div>HTTPS tunnel-based VPN services are increasingly used for malicious activities, such as remote control and data exfiltration. As detection mechanisms improve, some adversaries employ obfuscation techniques to evade detection. However, existing research mainly focuses on identifying HTTPS tunnel traffic and lacks specific studies on obfuscated traffic. In this paper, we propose HINT, a novel method that transforms HTTPS tunnel traffic detection into a graph node classification problem. Specifically, we construct a heterogeneous information graph to model the connections between clients and the VPN services. To enrich the graph’s semantics, we incorporate distinctive characteristics that are challenging to disguise and encapsulate them into specialized fingerprint nodes. Then we apply a hierarchical attention mechanism to automatically discern the significance of different nodes. Experimental results and extended analysis reveal that by integrating host topology, service statistics, and client traffic features, HINT maintains robust classification power when traffic shaping and padding techniques are employed. It is particularly effective without relying on packet sequences or payload information and maintains high detection capability even with added network noise.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"257 ","pages":"Article 110975"},"PeriodicalIF":4.4000,"publicationDate":"2025-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1389128624008077","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

HTTPS tunnel-based VPN services are increasingly used for malicious activities, such as remote control and data exfiltration. As detection mechanisms improve, some adversaries employ obfuscation techniques to evade detection. However, existing research mainly focuses on identifying HTTPS tunnel traffic and lacks specific studies on obfuscated traffic. In this paper, we propose HINT, a novel method that transforms HTTPS tunnel traffic detection into a graph node classification problem. Specifically, we construct a heterogeneous information graph to model the connections between clients and the VPN services. To enrich the graph’s semantics, we incorporate distinctive characteristics that are challenging to disguise and encapsulate them into specialized fingerprint nodes. Then we apply a hierarchical attention mechanism to automatically discern the significance of different nodes. Experimental results and extended analysis reveal that by integrating host topology, service statistics, and client traffic features, HINT maintains robust classification power when traffic shaping and padding techniques are employed. It is particularly effective without relying on packet sequences or payload information and maintains high detection capability even with added network noise.

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Networks 工程技术-电信学

CiteScore

10.80

自引率

3.60%

发文量

434

审稿时长

8.6 months

期刊介绍： Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.