Title: Adapting to the Evolution: Enhancing Intrusion Detection Through Machine Learning in the QUIC Protocol Era
Authors: Adam Kadi; Lyes Khoukhi; Jouni Viinikka; Pierre-Edouard Fabre
Journal: IEEE Transactions on Network and Service Management, vol. 22, no. 2, pp. 1929-1944 (Journal Article, JCR Q1, Computer Science, Information Systems)
DOI: 10.1109/TNSM.2025.3540753
Publication date: 2025-02-21
URL: https://ieeexplore.ieee.org/document/10899873/
Citation count: 0
Abstract
The advent of the QUIC protocol may herald a significant shift in the composition of online traffic in the years to come. The transport layer encryption of the QUIC protocol is one of its main evolutions, especially for metadata that was previously transmitted over TCP traffic without encryption. This new protocol has the potential to require significant alterations in future Internet traffic analysis methods and to impact network intrusion detection. On the other hand, machine learning has been used in several research projects to identify network intrusions, with positive outcomes. However, we must take into account the new evolution of network traffic. In this paper, we propose a new approach that employs supervised machine learning algorithms to identify flows generated by bots interacting with a Web server during a DDoS attack, focusing on the challenges posed by the QUIC protocol and its implications for effective intrusion detection and cybersecurity. Our contribution in this work is divided into three main parts: 1) a guided process with a model architecture for emulating and collecting traffic that depicts a range of situations our system may encounter; 2) an analysis module that consists of the creation of two labeled datasets, where observations represent the traffic flows detected in PCAP files. We studied the relevance of different features for these datasets, contributing to a thorough understanding of the quality of the data used; 3) a real-world experimentation for evaluating the effectiveness of several supervised machine learning algorithms on our datasets. This experimentation allows us to determine which algorithm provides the best prediction results.
Journal description:
IEEE Transactions on Network and Service Management will publish (online only) peer-reviewed archival quality papers that advance the state of the art and practical applications of network and service management. Theoretical research contributions (presenting new concepts and techniques) and applied contributions (reporting on experiences and experiments with actual systems) will be encouraged. These transactions will focus on the key technical issues related to: Management Models, Architectures and Frameworks; Service Provisioning, Reliability and Quality Assurance; Management Functions; Enabling Technologies; Information and Communication Models; Policies; Applications and Case Studies; Emerging Technologies and Standards.