{"title":"HyperEye: A Lightweight Features Fusion Model for Unknown Encrypted Malware Traffic Detection","authors":"Xiaodong Zang;Zilong Zheng;Haosheng Zheng;Xuan Liu;Muhammad Khurram Khan;Weiwei Jiang","doi":"10.1109/TCE.2025.3558353","DOIUrl":null,"url":null,"abstract":"Recently, effectively identifying encrypted malicious traffic without decryption in consumer applications relies heavily on high-quality labeled traffic datasets. However, this harms models for incorrect labeling and requires more efficient real-time identification of encrypted unknown ones. This paper proposes HyperEye, a real-time, unsupervised, encrypted malicious traffic detection system. It can detect unknown traffic patterns by analyzing the fused traffic features in-depth. Precisely, we extract protocol-agnostic numerical and protocol-specific text features and devise a cross-term fusion algorithm to obtain a comprehensive traffic behavior description. We designed a genetic algorithm-based DBSCAN (GA-DBSCAN) parameter optimization algorithm to enhance the quality and stability in identifying malicious traffic. Extensive experimental results with open-world and real-world datasets demonstrate that our work outperforms other state-of-the-art malware detection systems, achieving an average 11.95% improvement in the F1-score. Besides, experimental results with the real-world dataset demonstrate that our system applies to the dynamic nature of consumer applications and can safeguard users’ data and privacy.","PeriodicalId":13208,"journal":{"name":"IEEE Transactions on Consumer Electronics","volume":"71 2","pages":"5079-5089"},"PeriodicalIF":10.9000,"publicationDate":"2025-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Consumer Electronics","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10950437/","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"ENGINEERING, ELECTRICAL & ELECTRONIC","Score":null,"Total":0}
Citations: 0
Abstract
Recently, effectively identifying encrypted malicious traffic without decryption in consumer applications has relied heavily on high-quality labeled traffic datasets. However, incorrect labeling harms such models, and unknown encrypted traffic requires more efficient real-time identification. This paper proposes HyperEye, a real-time, unsupervised, encrypted malicious traffic detection system. It can detect unknown traffic patterns by analyzing fused traffic features in depth. Precisely, we extract protocol-agnostic numerical features and protocol-specific text features and devise a cross-term fusion algorithm to obtain a comprehensive description of traffic behavior. We designed a genetic algorithm-based DBSCAN (GA-DBSCAN) parameter optimization algorithm to enhance the quality and stability of malicious traffic identification. Extensive experimental results with open-world and real-world datasets demonstrate that our work outperforms other state-of-the-art malware detection systems, achieving an average 11.95% improvement in the F1-score. Besides, experimental results with the real-world dataset demonstrate that our system adapts to the dynamic nature of consumer applications and can safeguard users’ data and privacy.
Journal description:
The main focus for the IEEE Transactions on Consumer Electronics is the engineering and research aspects of the theory, design, construction, manufacture or end use of mass market electronics, systems, software and services for consumers.