Title: EMTD: Efficient encrypted malware traffic detection based on adaptive meta-path guided graph propagation
Authors: Fanyi Zeng, Dapeng Man, Yuhao Zhao, Yuchen Liu, Huanran Wang, Wu Yang
DOI: 10.1016/j.comnet.2025.111636
Journal: Computer Networks, volume 271, Article 111636
Publication date: 2025-08-22
Publication type: Journal Article
Open access: no
Article URL: https://www.sciencedirect.com/science/article/pii/S1389128625006036
Journal impact factor: 4.6; JCR quartile: Q1 (Computer Science, Hardware & Architecture); region category: Computer Science (rank 2)
Source platform: Semantic Scholar
Citations: 0
Abstract
Given the growing challenges posed by encrypted Android malware, developing effective detection methods is crucial to understanding the evolution of malware families and designing preventive security measures. Existing detection methods for encrypted malware traffic primarily focus on extracting features at the single-flow level and multi-flow context level, failing to capture the evolutionary associations within known malware families and their previously unseen variants, which compromises detection effectiveness. Graph-based modeling methods have advantages in expressing traffic association features, but scalability issues present new challenges for detection timeliness. To address these limitations, we propose a novel two-stage detection framework named Encrypted Malware Traffic Detection (EMTD). In the first phase, our method MFGDect models encrypted traffic as a heterogeneous information network and applies a multilayer heterogeneous attention mechanism to learn semantic associations among traffic flows. This enables adaptive family-aware representation and improves detection performance under encryption. Furthermore, we design MFGDect++, an extension of our base model that introduces adaptive meta-path guided graph propagation, enabling efficient incremental detection of new traffic samples without re-graphing or model retraining. This mechanism significantly reduces the average detection time to 135 ms per sample, demonstrating strong scalability. Experiments on public datasets demonstrate that EMTD outperforms existing baselines, achieving an average improvement of 9.62% in malicious sample recall and a 2.32% increase in F1 score, while maintaining low resource overheads and strong adaptability to large-scale graph data.
About the journal:
Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.