Authors: Michael J. De Lucia, Chase Cotton
Venue: MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM)
Publication date: 2019-11-01
DOI: 10.1109/MILCOM47813.2019.9020856 (https://doi.org/10.1109/MILCOM47813.2019.9020856)
Citation count (Semantic Scholar): 22
Open access: no
Detection of Encrypted Malicious Network Traffic using Machine Learning
The proliferation of encrypted network traffic necessitates an innovative machine learning traffic analysis approach which does not rely on pattern matching or the payload content of the packets to detect malicious/suspicious communications. Encryption of Internet traffic has increasingly become a typical best practice, making network packet content analysis yield diminishing returns. A majority of Internet traffic is now protected using the cryptographic protocol known as Transport Layer Security (TLS). Malware authors have also followed this trend with the use of TLS to hide malicious network communications. We propose a malicious communication detection mechanism using a Support Vector Machine (SVM) and an alternative with a Convolutional Neural Network (CNN). Both methods achieve respectable results and a low False Positive Rate (FPR). However, the SVM method outperforms the CNN method in all evaluation metrics presented. Lastly, we propose future work to experiment with transport layer size and direction as features and to automate feature engineering by using raw packet traffic with a CNN augmented with a Long Short-Term Memory (LSTM) for detection of malicious traffic.