Flow Context and Host Behavior Based Shadowsocks’s Traffic Identification

Zeng, Xuemei; Chen, Xingshu; Shao, Guolin; He, Tao; Han, Zhenhui; Wen, Yi; Wang, Qixu

doi:10.1109/access.2019.2907149

Cited by 25 publications

(13 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Deep packet inspection (DPI) [17,18] and deep flow inspection (DFI) [19] implement analysis on packets or flows through frequent item-mining and pattern-matching methods, but it is difficult to establish matching rules for encrypted traffic. The behavior detection method [20][21][22][23][24] achieves high identification accuracy of encrypted traffic only for some special applications or protocols. The methods based on statistical features currently show relatively good performance for encrypted traffic classification, and machine learning (ML) is the most popular and effective one among them.…”

Section: Related Workmentioning

confidence: 99%

Improved KNN Algorithm for Fine-Grained Classification of Encrypted Network Flow

Cao

2020

Electronics

View full text Add to dashboard Cite

The fine-grained classification of encrypted traffic is important for network security analysis. Malicious attacks are usually encrypted and simulated as normal application or content traffic. Supervised machine learning methods are widely used for traffic classification and show good performances. However, they need a large amount of labeled data to train a model, while labeled data is hard to obtain. Aiming at solving this problem, this paper proposes a method to train a model based on the K-nearest neighbor (KNN) algorithm, which only needs a small amount of data. Due to the fact that the importance of different traffic features varies, and traditional KNN does not highlight the importance of different features, this study introduces the concept of feature weight and proposes the weighted feature KNN (WKNN) algorithm. Furthermore, to obtain the optimal feature set and the corresponding feature weight set, a feature selection and feature weight self-adaptive algorithm for WKNN is proposed. In addition, a three-layer classification framework for encrypted network flows is established. Based on the improved KNN and the framework, this study finally presents a method for fine-grained classification of encrypted network flows, which can identify the encryption status, application type and content type of encrypted network flows with high accuracies of 99.3%, 92.4%, and 97.0%, respectively.

show abstract

Section: Related Workmentioning

confidence: 99%

Improved KNN Algorithm for Fine-Grained Classification of Encrypted Network Flow

Cao

2020

Electronics

View full text Add to dashboard Cite

show abstract

“…Multiple flow-based features usually represent those that are extracted from multiple flows produced in a sliding time window. In a study on the identification of proxy application traffic based on the characteristic of flow bursts in a short time window [18], these features were designed to include the number of flow bursts, the maximum flow burst lengths, and the sum of all flow burst lengths. To detect network intrusion behaviors, Patil [19] not only applied single flowbased features but also added some multiple flow-based features, such as the number of flows with the same source IP address, and the number of flows with the same destination IP address.…”

Section: Single Flow-based and Multiple Flow-based Featurementioning

confidence: 99%

“…To verify this method, we collected all the network traffic based on the TLS protocol generated from July 1, 2019, to July 15, 2019. We collected a total of 1,655,498 TLS flows containing 18,357 TLS communication channels (18,357 unique destination IP addresses). In the experiment, we mined the benign TLS channels from the abovementioned 18,357 communication channels.…”

Section: Security and Communication Networkmentioning

confidence: 99%

Preprocessing Method for Encrypted Traffic Based on Semisupervised Clustering

Zheng

Liu

Niu

et al. 2020

Security and Communication Networks

View full text Add to dashboard Cite

The explosive growth in network traffic in recent times has resulted in increased processing pressure on network intrusion detection systems. In addition, there is a lack of reliable methods for preprocessing network traffic generated by benign applications that do not steal users’ data from their devices. To alleviate these problems, this study analyzed the differences between benign and malicious traffic produced by benign applications and malware, respectively. To fully express these differences, this study proposed a new set of statistical features for training a clustering model. Furthermore, to mine the communication channels generated by benign applications in batches, a semisupervised clustering method was adopted. Using a small number of labeled samples, our method aggregated historical network traffic into two types of clusters. The cluster that did not contain labeled malicious samples was regarded as a benign traffic cluster. The experimental results were compared using four types of clustering algorithms. The density-based spatial clustering of applications with noise (DBSCAN) clustering algorithm was selected to mine benign communication channels. We also compared our method with two other methods, and the results demonstrated that the benign channels mined through our method were more reliable. Finally, using our method, 1,811 benign transport layer security (TLS) channels were mined from 18,357 TLS communication channels. The number of flows carried by these benign channels comprised 65.37% of the entire network flows, and no malicious flow was included in our results, which proves the effectiveness of our method.

show abstract

“…They have verified that it is remarkably effective to apply machine learning to traffic detection. Zeng et al [5] have presented a Shadowsocks detection method based on flow context and host behavior. The detection model with a detection rate achieving 93.43% is built by extracting 12-dimensional features from three aspects: the relationship between flows, host's stream behaviors, and host's DNS behaviors.…”

Section: Detection For Different Anonymous Communication Softwarementioning

confidence: 99%

“…The best current performing machine learning algorithm for detecting Shadowsocks is the Random Forest algorithm. The accuracy of its detection based on network layer features using random forest algorithm has reached 85% [4], and the accuracy of the features based on flow context and host behavior has achieved 93.43%, whose method is more suitable for large-scale network environment [5].…”

Section: Introductionmentioning

confidence: 99%

ACER: detecting Shadowsocks server based on active probe technology

Jia-xing

Liu

Huang

et al. 2020

J Comput Virol Hack Tech

View full text Add to dashboard Cite

Anonymous server is created for hiding the information of hosts when they are surfing the Internet, such as Tor, Shadowsocks, etc. It is quite difficult to identify these servers, which provides potential criminals with opportunities to commit crime. Also, hackers can make use of these servers to threaten public network security, such as DDoS and Phishing attacks. Hence, the study of identifying these servers is pretty crucial. Current works on detecting Shadowsocks servers are mostly based on the features of servers' data stream combined with machine learning. However, they are passive methods because they can only be established when the servers are in connection state. Therefore, we propose a new system named ACER, which AC means active and ER means expert, to detect these servers. Besides, we introduce XGBoost algorithm to process the data stream to optimize the detection. The method can recognize more Shadowsocks servers actively instead of monitoring the communication tunnel passively to identify the servers. The experiment result has achieved an accuracy of 94.63% by taking proposed framework and 1.20% more accurate than other existing solutions. We hope to provide a novel solution for those who are conducting research in this area, and provide a detection scheme for network censors to block illegal servers at the same time.

show abstract

Flow Context and Host Behavior Based Shadowsocks’s Traffic Identification

Cited by 25 publications

References 39 publications

Improved KNN Algorithm for Fine-Grained Classification of Encrypted Network Flow

Improved KNN Algorithm for Fine-Grained Classification of Encrypted Network Flow

Preprocessing Method for Encrypted Traffic Based on Semisupervised Clustering

ACER: detecting Shadowsocks server based on active probe technology

Contact Info

Product

Resources

About