Anomaly Detection in Imbalanced Encrypted Traffic with Few Packet Metadata-Based Feature Extraction
Author affiliations: Department of Financial Information Security, Kookmin University, Seoul 02707, Republic of Korea; Department of Information Security, Cryptography, Mathematics, Kookmin University, Seoul 02707, Republic of Korea
Publication: Computer Modeling in Engineering & Sciences
Year/Volume/Issue: 2024, Vol. 141, No. 10
Pages: 585-607
Subject classification: 0809 [Engineering - Electronic Science and Technology (eligible for engineering or science degrees)]; 08 [Engineering]; 0701 [Science - Mathematics]
Funding: Supported by an Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. RS-2023-00235509, Development of Security Monitoring Technology Based Network Behavior against Encrypted Cyber Threats in ICT Convergence Environment)
Keywords: One-class anomaly detection; feature extraction; auto-encoder; encrypted traffic; CICIoT2023
Abstract: In the IoT (Internet of Things) domain, the increased use of encryption protocols such as SSL/TLS, VPN (Virtual Private Network), and Tor has led to a rise in attacks leveraging encrypted traffic. While research on anomaly detection using AI (Artificial Intelligence) is actively progressing, the encrypted nature of the data poses challenges for labeling, resulting in data imbalance and biased feature extraction toward specific nodes. This study proposes a reconstruction error-based anomaly detection method using an autoencoder (AE) that utilizes packet metadata excluding specific node information. The proposed method omits biased packet metadata such as IP and Port and trains the detection model using only normal data, leveraging a small amount of packet metadata. This makes it well-suited for direct application in IoT environments due to its low resource requirements. In experiments comparing feature extraction methods for AE-based anomaly detection, we found that using flow-based features significantly improves accuracy, precision, F1 score, and AUC (Area Under the Receiver Operating Characteristic Curve) score compared to packet-based features. Additionally, for flow-based features, the proposed method showed a 30.17% increase in F1 score and improved false positive rates compared to Isolation Forest and [...]. The proposed method also demonstrated a 32.43% higher AUC when using packet features and a 111.39% higher AUC when using flow features, compared to previously proposed oversampling methods. This study highlights the impact of feature extraction methods on attack detection in imbalanced, encrypted traffic environments and emphasizes that the one-class method using AE is more effective for attack detection and reducing false positives compared to traditional oversampling methods.