Anomaly Detection in Imbalanced Encrypted Traffic with Few Packet Metadata-Based Feature Extraction

Authors: Min-Gyu Kim, Hwankuk Kim

Author affiliations: Department of Financial Information Security, Kookmin University, Seoul 02707, Republic of Korea; Department of Information Security Cryptography Mathematics, Kookmin University, Seoul 02707, Republic of Korea

Publication: Computer Modeling in Engineering & Sciences (in English)

Year, volume, issue: 2024, Vol. 141, No. 10

Pages: 585-607

Subject classification: 0809 [Engineering - Electronic Science and Technology (Engineering or Science degrees may be awarded)]; 08 [Engineering]; 0701 [Science - Mathematics]

Funding: supported by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. RS-2023-00235509, Development of Security Monitoring Technology Based Network Behavior against Encrypted Cyber Threats in ICT Convergence Environment)

Subject: One-class anomaly detection; feature extraction; auto-encoder; encrypted traffic; CICIoT2023

Abstract: In the IoT (Internet of Things) domain, the increased use of encryption protocols such as SSL/TLS, VPN (Virtual Private Network), and Tor has led to a rise in attacks leveraging encrypted *** research on anomaly detection using AI (Artificial Intelligence) is actively progressing, the encrypted nature of the data poses challenges for labeling, resulting in data imbalance and biased feature extraction toward specific *** study proposes a reconstruction error-based anomaly detection method using an autoencoder (AE) that utilizes packet metadata excluding specific node *** proposed method omits biased packet metadata such as IP and Port and trains the detection model using only normal data, leveraging a small amount of packet *** makes it well-suited for direct application in IoT environments due to its low resource *** experiments comparing feature extraction methods for AE-based anomaly detection, we found that using flow-based features significantly improves accuracy, precision, F1 score, and AUC (Area Under the Receiver Operating Characteristic Curve) score compared to packet-based ***, for flow-based features, the proposed method showed a 30.17% increase in F1 score and improved false positive rates compared to Isolation Forest and ***, the proposed method demonstrated a 32.43% higher AUC when using packet features and a 111.39% higher AUC when using flow features, compared to previously proposed oversampling *** study highlights the impact of feature extraction methods on attack detection in imbalanced, encrypted traffic environments and emphasizes that the one-class method using AE is more effective for attack detection and reducing false positives compared to traditional oversampling methods.
