TY - GEN
T1 - Light-weight Unsupervised Anomaly Detection for Encrypted Malware Traffic
AU - Han, Shangbin
AU - Wu, Qianhong
AU - Zhang, Han
AU - Qin, Bo
N1 - Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - Users and businesses on the network frequently suffer from malware attacks such as privacy breaches. While encrypted traffic protects users and businesses, it also makes it convenient for attackers to evade detection. Existing anomaly detection systems use supervised learning with high-dimensional features and rely on experts for labeling. However, our exploration reveals that high-dimensional features reduce the efficiency of the classification model. Moreover, training such models requires abundant high-quality labels, which are difficult to obtain in practice. Facing these challenges, in this paper we propose an unsupervised anomaly detection method that adopts a three-layer autoencoder for feature compression, to improve model running efficiency, and employs the classical K-means algorithm to achieve unsupervised classification. When training the autoencoder, we use only normal encrypted traffic. We compare the performance of our method against state-of-the-art anomaly detection algorithms on an open encrypted malware traffic data set. The results demonstrate that our method achieves an F1-measure of 0.95, which is competitive with supervised learning algorithms.
KW - Anomaly detection
KW - Encrypted malware traffic
KW - Unsupervised learning
UR - https://www.scopus.com/pages/publications/85141403105
U2 - 10.1109/DSC55868.2022.00034
DO - 10.1109/DSC55868.2022.00034
M3 - Conference contribution
AN - SCOPUS:85141403105
T3 - Proceedings - 2022 7th IEEE International Conference on Data Science in Cyberspace, DSC 2022
SP - 206
EP - 213
BT - Proceedings - 2022 7th IEEE International Conference on Data Science in Cyberspace, DSC 2022
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 7th IEEE International Conference on Data Science in Cyberspace, DSC 2022
Y2 - 11 July 2022 through 13 July 2022
ER -
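The pipeline the abstract describes (a three-layer autoencoder trained on normal encrypted traffic only, then K-means on the compressed codes), as an added worked example that is not the paper's code. The six flow features, the two cluster centres, the linear autoencoder with no biases, the farthest-point K-means initialisation and the rule that labels the cluster farther from the normal-traffic centroid as malicious are all assumptions made here; the flows are constructed, not captured traffic, and the paper's actual features, layer sizes and data set are not on this page.

```python
"""Added example, not the paper's code: linear three-layer autoencoder
(input -> 2-unit code -> reconstruction) fitted on normal flows only,
then K-means (k=2) on the codes. All inputs are constructed."""
import random

# Hypothetical per-flow features, assumed already scaled to [0, 1].
FEATURE_NAMES = ["duration", "bytes_up", "bytes_down", "pkt_count",
                 "tls_version", "sni_entropy"]
# Constructed cluster centres (assumptions, not measured traffic).
NORMAL_CENTRE = [0.2, 0.3, 0.6, 0.3, 0.9, 0.4]
MALWARE_CENTRE = [0.9, 0.8, 0.1, 0.9, 0.2, 0.9]


def make_flows(centre, n, rng, jitter=0.05):
    """Sample n constructed feature vectors around a centre with uniform jitter."""
    return [[c + rng.uniform(-jitter, jitter) for c in centre] for _ in range(n)]


def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def dist2(a, b):
    return sum((p - q) ** 2 for p, q in zip(a, b))


class LinearAutoencoder:
    """Encoder (code_dim x dim) and decoder (dim x code_dim), no biases,
    trained by per-sample SGD on squared reconstruction error."""

    def __init__(self, dim, code_dim, rng):
        self.enc = [[rng.uniform(-0.1, 0.1) for _ in range(dim)] for _ in range(code_dim)]
        self.dec = [[rng.uniform(-0.1, 0.1) for _ in range(code_dim)] for _ in range(dim)]

    def encode(self, x):
        return matvec(self.enc, x)

    def recon_error(self, x):
        return dist2(matvec(self.dec, self.encode(x)), x)

    def fit(self, xs, epochs=300, lr=0.01):
        for _ in range(epochs):
            for x in xs:
                h = self.encode(x)
                err = [r - a for r, a in zip(matvec(self.dec, h), x)]
                # Gradient of 0.5*||err||^2: decoder gets err*h, encoder gets (dec^T err)*x.
                dh = [sum(self.dec[i][j] * err[i] for i in range(len(err))) for j in range(len(h))]
                for i in range(len(self.dec)):
                    for j in range(len(h)):
                        self.dec[i][j] -= lr * err[i] * h[j]
                for j in range(len(self.enc)):
                    for d in range(len(x)):
                        self.enc[j][d] -= lr * dh[j] * x[d]
        return self


def kmeans(points, k, iters=50):
    """Lloyd's K-means; deterministic farthest-point initialisation (an assumption)."""
    centres = [points[0]]
    while len(centres) < k:
        centres.append(max(points, key=lambda p: min(dist2(p, c) for c in centres)))
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: dist2(p, centres[j])) for p in points]
        new = []
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            new.append([sum(col) / len(members) for col in zip(*members)] if members else centres[j])
        if new == centres:
            break
        centres = new
    return labels, centres


def detect(train_normal, test_flows, seed=7):
    """Train on normal flows only, compress the test flows, cluster the codes.
    The cluster whose centre is farther from the mean code of the normal
    training flows is labelled malicious (assumed rule). Returns (pred, ae)."""
    ae = LinearAutoencoder(len(train_normal[0]), 2, random.Random(seed)).fit(train_normal)
    labels, centres = kmeans([ae.encode(x) for x in test_flows], 2)
    normal_codes = [ae.encode(x) for x in train_normal]
    baseline = [sum(col) / len(normal_codes) for col in zip(*normal_codes)]
    malicious = max(range(2), key=lambda j: dist2(centres[j], baseline))
    return [int(lab == malicious) for lab in labels], ae


def f1_score(pred, truth):
    tp = sum(p and t for p, t in zip(pred, truth))
    fp = sum(p and not t for p, t in zip(pred, truth))
    fn = sum(t and not p for p, t in zip(pred, truth))
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0


def run_demo(seed=7):
    rng = random.Random(seed)
    train_normal = make_flows(NORMAL_CENTRE, 80, rng)      # autoencoder sees normal only
    test = make_flows(NORMAL_CENTRE, 40, rng) + make_flows(MALWARE_CENTRE, 10, rng)
    truth = [0] * 40 + [1] * 10
    pred, ae = detect(train_normal, test, seed)
    return {"f1": f1_score(pred, truth),
            "recon_normal": sum(ae.recon_error(x) for x in test[:40]) / 40,
            "recon_malware": sum(ae.recon_error(x) for x in test[40:]) / 10}


if __name__ == "__main__":
    print(run_demo())
```

The constructed clusters are far apart, so this demo scores much higher than the 0.95 F1 the paper reports on real data; its point is the shape of the pipeline, not the number. Two practitioner caveats follow from the code: the F1 depends entirely on the rule that decides which K-means cluster is "malicious" (here, distance from the normal-training centroid), and the reconstruction error the autoencoder produces is itself a usable anomaly score that does not need the clustering step at all.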