Intrusion Detection System model.


Source publication
Conference Paper
Intrusion detection has attracted considerable interest from researchers and industry. After many years of research, the community still faces the problem of building reliable and efficient intrusion detection systems (IDS) capable of handling large quantities of data with changing patterns in real-time situations. The Tor network is popular in...

Context in source publication

Context 1
... detection system is a software application or a device placed at strategic points on a network to monitor and detect anomalies in network traffic [1][2], as shown in Fig. 1. The main function of an IDS is to raise an alarm when an anomaly is detected. A complementary approach is to take corrective measures when anomalies are detected; such an approach is referred to as an Intrusion Prevention System (IPS) [3]. Based on the interactivity property of an IDS, it can be designed to work either on-line or off- ...

Similar publications

Article
Intrusion detection has attracted considerable interest from researchers and industry. After many years of research, the community still faces the problem of building reliable and efficient intrusion detection systems (IDS) capable of handling large quantities of data with changing patterns in real-time situations. The Tor network is popular in pr...

Citations

... These attributes are sometimes referred to as features. The dataset pertaining to the UNB-CIC Tor Network Traffic comprises a comprehensive set of 28 distinct features [72]. ...
Article
The primary objective of an anonymity tool is to protect the anonymity of its users through the implementation of strong encryption and obfuscation techniques. As a result, it becomes very difficult to monitor and identify users’ activities on these networks. Moreover, such systems have strong defensive mechanisms to protect users against potential risks, including the extraction of traffic characteristics and website fingerprinting. However, the strong anonymity feature also functions as a refuge for those involved in illicit activities who aim to avoid being traced on the network. As a result, a substantial body of research has been undertaken to examine and classify encrypted traffic using machine-learning techniques. This paper presents a comprehensive examination of the existing approaches utilized for the categorization of anonymous traffic as well as encrypted network traffic inside the darknet. Also, this paper presents a comprehensive analysis of methods of darknet traffic using ML (machine learning) techniques to monitor and identify the traffic attacks inside the darknet.
... Hodo et al. [12] pursued different objectives aimed at improving the efficiency of the Tor network by identifying anomalous or nonTor traffic that could compromise users' privacy. They utilised a learning system to establish a regular traffic profile and detected deviations from this profile as outlier traffic. ...
Article
Tor, a network offering Internet anonymity, presented both positive and potentially malicious applications, leading to the need for efficient Tor traffic monitoring. While most current traffic classification methods rely on flow-based features, these can be unreliable due to factors like asymmetric routing, and the use of multiple packets for feature computation can lead to processing delays. Recognising the multi-layered encryption of Tor compared to nonTor encrypted payloads, our study explored distinct patterns in their encrypted data. We introduced a novel method using Deep Packet Inspection and machine learning to differentiate between Tor and nonTor traffic based solely on encrypted payload. In our first strand of research, we investigated hex character analysis of the Tor and nonTor encrypted payloads through statistical testing across 8 groups of application types. Remarkably, our investigation revealed a significant differentiation rate of 94.53% between Tor and nonTor traffic. In the second strand of our research, we aimed to distinguish Tor and nonTor traffic using machine learning, based on encrypted payload features. This proposed feature-based approach proved effective, as evidenced by our classification performance, which attained an average accuracy rate of 95.65% across these 8 groups of applications. Thereby, this study contributes to the efficient classification of Tor and nonTor traffic through features derived solely from a single encrypted payload packet, independent of its position in the traffic flow.
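The Context excerpt above distinguishes an IDS (raise an alarm) from an IPS (take corrective action) and on-line from off-line operation, and the Hodo et al. excerpt describes learning a profile of regular traffic and treating deviations from it as outliers. The following is an added example, not code from Hodo et al. or from any project cited on this page, that ties those four ideas together: the flow features, the per-feature z-score profile, the threshold of 3.0 and all sample flows are assumptions chosen for illustration.

```python
"""Anomaly-based IDS/IPS over flow records: learn a profile of normal
traffic, flag deviations, and either alert (IDS) or block (IPS).

Added example, not code from Hodo et al. or any project cited on this page.
The feature set, the z-score profile, the threshold of 3.0 and every sample
flow below are assumptions chosen for illustration.
"""
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

Flow = Dict[str, float]

# Flow-level statistics of the kind used for Tor/nonTor classification (assumed names).
FEATURES = ("duration_s", "fwd_pkts", "bwd_pkts", "mean_iat_ms", "bytes_per_s")


def _flow(d: float, f: int, b: int, iat: float, bps: float) -> Flow:
    return dict(zip(FEATURES, (d, f, b, iat, bps)))


# Constructed "normal" flows used to build the baseline profile (not measurements).
NORMAL_FLOWS: List[Flow] = [
    _flow(10.0, 38, 35, 280.0, 4800.0),
    _flow(11.0, 40, 37, 300.0, 5000.0),
    _flow(12.0, 42, 39, 320.0, 5200.0),
    _flow(13.0, 44, 41, 340.0, 5400.0),
    _flow(14.0, 36, 33, 260.0, 4600.0),
    _flow(12.0, 40, 37, 300.0, 5000.0),
    _flow(11.0, 41, 38, 310.0, 5100.0),
    _flow(13.0, 39, 36, 290.0, 4900.0),
]


class TrafficProfile:
    """Per-feature mean/std of normal traffic. A flow's anomaly score is its
    largest absolute z-score across features."""

    def __init__(self, flows: Iterable[Flow]) -> None:
        rows = list(flows)
        self.stats: Dict[str, Tuple[float, float]] = {}
        for name in FEATURES:
            col = [row[name] for row in rows]
            self.stats[name] = (mean(col), pstdev(col))

    def score(self, flow: Flow) -> float:
        worst = 0.0
        for name, (mu, sd) in self.stats.items():
            dev = abs(flow[name] - mu)
            # A feature that never varied during training: any change at all is a deviation.
            z = (0.0 if dev == 0 else float("inf")) if sd == 0 else dev / sd
            worst = max(worst, z)
        return worst


class FlowMonitor:
    """Scores flows against a profile. mode="ids" only raises alerts;
    mode="ips" additionally returns a block decision for the anomalous flow."""

    def __init__(self, profile: TrafficProfile, threshold: float = 3.0, mode: str = "ids") -> None:
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.profile, self.threshold, self.mode = profile, threshold, mode
        self.alerts: List[Tuple[int, float]] = []  # (flow index, score)
        self._seen = 0

    def observe(self, flow: Flow) -> Tuple[bool, str]:
        """On-line use: called as each flow completes; returns (anomalous, action)."""
        idx, self._seen = self._seen, self._seen + 1
        s = self.profile.score(flow)
        if s <= self.threshold:
            return False, "allow"
        self.alerts.append((idx, s))
        return True, ("block" if self.mode == "ips" else "alert")

    def audit(self, flows: Iterable[Flow]) -> List[int]:
        """Off-line use: score a finished capture in one pass; returns indices of anomalies."""
        return [i for i, f in enumerate(flows) if self.profile.score(f) > self.threshold]


if __name__ == "__main__":
    profile = TrafficProfile(NORMAL_FLOWS)
    burst = _flow(0.5, 900, 2, 0.5, 500000.0)  # constructed: one-sided packet burst
    ids = FlowMonitor(profile, mode="ids")
    ips = FlowMonitor(profile, mode="ips")
    print("IDS:", ids.observe(burst))                   # (True, 'alert')
    print("IPS:", ips.observe(burst))                   # (True, 'block')
    print("offline:", ids.audit(NORMAL_FLOWS + [burst]))  # [8]
```

The same scoring function serves both operating modes; what differs is when it runs (per flow as it completes versus over a finished capture) and whether the verdict is only reported or also enforced. The zero-variance branch matters in practice: a feature that was constant in the training capture would otherwise divide by zero and silently mask deviations.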
... Apart from machine learning algorithms, fingerprinting methods were also used to identify Tor traffic from mixed-web traffic [12]. Hidden Markov Models (HMM), Support Vector Machines (SVM), and Artificial Neural Networks (ANN) are also applied to different datasets for classification of Tor networks [13,14]. These classifiers have a methodological error, as they include the IPs of source and destination in the classifier model. ...
Article
With the rapid growth in internet traffic, analysis and exploration of traffic classification has become a more challenging task, especially for the dark net or dark web. The darknet, within the confines of the deep web, has been witnessing illegitimate doings such as drug trafficking, terrorism, betting, etc. Hence classification of darknet traffic is an important task. This paper presents an intelligent framework for darknet traffic categorization with a proposed hybrid feature selector. The darknet traffic consists of data-packet-related information as input predictors for the model. Twenty-one machine learning models with and without feature selectors are presented to categorize the darknet traffic. We propose a Hybrid LASSO-Random Forest (HLRF) feature selector to reduce feature dimensionality. Classification of darknet traffic is evaluated with the well-known KNN, Extra Tree and XGBoost classifiers. The performance of the proposed models was assessed in terms of Accuracy, Precision, Recall, Harmonic Mean Value of True Positive Value (TPV) and Positive Predicted Value (PPV), Matthews Correlation Coefficient (MCC) and Jaccard Score. The experimental results confirm that XGBoost with the proposed HLRF feature selector outperforms in categorization of darknet traffic. The results reveal that the proposed XGBoost-HLRF model obtains an accuracy and recall value of 98.10% with a precision of 98.12%. Comparison of the XGBoost-HLRF model with other proposed state-of-the-art models is presented for performance assessment of our model.
... First, each packet is thermally encoded and fed into a CNN to obtain spatial features, and then an RNN is used to learn the overall temporal features. E. Hodo et al. [15] used an artificial neural network and a support vector machine for binary classification of the public dataset ISCXTor2016 and achieved satisfactory accuracies. Huo, Y et al. [16]. ...
Article
With the continuous expansion of the darknet and the increase in various criminal activities in the darknet, darknet traffic identification has become increasingly essential. However, existing darknet traffic identification methods rely on all traffic characteristics, which require a long computing time and a large amount of system resources, resulting in low identification efficiency. To this end, this paper proposes an autoencoder-based darknet traffic identification method (AE-DTI). First, AE-DTI maps the feature values to pixels of a two-dimensional grayscale image after deduplication and denoising of the darknet traffic dataset. Then, AE-DTI designs a new feature selection algorithm (AE-FS) to downscale the grayscale graph, and AE-FS trains a feature scoring network, which globally scores all the features based on the reconstruction error to select the features with scores greater than or equal to a set threshold value. Finally, AE-DTI uses a one-dimensional convolutional neural network with a dropout layer to identify darknet traffic on the basis of alleviating overfitting. Experimental results on the ISCXTor2016 dataset show that, compared with other dimensionality reduction methods (PCA, LLE, ISOMAP, and autoencoder), the classification model trained with the data obtained from AE-FS has a significant improvement in classification accuracy and classification efficiency. Moreover, AE-DTI also shows significant improvement in recognition accuracy compared with other models. Experimental results on the CSE-CIC-IDS2018 dataset and CIC-Darknet2020 dataset show that AE-DTI has strong generalization.
... Despite the complexity, few of the works such as (AlSabah et al. 2012;Lashkari et al., 2017;Shahbar and Zincir-Heywood, 2018) have managed to obtain data from real ACNs, and out of these works, few (Lashkari et al., 2017;Shahbar and Zincir-Heywood, 2018) have also published the dataset publicly for the use of research community. Research works like Hodo et al. (2017), Pescape et al. (2018), Kim and Anpalagan (2018) and Cai et al. (2019) have used the publicly available dataset for their research. ...
... • Filter method: The filter method ranks the features of the dataset based on metrics such as correlation coefficients and mutual information and is computationally fast. A majority of the reviewed works make use of correlation-based feature selection (Lashkari et al., 2017;Hodo et al., 2017;Pescape et al., 2018), few works such as a Correlation-based methods figure out a subset of features based on the degree of redundancy in the feature set. The correlation method ensures that the elements in the feature subset have a high correlation with the target variable and low correlation amongst themselves (Khalid et al., 2014). ...
... • Offline classification: In offline classification, classification is performed by utilising the flow information after the flow has ended. This type of classification has no time constraints on the classifier model, and the majority of our reviewed works perform only offline classification (Cai et al., 2019; He et al., 2015; Hodo et al., 2017; Jia et al., 2017; Kim and Anpalagan, 2018; Lashkari et al., 2017; Shahbar and Zincir-Heywood, 2018; Rao et al., 2018). In ML, train-test split and cross-validation methods are commonly used to validate classification models and evaluate their performance. ...
Article
With the growing need for anonymity and privacy on the Internet, Anonymous Communication Networks (ACNs) such as Tor, I2P, JonDonym, and Freenet have risen to fame. Such anonymous networks aim to provide freedom of expression and protection against tracking to its users. Simultaneously, there is also a class of users involved in the illegal usage of these ACNs. An emerging research topic in the field of ACNs is network traffic classification, as it can improve the network security against illegal users as well as improve the Quality of Service for its legal users. In this study, we review the research works available in the literature relevant to traffic classification in ACNs based on Machine Learning and also present to the researchers the general concepts and techniques in this area. A discussion on future trends in this area is also provided to bring out the future enhancements required in ML-based network traffic classification in ACNs.
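Two of the citing excerpts above raise points a practitioner should check before trusting a Tor/nonTor classifier: the filter method excerpt describes correlation-based selection (features that correlate highly with the target and weakly with each other), and an earlier excerpt notes that classifiers which include source and destination IPs as features contain a methodological error. The following is an added example, not code from Lashkari et al., Hodo et al. or any project cited on this page, that implements that greedy correlation filter over constructed flow rows and shows why an identifier column has to be excluded first. The flow features, the Tor/nonTor labels, the numerically encoded src_host column and the three thresholds (0.3 for target correlation, 0.9 for redundancy, 0.99 for the leak check) are all assumptions.

```python
"""Correlation-based (filter) feature selection for a flow classifier, with a
check for identifier features that leak the label.

Added example, not code from Lashkari, Hodo or any project cited on this page.
The flow features, labels, the encoded src_host column and the thresholds are
assumptions chosen for illustration.
"""
from math import sqrt
from typing import Dict, Iterable, List, Sequence, Tuple

Row = Dict[str, float]

# Constructed flows: four Tor (tor=1) and four nonTor (tor=0). In this toy
# capture every Tor flow came from one host and every nonTor flow from another,
# so the numeric src_host column identifies the sender rather than describing behaviour.
ROWS: List[Row] = [
    {"tor": 1, "src_host": 10, "duration_s": 30, "fwd_pkts": 50, "bwd_pkts": 90,  "mean_iat_ms": 400},
    {"tor": 1, "src_host": 10, "duration_s": 34, "fwd_pkts": 40, "bwd_pkts": 102, "mean_iat_ms": 380},
    {"tor": 1, "src_host": 10, "duration_s": 28, "fwd_pkts": 60, "bwd_pkts": 84,  "mean_iat_ms": 420},
    {"tor": 1, "src_host": 10, "duration_s": 36, "fwd_pkts": 45, "bwd_pkts": 108, "mean_iat_ms": 390},
    {"tor": 0, "src_host": 20, "duration_s": 22, "fwd_pkts": 55, "bwd_pkts": 66,  "mean_iat_ms": 120},
    {"tor": 0, "src_host": 20, "duration_s": 26, "fwd_pkts": 42, "bwd_pkts": 78,  "mean_iat_ms": 150},
    {"tor": 0, "src_host": 20, "duration_s": 20, "fwd_pkts": 48, "bwd_pkts": 60,  "mean_iat_ms": 110},
    {"tor": 0, "src_host": 20, "duration_s": 24, "fwd_pkts": 58, "bwd_pkts": 76,  "mean_iat_ms": 260},
]


def column(rows: Sequence[Row], name: str) -> List[float]:
    return [float(r[name]) for r in rows]


def pearson(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Pearson correlation; 0.0 when either column is constant (undefined otherwise)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)


def rank_by_target(rows: Sequence[Row], label: str, exclude: Iterable[str]) -> List[Tuple[str, float]]:
    """Features ordered by |correlation with the label|, strongest first."""
    skip = set(exclude) | {label}
    y = column(rows, label)
    scored = [(name, pearson(column(rows, name), y)) for name in rows[0] if name not in skip]
    return sorted(scored, key=lambda item: -abs(item[1]))


def leaky_identifiers(rows: Sequence[Row], label: str = "tor", threshold: float = 0.99) -> List[str]:
    """Features that separate the classes almost perfectly on their own. In a lab
    capture that is usually an identifier (host, port, IP) that will not generalise."""
    return [name for name, r in rank_by_target(rows, label, ()) if abs(r) >= threshold]


def select_features(rows: Sequence[Row], label: str = "tor", exclude: Iterable[str] = (),
                    min_target: float = 0.3, max_redundancy: float = 0.9) -> List[str]:
    """Greedy correlation filter: walk features from most to least label-correlated,
    keep one only if it clears min_target and is not redundant with anything kept."""
    chosen: List[str] = []
    cols = {name: column(rows, name) for name in rows[0]}
    for name, r in rank_by_target(rows, label, exclude):
        if abs(r) < min_target:
            continue
        if all(abs(pearson(cols[name], cols[kept])) < max_redundancy for kept in chosen):
            chosen.append(name)
    return chosen


if __name__ == "__main__":
    print("suspect identifiers:", leaky_identifiers(ROWS))           # ['src_host']
    print("naive selection:   ", select_features(ROWS))               # ['src_host', 'duration_s']
    print("after excluding:   ", select_features(ROWS, exclude={"src_host"}))  # ['mean_iat_ms', 'duration_s']
```

With the identifier left in, it ranks first and its near-perfect correlation with the label crowds out mean_iat_ms as "redundant"; the resulting model would learn which host was the Tor client, which is exactly the error the excerpt describes. bwd_pkts is dropped in both runs because it is almost a scaled copy of duration_s, which is the redundancy filter working as intended. Since the selection uses the whole table, it belongs inside the training fold of the offline train-test split or cross-validation, never across all data before the split.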
... C4.5 and k-Nearest Neighbor (KNN) were used for verification. The experimental results revealed a recognition accuracy for VPN traffic of nearly 90%. In 2017, Hodo et al. [14] proposed extracting the statistical features of encrypted traffic and classifying them into different groups, using an artificial neural network and a Support Vector Machine (SVM). The experimental results revealed an accuracy of 99%. ...
Article
The detection of malicious encrypted traffic is an important part of modern network security research. The producers of the current malware do not pay attention to the fact that malicious encrypted traffic can also be detected; they do not construct further adversarial malicious encrypted traffic to deceive existing malicious encrypted traffic detection methods. However, with the increasing confrontation between attack and defense, adversarial malicious encrypted traffic samples will appear gradually, which will make the existing malicious encrypted traffic detection methods obsolete. In this paper, an adversarial malicious encrypted traffic detection method based on refined session analysis (ADRSA) is proposed. The key ideas of this method are: 1) interpretability analysis is used to extract malicious traffic features that are not easily affected by encryption, 2) restoration technology is used to further improve traffic separability, and 3) a deep neural network is used to identify adversarial malicious encrypted traffic. In experimental tests, the ADRSA method could accurately detect malicious encrypted traffic, particularly adversarial malicious encrypted traffic, and the detection rate is more than 95%. However, the detection rate of other malicious encrypted traffic detection methods is almost zero when facing adversarial malicious encrypted traffic. The detection performance of ADRSA exceeds that of the most popular detection methods.
... By applying ensemble models only, accuracy was very poor but when "compensation constant" was applied during the testing process, accuracy improved. Such peak detection methods have been widely used in micro-grid for reducing the energy cost which resonates in [45], where the author has immaculately summarized the potential benefits of peak detection and consequent demand response, in improving power quality, minimizing losses, and optimizing the cost of operations in both micro-grid and the grid. Furthermore, in [46], an algorithm predicting peak electric load days (PELD) is implemented using ARIMA and Neural Networks (NNs). ...
Article
Increased focus on sustainability and energy decentralization has positively impacted the adoption of nanogrids. With the tremendous growth, load forecasting has become crucial for their daily operation. Since the loads of nanogrids have large variations with sudden usage of large household electrical appliances, existing forecasting models, majorly focused on lower volatile loads, may not work well. Moreover, abrupt operation of electrical appliances in a nanogrid, even for shorter durations, especially in “Peak Hours,” raises the energy cost substantially. In this paper, an ANN model with dynamic feature selection is developed to predict the hour-ahead load of nanogrids based on meteorological data and a load lag of 1 h (t-1). In addition, by thresholding the predicted load against the average load of previous hours, peak loads, and their time indices are accurately identified. Numerical testing results show that the developed model can predict loads of nanogrids with the Mean Square Error (MSE) of 0.03 KW, the Mean Absolute Percentage Error (MAPE) of 9%, and the coefficient of variation (CV) of 11.9% and results in an average of 20% daily energy cost savings by shifting peak load to off-peak hours. Keywords: nanogrids; peak load; load forecasting; artificial neural network (ANN); machine learning; microgrids
... Aghaei et al. [1] proposed a C4.5 decision tree classifier on proxy traffic. Artificial neural network (ANN) approaches have also been proposed for encrypted web traffic identification [7,23]. From the experimentation in [23], the ANN approach outperforms C4.5 and naive random forest methods. ...
Article
A growing number of conventional convolutional neural network (CNN) models have been employed for encrypted web traffic characterization. However, the application of CNN models is confronted with two significant challenges: a) they possess short receptive fields that don't gather much encrypted-traffic information for effective and accurate predictions; b) these models are not adaptive to the diverse nature of traffic flow because of their single-head architecture. This paper alleviates these problems using a fusion of dilated convolutional neural networks dubbed FDCNN. The FDCNN architecture supports exponentially large receptive fields and captures local dependencies in encrypted traffic data. The experimental results on public datasets, the ISCX VPN-nonVPN traffic datasets, indicate that the FDCNN architecture is practical and achieves higher accuracy.
... It monitors the traffic, and whenever it detects suspicious activity, it alerts the network admin. The basic functionality of IDS includes reporting threats, taking preventive steps whenever it identifies some intrusion, and recording all significant incidents happening in the network [6]. The following Fig. 1 shows a modular diagram of IDS. ...
Chapter
This extensive review aims to classify the Intrusion Detection System (IDS) and the various machine learning and deep learning (ML/DL) approaches used for IDS. The survey also addresses security, which is a concern with the Internet of Things. Several types of intrusion detection systems (IDSs), including shallow and deep learning methods and various learning algorithms to aid intrusion detection, are also categorized. This research expands on Network Intrusion Detection Systems and investigates techniques for improving their performance. It provides a more comprehensive understanding of deep and shallow learning methodologies with their benefits and drawbacks. The study component examines IDS classification, feature extraction techniques, machine learning, deep learning, and examples of how these may be applied. The essence of this review will establish a viable approach to assist professionals in modeling trustworthy and powerful IDS based on real-time requirements. Because the methods of intrusion and cyberattack in networks are constantly evolving, the topic has attracted the interest of many scholars and industry professionals. However, cyber specialists struggle to develop an accurate and effective Intrusion Detection System (IDS). In addition, the increasing number of devices has resulted in more complicated network topologies, raising security risks. As a result, a lengthy and exhaustive review is indispensable while developing a secure communication system.
... The Tor-nonTor dataset [28] is also a popular dataset used for traffic classification task. Recent papers like [17], [18] used this dataset for encrypted traffic analysis. The traffic categories for the (ISCXVPN2016) and (ISCXTor2016) dataset are the same, hence Table 1 can be used to describe both datasets. ...
Conference Paper
The internet is responsible for global connectivity, and ensuring its safety is a paramount task for governments and organisations. Cybersecurity concerns have led to the encryption of over 87% of internet traffic. Encryption ensures security by improving privacy between sender and receiver but creates a problem of inaccurate traffic classification. Previous papers have used Artificial Intelligence to address this problem; however, issues such as model simplicity, complexity, imbalanced datasets, etc., are problems yet to be addressed. Overfitting, underfitting and ultimately poor classification are outcomes of poorly designed models. This paper applies deep learning to the problem of encrypted traffic classification. A Convolutional Neural Network (CNN) is used to address this problem. An eleven-layered architecture is designed and trained with a range of images generated from the metadata of encrypted traffic. At its core, the design is made less complex for understandability and deals with overfitting. The proposed model is assessed with the standard metrics of accuracy, precision, recall and F1 score, then compared to a baseline model. The model is trained and tested for seven classification problems, using three encryption types (https, vpn, tor). For all classification tasks, the proposed model achieved accuracies ranging from 91%-99%, which is an indication of optimum generalization strength. Our model outperformed the baseline model, which had accuracies ranging from 67.6%-99%, an indication of poor generalization strength.