Anomaly Detection in Imbalanced Encrypted Traffic with Few Packet Metadata-Based Feature Extraction  

作　　者：Min-Gyu Kim Hwankuk Kim 

机构地区：[1]Department of Financial Information Security,Kookmin University,Seoul,02707,Republic of Korea [2]Department of Information Security Cryptography Mathematics,Kookmin University,Seoul,02707,Republic of Korea

出　　处：《Computer Modeling in Engineering & Sciences》2024年第10期585-607,共23页工程与科学中的计算机建模（英文）

基　　金：supported by Institute of Information&Communications Technology Planning&Evaluation(IITP)grant funded by the Korea government(MSIT)(No.RS-2023-00235509,Development of Security Monitoring Technology Based Network Behavior against Encrypted Cyber Threats in ICT Convergence Environment).

摘　　要：In the IoT(Internet of Things)domain,the increased use of encryption protocols such as SSL/TLS,VPN(Virtual Private Network),and Tor has led to a rise in attacks leveraging encrypted traffic.While research on anomaly detection using AI(Artificial Intelligence)is actively progressing,the encrypted nature of the data poses challenges for labeling,resulting in data imbalance and biased feature extraction toward specific nodes.This study proposes a reconstruction error-based anomaly detection method using an autoencoder(AE)that utilizes packet metadata excluding specific node information.The proposed method omits biased packet metadata such as IP and Port and trains the detection model using only normal data,leveraging a small amount of packet metadata.This makes it well-suited for direct application in IoT environments due to its low resource consumption.In experiments comparing feature extraction methods for AE-based anomaly detection,we found that using flowbased features significantly improves accuracy,precision,F1 score,and AUC(Area Under the Receiver Operating Characteristic Curve)score compared to packet-based features.Additionally,for flow-based features,the proposed method showed a 30.17%increase in F1 score and improved false positive rates compared to Isolation Forest and OneClassSVM.Furthermore,the proposedmethod demonstrated a 32.43%higherAUCwhen using packet features and a 111.39%higher AUC when using flow features,compared to previously proposed oversampling methods.This study highlights the impact of feature extraction methods on attack detection in imbalanced,encrypted traffic environments and emphasizes that the one-class method using AE is more effective for attack detection and reducing false positives compared to traditional oversampling methods.

关 键 词：One-class anomaly detection feature extraction auto-encoder encrypted traffic CICIoT2023 

分 类 号：TP309.7[自动化与计算机技术—计算机系统结构]