检测恶意 DoH 流量:利用小样本分析和对抗网络进行检测

IF 3.8 2区 计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS Journal of Information Security and Applications Pub Date : 2024-06-28 DOI:10.1016/j.jisa.2024.103827
Shaoqian Wu, Wei Wang, Zhanmeng Ding
{"title":"检测恶意 DoH 流量:利用小样本分析和对抗网络进行检测","authors":"Shaoqian Wu,&nbsp;Wei Wang,&nbsp;Zhanmeng Ding","doi":"10.1016/j.jisa.2024.103827","DOIUrl":null,"url":null,"abstract":"<div><p>In light of the escalating frequency of DNS attacks, it is imperative to bolster user security and privacy through the encryption of DNS queries. However, conventional methods for detecting DNS traffic are no longer effective in identifying encrypted traffic, particularly with the utilization of the DNS-over-HTTPS (DoH) protocol, which employs secure HTTPS for DNS resolution. To confront this challenge, we propose a novel model for detecting malicious DoH traffic, named DoH-TriCGAN, which distinguishes between non-DoH, benign DoH, and malicious DoH traffic. DoH-TriCGAN employs a conditional generative adversarial network comprising three network components, for which we only provide additional information to the generator. We extracted different small sample datasets and large sample dataset from the CIRA-CIC-DoHBrw-2020 dataset, to evaluate the efficiency and effectiveness of the proposed DoH-TriCGAN model, and compared the quality of the generated synthetic data. To establish a benchmark, we utilized the six metrics – accuracy, precision, recall, F1-score, ROC_AUC, and PR_AUC – to assess the performance of our model. The results demonstrate our proposed model outperforms the other five models (RF, XGBoost, BiGRU, Autoencoder, Transformer), showing the best performance particularly in scenarios with limited training samples, while also demonstrating data expansion capabilities by generating high-quality synthetic data to address the issue of insufficient network traffic.</p></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"84 ","pages":"Article 103827"},"PeriodicalIF":3.8000,"publicationDate":"2024-06-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Detecting malicious DoH traffic: Leveraging small sample analysis and adversarial networks for detection\",\"authors\":\"Shaoqian Wu,&nbsp;Wei Wang,&nbsp;Zhanmeng Ding\",\"doi\":\"10.1016/j.jisa.2024.103827\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>In light of the escalating frequency of DNS attacks, it is imperative to bolster user security and privacy through the encryption of DNS queries. However, conventional methods for detecting DNS traffic are no longer effective in identifying encrypted traffic, particularly with the utilization of the DNS-over-HTTPS (DoH) protocol, which employs secure HTTPS for DNS resolution. To confront this challenge, we propose a novel model for detecting malicious DoH traffic, named DoH-TriCGAN, which distinguishes between non-DoH, benign DoH, and malicious DoH traffic. DoH-TriCGAN employs a conditional generative adversarial network comprising three network components, for which we only provide additional information to the generator. We extracted different small sample datasets and large sample dataset from the CIRA-CIC-DoHBrw-2020 dataset, to evaluate the efficiency and effectiveness of the proposed DoH-TriCGAN model, and compared the quality of the generated synthetic data. To establish a benchmark, we utilized the six metrics – accuracy, precision, recall, F1-score, ROC_AUC, and PR_AUC – to assess the performance of our model. The results demonstrate our proposed model outperforms the other five models (RF, XGBoost, BiGRU, Autoencoder, Transformer), showing the best performance particularly in scenarios with limited training samples, while also demonstrating data expansion capabilities by generating high-quality synthetic data to address the issue of insufficient network traffic.</p></div>\",\"PeriodicalId\":48638,\"journal\":{\"name\":\"Journal of Information Security and Applications\",\"volume\":\"84 \",\"pages\":\"Article 103827\"},\"PeriodicalIF\":3.8000,\"publicationDate\":\"2024-06-28\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Information Security and Applications\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S2214212624001303\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212624001303","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

鉴于 DNS 攻击日益频繁,必须通过加密 DNS 查询来加强用户安全和隐私保护。然而,传统的 DNS 流量检测方法已无法有效识别加密流量,尤其是在使用安全 HTTPS 进行 DNS 解析的 DNS-over-HTTPS (DoH)协议的情况下。为了应对这一挑战,我们提出了一种用于检测恶意 DoH 流量的新型模型,命名为 DoH-TriCGAN,它能区分非 DoH、良性 DoH 和恶意 DoH 流量。DoH-TriCGAN 采用了一个条件生成式对抗网络,由三个网络组件组成,我们只向生成器提供额外的信息。我们从 CIRA-CIC-DoHBrw-2020 数据集中提取了不同的小样本数据集和大样本数据集,以评估所提出的 DoH-TriCGAN 模型的效率和有效性,并比较了生成的合成数据的质量。为了建立基准,我们使用了准确率、精确度、召回率、F1-score、ROC_AUC 和 PR_AUC 这六个指标来评估模型的性能。结果表明,我们提出的模型优于其他五个模型(RF、XGBoost、BiGRU、Autoencoder、Transformer),尤其是在训练样本有限的情况下表现最佳,同时还通过生成高质量的合成数据来解决网络流量不足的问题,从而展示了数据扩展能力。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
Detecting malicious DoH traffic: Leveraging small sample analysis and adversarial networks for detection

In light of the escalating frequency of DNS attacks, it is imperative to bolster user security and privacy through the encryption of DNS queries. However, conventional methods for detecting DNS traffic are no longer effective in identifying encrypted traffic, particularly with the utilization of the DNS-over-HTTPS (DoH) protocol, which employs secure HTTPS for DNS resolution. To confront this challenge, we propose a novel model for detecting malicious DoH traffic, named DoH-TriCGAN, which distinguishes between non-DoH, benign DoH, and malicious DoH traffic. DoH-TriCGAN employs a conditional generative adversarial network comprising three network components, for which we only provide additional information to the generator. We extracted different small sample datasets and large sample dataset from the CIRA-CIC-DoHBrw-2020 dataset, to evaluate the efficiency and effectiveness of the proposed DoH-TriCGAN model, and compared the quality of the generated synthetic data. To establish a benchmark, we utilized the six metrics – accuracy, precision, recall, F1-score, ROC_AUC, and PR_AUC – to assess the performance of our model. The results demonstrate our proposed model outperforms the other five models (RF, XGBoost, BiGRU, Autoencoder, Transformer), showing the best performance particularly in scenarios with limited training samples, while also demonstrating data expansion capabilities by generating high-quality synthetic data to address the issue of insufficient network traffic.

求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Journal of Information Security and Applications
Journal of Information Security and Applications Computer Science-Computer Networks and Communications
CiteScore
10.90
自引率
5.40%
发文量
206
审稿时长
56 days
期刊介绍: Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.
期刊最新文献
Multi-ciphertext equality test heterogeneous signcryption scheme based on location privacy Towards an intelligent and automatic irrigation system based on internet of things with authentication feature in VANET A novel blockchain-based anonymous roaming authentication scheme for VANET Efficient quantum algorithms to break group ring cryptosystems IDPriU: A two-party ID-private data union protocol for privacy-preserving machine learning
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1