Современные информационные технологии и IT-образование (Mar 2022)
Detection of Malicious Activity in Encrypted Traffic Presented as a Time Series
Abstract
At the moment, traffic on the Internet is mostly encrypted; malware is also increasingly using encryption. To scan encrypted traffic for malicious activity, its metadata is used. For that purpose, traffic is divided into flows – sessions between two hosts. This paper is devoted to machine learning for analysis of encrypted traffic presented in the form of time series. This approach is considered in comparison with a more traditional approach to flow classification. The task is considered in the context of both supervised and unsupervised machine learning. Regarding decision-making on whether the host is infected as a whole, a model of a malware detector is proposed. The experiments were conducted on the case study of the network activity of ransomware. Specialized tools were used to analyze time series: recurrent and convolutional neural networks, dynamic time warping.
Keywords