network security Recently Published Documents

A Survey on Ransomware Malware and Ransomware Detection Techniques

Abstract: Ransomware is a kind of malicious software (malware) that threatens to publish, or blocks access to, data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker. As a rule, the ransom demand comes with a deadline; if the victim does not pay on time, the data is gone permanently or the ransom increases. Nowadays attackers are implementing new strategies to make attacks more effective. In this paper, we focus on ransomware network attacks and survey detection techniques for ransomware attacks. Different detection techniques and approaches are available for identifying ransomware attacks.

Keywords: Network Security, Malware, Ransomware, Ransomware Detection Techniques

Analysis and Evaluation of Wireless Network Security with the Penetration Testing Execution Standard (PTES)

The use of computer networks in an agency aims to facilitate communication and data transfer between devices. The network can use wireless media or LAN cable. At SMP XYZ, most of the computers still use wireless networks. Based on the findings in the field, it was found that there was no user management problem. Therefore, an analysis and audit of the network security system is needed to ensure that the network security system at SMP XYZ is safe and running well. In conducting this analysis, a tool is needed to serve as a benchmark for determining the security of the wireless network. The tool used is the Penetration Testing Execution Standard (PTES), one of the tools that has become a standard for analyzing or auditing network security systems in a company, in this case for analyzing and auditing wireless network security systems. After conducting an analysis based on this tool, there are still many security holes in the SMP XYZ wireless network that allow outsiders to gain illegal access; vulnerabilities were found in terms of WPA2 cracking, DoS, wireless router password cracking, and access point isolation, so it can be said that network security at SMP XYZ is still not safe.

A Sensing Method of Network Security Situation Based on Markov Game Model

The sensing of network security situation (NSS) has become a hot issue. This paper first describes the basic principle of the Markov model and then the necessary and sufficient conditions for applying the Markov game model. Finally, taking the fuzzy comprehensive evaluation model as the theoretical basis, this paper analyzes the application fields of the NSS sensing method based on the Markov game model from the aspects of network randomness, non-cooperation, and dynamic evolution. Evaluation results show that the NSS sensing method with the Markov game model works best in the financial field, followed by the educational field. In addition, the model can also be used to evaluate the applicability of NSS sensing methods in different industries. Certainly, in different categories and under different NSS sensing methods, the proportions of the various influencing factors differ, and once a proportion is unreasonable it distorts the calculation process and thus affects the results.

The Compound Prediction Analysis of Information Network Security Situation based on Support Vector Combined with BP Neural Network Learning Algorithm

In order to solve the problem of low security of data in network transmission and inaccurate prediction of the future security situation, an improved neural network learning algorithm is proposed in this paper. The algorithm makes up for the shortcomings of the standard neural network learning algorithm, eliminates redundant data by support vectors, and realizes effective clustering of information data. In addition, the improved neural network learning algorithm uses the order of the data to optimize the "end" data in the standard neural network learning algorithm, so as to improve the accuracy and computational efficiency of network security situation prediction. MATLAB simulation results show that the data processing capacity of the support vector combined BP neural network is consistent with the actual security situation data requirements: the consistency can reach 98%, the consistency of the security situation results can reach 99%, the composite prediction time of the whole security situation is less than 25 s, the line segment slope change can reach 2.3%, and the slope change range can reach 1.2%, which is better than the BP neural network algorithm.

Network intrusion detection using oversampling technique and machine learning algorithms

The expeditious growth of the World Wide Web and the rampant flow of network traffic have resulted in a continuous increase of network security threats. Cyber attackers seek to exploit vulnerabilities in network architecture to steal valuable information or disrupt computer resources. Network Intrusion Detection System (NIDS) is used to effectively detect various attacks, thus providing timely protection to network resources from these attacks. To implement NIDS, a stream of supervised and unsupervised machine learning approaches is applied to detect irregularities in network traffic and to address network security issues. Such NIDSs are trained using various datasets that include attack traces. However, due to the advancement in modern-day attacks, these systems are unable to detect the emerging threats. Therefore, NIDS needs to be trained and developed with a modern comprehensive dataset which contains contemporary common and attack activities. This paper presents a framework in which different machine learning classification schemes are employed to detect various types of network attack categories. Five machine learning algorithms: Random Forest, Decision Tree, Logistic Regression, K-Nearest Neighbors and Artificial Neural Networks, are used for attack detection. This study uses a dataset published by the University of New South Wales (UNSW-NB15), a relatively new dataset that contains a large amount of network traffic data with nine categories of network attacks. The results show that the classification models achieved the highest accuracy of 89.29% by applying the Random Forest algorithm. Further improvement in the accuracy of classification models is observed when Synthetic Minority Oversampling Technique (SMOTE) is applied to address the class imbalance problem. After applying the SMOTE, the Random Forest classifier showed an accuracy of 95.1% with 24 selected features from the Principal Component Analysis method.

Cyber Attacks Visualization and Prediction in Complex Multi-Stage Network

In network security, various protocols exist, but these cannot be said to be secure. Moreover, it is not easy to train end-users, and this process is time-consuming as well. Put another way, it takes much time for an individual to become a good cybersecurity professional. Many hackers and illegal agents try to take advantage of vulnerabilities through various incremental penetrations that can compromise critical systems. The conventional tools available for this purpose are not enough to handle things as desired. Risks are always present, and with dynamically evolving networks, they are very likely to lead to serious incidents. This research work proposes a model to visualize and predict cyber-attacks in complex, multilayered networks. The calculation corresponds to the software vulnerabilities in the networks within the specific domain. All the available network security conditions and the possible places where an attacker can exploit the system are summarized.

Network Security Policy Automation

Network security policy automation enables enterprise security teams to keep pace with increasingly dynamic changes in on-premises and public/hybrid cloud environments. This chapter discusses the most common use cases for policy automation in the enterprise, and new automation methodologies to address them by taking the reader step-by-step through sample use cases. It also looks into how emerging automation solutions are using big data, artificial intelligence, and machine learning technologies to further accelerate network security policy automation and improve application and network security in the process.

Rule-Based Anomaly Detection Model with Stateful Correlation Enhancing Mobile Network Security

Research on network security technology of industrial control system

The relationship between industrial control system and Internet is becoming closer and closer, and its network security has attracted much attention. Penetration testing is an active network intrusion detection technology, which plays an indispensable role in protecting the security of the system. This paper mainly introduces the principle of penetration testing, summarizes the current cutting-edge penetration testing technology, and looks forward to its development.

Detection and Prevention of Malicious Activities in Vulnerable Network Security Using Deep Learning


Open access. Published: 12 July 2023

Network traffic classification model based on attention mechanism and spatiotemporal features

Feifei Hu (1), Situo Zhang (1), Xubin Lin (1), Niandong Liao (2) and Yanqi Song (2)

EURASIP Journal on Information Security, volume 2023, Article number 6 (2023)

Traffic classification is widely used in network security and network management. Early studies have mainly focused on mapping network traffic to different unencrypted applications, but little research has been done on network traffic classification of encrypted applications, especially the underlying traffic of encrypted applications. To address the above issues, this paper proposes a network encrypted traffic classification model that combines attention mechanisms and spatiotemporal features. The model first uses the long short-term memory (LSTM) method to analyze continuous network flows and find the temporal correlation features between these network flows. Secondly, the convolutional neural network (CNN) method is used to extract the high-order spatial features of the network flow, and then the squeeze and excitation (SE) module is used to weight and redistribute the high-order spatial features to obtain the key spatial features of the network flow. Finally, through the above three stages of training and learning, fast classification of network flows is achieved. The main advantages of this model are as follows: (1) the mapping relationship between network flow and label is automatically constructed by the model without manual intervention or decisions based on network features, (2) it has strong generalization ability and can quickly adapt to different network traffic datasets, and (3) it can handle encrypted applications and their underlying traffic with high accuracy. The experimental results show that the model can classify network traffic of encrypted and unencrypted applications at the same time, and in particular improves the classification accuracy for the underlying traffic of encrypted applications. In most cases, the accuracy exceeds 90%.

1 Introduction

Network traffic classification is the process of identifying specific applications or activities by matching them with network traffic. This task is essential for network management and security [ 1 ]. In network management, network traffic classification enables the identification of different types of network applications, allowing for the appropriate allocation of network resources [ 2 ].

Currently, early network traffic classification methods fall mainly into two classes: port-based and deep-packet-inspection-based [ 3 ]. Port-based methods identify network traffic by standard port numbers. However, in the current network environment, the port-based approach is beginning to decline due to the prevalence of port obfuscation and dynamic ports.

The deep packet inspection-based method has high classification accuracy for known application traffic, but it cannot identify unknown or encrypted application traffic [ 4 ]. With the development of some new technologies, machine learning, traffic behavior analysis, signature matching, and deep learning methods have also been applied and studied in network traffic classification [ 5 ].

Machine learning algorithms enable the classification of network traffic by training models on known categories. These models can automatically identify and classify new traffic. Common algorithms used for this purpose include decision trees, support vector machines (SVM), and Naive Bayes classifiers. They use packet features such as source and destination IP addresses, packet length, and timestamps for classification. A network traffic classification method based on Naive Bayes classification was proposed in [ 6 ]. The authors first preprocessed the dataset by removing irrelevant features and normalizing values. They then applied a feature selection algorithm based on information gain to identify the most important features in the classification task. The Naive Bayes classifier was trained on the selected features and evaluated on the test set using several metrics, including accuracy, precision, recall, and F1 scores. The study showed that Naive Bayes classification is an effective method for classifying network traffic, and that feature selection is crucial for improving the performance of the algorithm.

The traffic behavior analysis method classifies traffic by analyzing the behavioral patterns of traffic. It can detect abnormal traffic behavior and identify network attacks and unusual activities. For example, by monitoring frequent connection attempts or unusual data transfer volumes from specific IP addresses, it is possible to determine whether traffic is a malicious activity. Signature matching methods use predefined rules or patterns to match traffic. By matching it against the signature of a known network attack or malicious behavior, it can determine whether the traffic belongs to a specific type of attack. This method is commonly used in intrusion detection systems (IDS) and intrusion prevention systems (IPS).

Deep learning traffic classification is a method that uses deep neural network models to automatically classify network traffic. A deep learning-based method for packet-based network traffic classification was proposed in [ 7 ]. The authors used a convolutional neural network (CNN) to extract features from the packets and a multilayer perceptron (MLP) to classify the traffic. The method was evaluated on a real-world dataset and was shown to be more effective than other machine learning algorithms.

From the research in references [ 6 ] and [ 7 ], it can be seen that the former approach can identify certain unknown or encrypted application traffic but relies on prior knowledge. The latter method does not require manual extraction of traffic features and can automatically construct the mapping relationship between network traffic and corresponding labels, thus eliminating the dependence on prior knowledge [ 8 ].

In recent years, the use of encryption technology has increased significantly in network communications in order to ensure the privacy of user data. However, this has also led to a significant increase in encrypted traffic, which challenges traditional rule-based methods to effectively identify and classify it. Encryption transforms communication content into random ciphertext, making it difficult to decipher in a short period of time. As a result, payload-based methods are ineffective for accurate matching and detection.

Encrypted traffic ensures secure communication, but it also creates opportunities for malicious activities. This can lead to an increase in false positives or false negatives in existing inspection methods, which poses a significant challenge for network regulators in accurately identifying and managing encrypted traffic. For example, consider an organization that relies heavily on VoIP communication for its day-to-day operations. Employees are also allowed to access video streaming platforms during their break times. However, due to limited network resources, the organization needs to prioritize VoIP traffic to ensure high call quality. Yet VoIP and video streaming traffic often use similar network ports and protocols, making it challenging to differentiate them based solely on network packet headers. Existing traffic classification methods are not accurate enough to differentiate between VoIP and video streaming traffic, which leads to suboptimal QoS and potential disruptions in VoIP calls.

In addition, due to the use of encryption technology, traffic content is converted into random ciphertext, making it difficult to directly check and analyze the content. This may result in traditional content-based malicious traffic detection methods being unable to effectively decrypt and identify some normal encrypted traffic, leading to false positives. For example, Dropbox is a file synchronization and sharing service that lets users upload and download files. Dropbox uses encryption to keep user data private and secure. However, this traffic behavior pattern may be similar to some malicious activities (such as massive file transfers or abnormal file types), which may result in the traffic being misreported as malicious.

In addition, Dropbox provides its services using shared IP addresses or domain names that may be associated with other malicious activity. When cybersecurity systems detect malicious traffic based on IP addresses or domain names, they may misclassify Dropbox traffic as malicious.

Finally, Dropbox users can upload and download large amounts of data, possibly with high frequency. Such large data transfers and frequent traffic can be misinterpreted as malicious behavior, especially if traffic- or frequency-based rules are used in network security systems.

From the problems faced by the first two network applications, it can be seen that there are still some challenging problems to be solved in dealing with encrypted traffic and application traffic classification, which are mainly as follows [ 9 , 10 , 11 ]:

Inaccurate traffic classification: Due to the complexity and diversity of application software, traffic can vary on different devices and versions of the same application. In addition, some applications may use encryption to hide their traffic, making it difficult to classify traffic.

Misclassification: Application traffic classification is usually based on a few simple rules, such as port numbers, IP addresses, and domain names. Therefore, misclassification may occur. For example, the traffic of some applications may be very similar to that of other applications, but their functions are completely different, which can be easily misjudged.

Complex encryption algorithm: The encryption algorithm is usually very complex, which makes it difficult to classify traffic. Some encryption algorithms may also use random numbers, hash functions, and other techniques, which increases the difficulty of classification.

Traffic noise problem: Since the payload itself is encrypted, encrypted traffic may contain a lot of noise, which may affect the accuracy of traffic classification.

Attacks and spoofing: Some malicious attackers may use encryption to hide their attack traffic, which poses a challenge to the classification of encrypted traffic. At the same time, the attacker may spoof other types of traffic to fool the traffic classification system.

Traffic congestion: Users may use multiple applications at the same time, and the traffic of these applications will be mixed together, making it difficult to accurately classify and record the traffic of each application.

To address the aforementioned critical issues and improve the inspection accuracy of the original methods, the following three aspects can be considered:

Update malicious traffic detection rules: Network security systems can be updated with rules based on the traffic behavior patterns and features of legitimate business traffic. This can help to avoid false positives, where legitimate traffic is mistakenly identified as malicious.

Perform comprehensive feature-based classification: Malicious traffic can be identified by considering multiple features, such as traffic behavior, data transmission patterns, IP addresses, and domain names. By considering multiple features together, it becomes possible to more accurately differentiate between normal business traffic and malicious traffic.

Use machine learning or deep learning methods: Machine learning and deep learning methods can be used to classify and identify normal business traffic. These methods learn the features and patterns of normal traffic to distinguish between normal traffic and malicious traffic.

This paper proposes an end-to-end representation learning network classification model. End-to-end representation learning is a deep learning-based approach that can directly map input data to output labels, thus avoiding the process of manual feature extraction of input data. For encryption and application software traffic classification, the solution of this paper is as follows:

Encrypted traffic classification problem: The traditional traffic classification method may need to decrypt encrypted traffic, which involves key management and privacy issues. However, the end-to-end representation learning method can directly classify encrypted traffic without decryption, thus avoiding these problems.

Application software traffic classification problem: The complexity and diversity of application software make traffic classification inaccurate. However, the end-to-end representation learning method can automatically extract useful features by learning a large amount of traffic data, so as to achieve more accurate traffic classification.

Accuracy problem: The end-to-end representation learning method can improve the accuracy and precision of classification through multi-level neural network structure and a large number of training data, which is more efficient than traditional methods.

Universality problem: The end-to-end representation learning method can deal with various types of traffic data without manual feature extraction and rule design, so it has better universality and flexibility.

Adaptive problem: Due to the constant changes of application software and encryption algorithms, traditional traffic classification methods need to be updated constantly, while end-to-end representation learning methods can update the model adaptively through incremental learning to adapt to new application software and encryption algorithms.

The brief steps of the end-to-end representational learning model proposed in this paper are as follows:

Sequential analysis with LSTM: LSTM is effective in capturing temporal dependencies in sequential data. It analyzes the order and timing of network packets, enabling the model to learn long-term dependencies and detect subtle patterns. This helps differentiate between normal and potential attacks, even in cases where similar ports or encryption techniques are used.

Local pattern extraction with CNN: CNNs excel at extracting local patterns and features from data. In network traffic classification, a CNN component can learn to recognize specific packet-level patterns that differentiate applications. This aids in identifying distinctive characteristics of benign Dropbox traffic, such as packet sizes, payload patterns, or protocol behavior, leading to accurate classification.

Refining feature representations with SE: The SE module enhances the model’s representational power by recalibrating channel-wise features. It learns adaptive weights to focus on informative features while suppressing less relevant ones. This improves the discrimination between benign and potentially malicious traffic, reducing false-positive detections.

Combined approach: By combining LSTM, CNN, and SE in the network traffic classification process for IDS, a novel approach is introduced that leverages the strengths of each component. LSTM captures temporal dependencies, CNN extracts local patterns, and the SE module refines feature representations. This combined approach enhances accuracy and reliability in network traffic classification, specifically addressing the challenge of misclassifying benign business traffic as potential attacks and reducing false-positive detections in IDSs.
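As an added illustration of the SE step in the pipeline above (this is not the authors' code): a plain-Python squeeze-and-excitation block applied to a hand-built 4-channel feature map, with the weights of the two bottleneck layers constructed by hand rather than learned, so the per-channel weights and the rescaled output can be checked numerically.

```python
"""Squeeze-and-excitation (SE) channel recalibration in plain Python.

Constructed example: the feature map, the two fully connected layers and
their weights are made up by hand (in the paper they would be learned),
so the three SE steps, squeeze, excitation and scale, can be followed.
"""
import math
from typing import List

Matrix = List[List[float]]


def squeeze(feature_map: Matrix) -> List[float]:
    """Global average pooling: one descriptor value per channel."""
    return [sum(ch) / len(ch) for ch in feature_map]


def dense(w: Matrix, b: List[float], x: List[float]) -> List[float]:
    """Fully connected layer; w has shape (out x in)."""
    return [sum(wi * xi for wi, xi in zip(row, x)) + bi
            for row, bi in zip(w, b)]


def sigmoid(v: float) -> float:
    return 1.0 / (1.0 + math.exp(-v))


def excite(z, w1, b1, w2, b2) -> List[float]:
    """Bottleneck FC -> ReLU -> FC -> sigmoid: one weight in (0, 1) per channel."""
    hidden = [max(0.0, h) for h in dense(w1, b1, z)]   # C/r hidden units
    return [sigmoid(v) for v in dense(w2, b2, hidden)]


def se_block(feature_map, w1, b1, w2, b2):
    """Return (channel_weights, recalibrated feature map)."""
    s = excite(squeeze(feature_map), w1, b1, w2, b2)
    # Scale: every position of channel c is multiplied by its weight s_c,
    # so informative channels are kept and less relevant ones suppressed.
    scaled = [[s_c * v for v in ch] for s_c, ch in zip(s, feature_map)]
    return s, scaled


# Constructed feature map: 4 channels x 3 positions, standing in for a CNN
# output over a short packet sequence.
FEATURE_MAP = [
    [1.0, 2.0, 3.0],
    [0.0, 0.0, 0.0],
    [4.0, 4.0, 4.0],
    [-2.0, 0.0, 2.0],
]
# Reduction ratio r = 2: 4 channels -> 2 hidden units -> 4 channels.
W1 = [[1.0, 0.0, 0.0, 0.0],
      [0.0, 0.0, -1.0, 0.0]]
B1 = [0.0, 0.0]
W2 = [[0.5, 0.0],
      [0.0, 1.0],
      [-1.0, 0.0],
      [0.0, 0.0]]
B2 = [0.0, 0.0, 0.0, 0.0]

if __name__ == "__main__":
    weights, out = se_block(FEATURE_MAP, W1, B1, W2, B2)
    print("channel weights:", [round(w, 3) for w in weights])
    for row in out:
        print([round(v, 3) for v in row])
```

With these weights channel 2 (constant, high-energy) is damped to about 12% and channel 0 boosted to about 73%, showing how the gate redistributes emphasis across channels independently of their raw magnitude.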

This paper selects three datasets to evaluate the performance of the model and compares it with some methods in recent years. The results show that the model is more accurate and performs better than other methods in most cases in different classification experiments. The main contributions of this paper are as follows:

This paper proposes an end-to-end representation learning model which can automatically classify application software and encrypted network traffic. This method effectively solves the problem of coarse and fine granularity classification of application software traffic and the difficulty of accurate classification of encrypted traffic.

This paper applies the attention mechanism and representation method to network traffic classification to get rid of the bottleneck of information processing and improve the model capability.

This paper uses three datasets to verify the effectiveness of the model. The experimental results show that the method has higher detection accuracy and stronger generalization ability than other methods.

This model can be used to identify and classify network traffic generated by different applications, even if the traffic is encrypted. This approach works by capturing underlying patterns and features within the encrypted traffic, which helps to improve classification accuracy. In the context of enterprise network environments, this model can be used by network administrators to identify and differentiate traffic generated by instant messaging tools, BitTorrent, and other applications. This helps to reduce false positives, improve network security, and ensure compliance with enterprise network policies.

The rest of this paper is organized as follows. The second section is related work, which introduces the motivation and preparation of the experiment. The third section describes the specific method. The fourth section gives the experimental results and analysis. The fifth section summarizes the paper and prospects the future research.

2 Related work

2.1 Traditional network traffic classification methods

Traditional network traffic classification refers to the method of classifying and identifying traffic by analyzing the packet features of network traffic. There has been a lot of research in this field, mainly including the following aspects:

Protocol-based classification method: This is one of the earliest network traffic classification methods, which classifies traffic by identifying the protocol identifier in the packet header. This method is simple and fast but susceptible to deception and attacks.

Port-based classification method: This method classifies traffic based on port numbers, identifying the application type by determining the source and destination port numbers of the packet. This method is also simple and fast but vulnerable to port deception attacks.

Feature extraction-based classification method: This method extracts various features of packets, such as packet size and timestamp, to classify traffic. This method requires manual selection and extraction of features, which has some subjectivity.

Traditional machine learning methods: This method uses machine learning algorithms such as SVM and neural networks to classify and identify traffic. These methods have good interpretability for classification results. In traffic classification, the interpretability of classification results is very important because important features and patterns of traffic data can be obtained by analyzing the classification results.

Deep learning-based classification method: This method uses deep learning algorithms such as CNN and recurrent neural networks (RNN) to classify and identify traffic. This method can automatically extract features and has higher accuracy and flexibility.

In the early research of network traffic classification, port-based methods were widely used in practical network business. However, these methods have lower recognition accuracy for applications with dynamic ports [ 12 , 13 ]. Lim et al. fully proved that port-based methods can effectively identify applications that follow the port registration rules [ 14 ]. Most researchers now use hybrid methods that mix port-based methods with other methods to improve detection accuracy. Lu et al. proposed a hybrid method that first classifies flows into corresponding applications by packet size distribution and then groups flows into sessions by port location [ 15 ].
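An added example (not from the paper or the cited works) tying together the port-based and feature-extraction methods of this section and the packet features named in the introduction (addresses, packet length, timestamps): it groups constructed packet records into bidirectional flows, derives the statistical features a traditional classifier would consume, and places a port-table lookup beside them to show that the lookup degrades to "unknown" as soon as an application uses a dynamic port while the flow statistics remain available. The port table and all packets are assumptions constructed for the example.

```python
"""Flow-level features for traffic classification (constructed example).

Builds bidirectional flows from packet records and computes the statistical
features (packet lengths, timing, direction) that traditional ML classifiers
consume, next to a port-table lookup that fails on dynamic ports.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed table of registered ports a port-based classifier would know.
PORT_TABLE = {22: "ssh", 53: "dns", 80: "http", 443: "https"}


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    length: int     # bytes on the wire


def flow_key(p: Packet) -> tuple:
    """Canonical 5-tuple so both directions of a conversation share a flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def group_flows(packets) -> dict:
    """Group packets into bidirectional flows, ordered by capture time."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda x: x.ts):
        flows[flow_key(p)].append(p)
    return dict(flows)


def port_label(flow) -> str:
    """Port-based classification: only works for registered ports."""
    first = flow[0]
    return PORT_TABLE.get(first.dport) or PORT_TABLE.get(first.sport) or "unknown"


def flow_features(flow) -> dict:
    """Statistical features of one flow; the first packet defines 'forward'."""
    first = flow[0]
    fwd_side = (first.src, first.sport)
    fwd = [p.length for p in flow if (p.src, p.sport) == fwd_side]
    bwd = [p.length for p in flow if (p.src, p.sport) != fwd_side]
    lengths = [p.length for p in flow]
    gaps = [b.ts - a.ts for a, b in zip(flow, flow[1:])]   # inter-arrival times
    return {
        "n_pkts": len(flow),
        "n_fwd": len(fwd),
        "n_bwd": len(bwd),
        "bytes_fwd": sum(fwd),
        "bytes_bwd": sum(bwd),
        "len_mean": mean(lengths),
        "len_std": pstdev(lengths),
        "iat_mean": mean(gaps) if gaps else 0.0,
        "duration": flow[-1].ts - first.ts,
        # Download/upload byte ratio: separates bulk download from
        # interactive or symmetric peer-to-peer traffic.
        "down_up_ratio": sum(bwd) / sum(fwd) if sum(fwd) else 0.0,
    }


def summarise(packets) -> list:
    """Return (port_label, features) per flow, in order of first packet."""
    flows = group_flows(packets)
    ordered = sorted(flows.values(), key=lambda f: f[0].ts)
    return [(port_label(f), flow_features(f)) for f in ordered]


# Constructed packets: one TLS exchange on 443 and one application that
# talks to an ephemeral server port absent from PORT_TABLE.
SAMPLE_PACKETS = [
    Packet(0.00, "10.0.0.5", "93.184.216.34", 51000, 443, "tcp", 517),
    Packet(0.05, "93.184.216.34", "10.0.0.5", 443, 51000, "tcp", 1514),
    Packet(0.06, "93.184.216.34", "10.0.0.5", 443, 51000, "tcp", 1514),
    Packet(0.07, "10.0.0.5", "93.184.216.34", 51000, 443, "tcp", 80),
    Packet(0.10, "10.0.0.5", "203.0.113.9", 60123, 38217, "udp", 120),
    Packet(0.30, "203.0.113.9", "10.0.0.5", 38217, 60123, "udp", 120),
    Packet(0.50, "203.0.113.9", "10.0.0.5", 38217, 60123, "udp", 1400),
    Packet(0.70, "203.0.113.9", "10.0.0.5", 38217, 60123, "udp", 1400),
]

if __name__ == "__main__":
    for label, feats in summarise(SAMPLE_PACKETS):
        print(label, feats)
```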

Another direction for improvement is deep packet inspection (DPI), a traffic detection and control technology based on the application layer. When IP, TCP, or UDP data flows pass through a DPI system, the system extracts a feature library by in-depth analysis of the packet payload. In the traffic identification process, DPI matches the network flow load to the rules in the feature library. If the match is successful, the protocol corresponding to the rule is identified. Bujlow et al. conducted a comprehensive comparison of 6 commonly used DPI tools, including 2 commercial products (PACE and NBAR) and 4 open-source tools (OpenDPI, L7-filter, nDPI, and libprotoident). The test comparison results show that the PACE commercial tool has the best detection performance among the six tools, but some open-source tools, such as nDPI and libprotoident, can also achieve very high accuracy [ 16 ].

With the rapid development of network applications, some new applications no longer follow simple port registration rules, and some are encrypted. Therefore, neither port-based nor DPI-based methods can directly analyze such network traffic [ 17 ].

In recent years, machine learning methods such as SVM, Bayesian, KNN, and neural networks have been widely applied in network traffic classification with some success. However, existing flow correlation methods based on passive flow analysis technology have problems of high storage and huge computational overhead. Hu et al. [ 18 ] proposed a novel flow correlation method based on compressed sensing-neural network. This method takes the traffic features after dimensionality reduction as the input of the convolutional neural network, extracts the correlation features through the convolutional neural network, and then uses the one-class SVM classifier to judge the correlation.

As can be seen from the above, machine learning methods have been applied to traffic classification, but their performance depends on the correct selection of traffic features and manual decision-making. This means that they cannot automatically adapt to new changes in the network. In contrast, deep learning methods generally have strong self-learning capabilities and do not require human intervention during model training. As a result, more and more researchers have begun to pay attention to and use deep learning methods to classify network flows. At present, the main popular deep learning models are convolutional neural networks (CNNs), recurrent neural networks (RNNs), and so on. These models have made great achievements in network security [ 19 ], computer vision [ 20 ], natural language processing [ 21 , 22 ], speech recognition [ 23 , 24 ], and other fields.

Wang et al. [ 9 ] proposed a malware traffic classification method using CNN. This method does not require manual feature engineering but directly uses raw network traffic as input to the classifier. It is the first attempt to apply representation learning to malware traffic classification, and the results of related experiments are promising. However, the authors also point out two potential limitations of the method:

The generalization ability of the method needs further verification.

The method only considers the spatial features of network traffic and ignores temporal features.

Li et al. [ 25 ] introduced RNN to network traffic classification. In this method, network datagrams are divided into several byte segments, which are then fed to the RNN for training and learning. Finally, the softmax function is applied to output the traffic type. The authors believe that this method has several advantages over traditional machine learning methods:

No prior knowledge of the target application is required.

Different protocols and multi-class operations can be handled.

To overcome the limitations of single deep learning models, researchers have begun to explore the use of multiple deep learning models in combination. For example, RNN and LSTM can be combined to analyze and refine network characteristics from multiple angles. Currently, researchers are exploring how to combine and optimize different classification methods to achieve more accurate and efficient traffic classification and identification. Additionally, researchers are also constantly exploring and researching new methods and technologies to address the challenges of classifying new applications and encrypted traffic.

2.2 Encryption and application traffic classification methods

With the widespread use of encryption and application software, network traffic classification faces new challenges. In response to these challenges, researchers have conducted a series of related work.

Encryption traffic classification: Traditional network traffic classification methods cannot accurately identify the type of encrypted traffic due to the difficulty of decrypting and analyzing encrypted traffic. Researchers have proposed encryption traffic classification methods based on traffic statistical features and machine learning algorithms, such as Hidden Markov models (HMM) and collaborative decomposition algorithms.

Application software traffic classification: The classification of application software traffic is subjective and complex. Researchers have proposed a number of methods to overcome these problems, such as host behavior, user behavior, and deep learning.

End-to-end representation learning: End-to-end representation learning is a new traffic classification method that learns the end-to-end representation of network traffic to achieve traffic classification and identification. This method can overcome the problem of manual feature selection and extraction in traditional methods and has higher accuracy and flexibility.

Network traffic classification platforms: Researchers have developed a number of network traffic classification platforms, such as OpenDPI, L7-filter, and DPI-LIB, to facilitate and accelerate traffic classification research. These platforms provide convenient traffic classification tools and datasets, which can help researchers to conduct traffic classification research more quickly.

Network encrypted traffic classification is a technique for identifying and classifying encrypted traffic. Many researchers have attempted to solve this problem using different methods. Here are some related work introductions:

Deep learning-based encrypted traffic classification: This method employs deep learning models to automatically extract features from encrypted traffic and subsequently classify it. By utilizing models such as convolutional neural networks (CNNs) or recurrent neural networks (RNNs), the transmission characteristics of encrypted traffic can be fed as inputs to identify and categorize the traffic. Shapira et al. [ 26 ] introduce a novel method for classifying encrypted Internet traffic. Their approach involves converting elementary stream data into images and then applying a CNN technique to identify traffic categories (e.g., browsing, chatting, video). Lotfollahi et al. [ 11 ] attempt to distinguish between encrypted and non-encrypted traffic by combining a stacked autoencoder with a CNN method. While this approach performs well on ISCX data streams, it struggles to identify subcategories of network streams when tested on Tor and YouTube data streams.

Statistical analysis-based encrypted traffic classification: This method employs statistical analysis techniques to examine the properties of encrypted traffic and extract valuable information for classifying it. For instance, Bayesian classifiers or support vector machines can be utilized to categorize encrypted traffic. Ammar Almomani proposed a system for analyzing and classifying VPN and non-VPN traffic using a new machine learning classifier called stacking ensemble learning. This approach was applied for the first time to a VPN and non-VPN attack problem. By combining predictions from multiple learning mechanisms (random forest, neural network, and support vector machine), ensemble learning was employed to enhance prediction accuracy [ 27 ].

Feature extraction-based encrypted traffic classification: This method classifies encrypted traffic by extracting and analyzing its features. For example, wavelet transform can be used to extract time-domain and frequency-domain features of encrypted traffic, and then a classifier can be employed to categorize the traffic. Okada et al. [ 28 ] investigated the impact of encryption on traffic features. They created a training dataset containing HTTP, FTP, SSH, and SMTP application protocols encrypted using PPTP and IPsec tunnels. The authors evaluated 49 traffic features and analyzed which ones had strong correlations in normal and encrypted traffic. They then used the correlated features to infer the function that transforms features between normal and encrypted traffic. Consequently, standard classifiers can be used to classify transformed traffic. The authors employed the Naive Bayesian classifier and made several modifications to validate their approach.

Rule-based encrypted traffic classification: This method uses predefined rules to determine the type and purpose of encrypted traffic. For example, the type of encrypted traffic can be ascertained by analyzing the features of the TLS handshake protocol. TLS is an encryption protocol that provides privacy for applications and is typically used to encapsulate common application layer protocols, such as HTTP and SMTP protocols. For instance, for SSL/TLS traffic, the following rules can be used to classify it:

If the handshake message contains an RSA key exchange algorithm, the traffic type is RSA.

If the handshake message contains an ECDHE key exchange algorithm, the traffic type is ECDHE.

If the handshake message contains an AES encryption algorithm, the traffic type is AES.

If the SHA digest algorithm is included in the handshake message, the traffic type is SHA.

These rules can be defined through an understanding of the TLS protocol and can be implemented through software to identify the type of encrypted traffic. Rule-based encryption traffic classification methods can quickly identify encryption traffic types, but their disadvantage is that they cannot adapt to new encryption protocols or algorithms, requiring constant updating and maintenance of rule tables.
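The rule table above can be implemented directly against the plaintext part of the TLS handshake. The following is an added example, not code from the paper: it parses a ServerHello record, reads the negotiated cipher suite, and applies the four rules to the suite's name. The cipher-suite code points are the real IANA values; the ServerHello bytes are constructed by the helper for illustration (no extensions). The TLS 1.3 suite is included because it shows the maintenance problem the text mentions: its name no longer encodes a key exchange, so the RSA/ECDHE rules silently stop applying until the table is updated.

```python
import struct

# Real IANA code points for a small, constructed subset of cipher suites.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3: the suite no longer names the key exchange
}

def parse_server_hello(record: bytes) -> dict:
    """Extract version, session-id length and cipher suite from a TLS ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    sid_len = hs[34]                      # 2 bytes version + 32 bytes random precede it
    pos = 35 + sid_len
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    return {"version": version, "session_id_len": sid_len, "cipher_suite": suite}

def classify_by_rules(suite: int) -> list:
    """Apply the text's four rules to the suite name; returns every label that applies."""
    name = CIPHER_SUITES.get(suite)
    if name is None:
        return ["unknown-suite"]          # rule table needs an update for this suite
    parts = name.split("_")
    kx = parts[1:parts.index("WITH")] if "WITH" in parts else []   # key-exchange tokens
    labels = []
    if "ECDHE" in kx:
        labels.append("ECDHE")
    elif kx == ["RSA"]:
        labels.append("RSA")              # RSA used as the key exchange, not only for signing
    if "AES" in parts:
        labels.append("AES")
    if any(p.startswith("SHA") for p in parts):
        labels.append("SHA")
    return labels

def build_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Constructed ServerHello record (no session id, no extensions) for exercising the parser."""
    hs = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body

def classify_record(record: bytes) -> list:
    """Parse a ServerHello record and classify the negotiated suite."""
    return classify_by_rules(parse_server_hello(record)["cipher_suite"])

if __name__ == "__main__":
    for code in CIPHER_SUITES:
        print(f"{code:#06x} {CIPHER_SUITES[code]:45s} -> {classify_record(build_server_hello(code))}")
```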

For example, Wei et al. [ 29 ] proposed the HNNIM (hybrid neural network identification model) model to identify malicious TLS traffic. The goal is to address the issue that classical machine learning methods are heavily influenced by expert experience, resulting in suboptimal identification and classification outcomes. The HNNIM model combines plaintext information from the TLS protocol’s handshake phase and the TCP protocol’s header field information, reducing reliance on expert experience and effectively improving the identification and classification of malicious TLS traffic. Korczyński and Duda [ 30 ] proposed a Markov-based method for detecting anomalous encrypted communication by extracting fingerprints from the payload of data packets in TLS/SSL sessions to identify encrypted application traffic and then modeling the TLS/SSL message type sequence using a first-order Markov chain to detect anomalous encrypted communication. This method is applicable to unidirectional communication from the server to the client for a given application but requires upgrading and updating of the application and periodic updating of the fingerprints.
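The first-order Markov modeling of the TLS message-type sequence can be shown in a few lines. The following is an added example, not the authors' implementation: it trains a smoothed transition matrix on server-side message-type sequences and flags a session whose sequence has a low average transition log-probability. The training sequences are constructed stand-ins for a full TLS 1.2 handshake and a session resumption, not captured data; the threshold rule (lowest score seen in training) is an assumption made for the illustration.

```python
from collections import defaultdict
import math

START, END, UNK = "<s>", "</s>", "<unk>"

def train_markov(sequences, alpha=1.0):
    """First-order Markov chain over message types with add-alpha smoothing.
    Returns {prev_symbol: {next_symbol: probability}} over all observed symbols plus markers."""
    symbols = sorted({s for seq in sequences for s in seq} | {START, END, UNK})
    counts = {a: defaultdict(float) for a in symbols}
    for seq in sequences:
        prev = START
        for s in list(seq) + [END]:
            counts[prev][s] += 1
            prev = s
    n = len(symbols)
    probs = {}
    for a in symbols:
        total = sum(counts[a].values()) + alpha * n
        probs[a] = {b: (counts[a][b] + alpha) / total for b in symbols}
    return probs

def score(model, seq):
    """Average log-probability per transition; message types never seen in training map to <unk>."""
    norm = [s if s in model else UNK for s in seq]
    prev, total = START, 0.0
    for s in norm + [END]:
        total += math.log(model[prev][s])
        prev = s
    return total / (len(norm) + 1)

# Constructed server-to-client message-type sequences standing in for benign sessions.
FULL = ["ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone",
        "ChangeCipherSpec", "Finished"]
RESUMED = ["ServerHello", "ChangeCipherSpec", "Finished"]
BENIGN = [FULL] * 5 + [RESUMED] * 2

MODEL = train_markov(BENIGN)
THRESHOLD = min(score(MODEL, s) for s in BENIGN)   # assumption: lowest benign score is the floor

def is_anomalous(seq, model=MODEL, threshold=THRESHOLD):
    """Flag a session whose message-type sequence scores below the benign floor."""
    return score(model, seq) < threshold

if __name__ == "__main__":
    odd = ["ServerHello", "Finished", "Certificate", "Certificate", "Certificate"]
    print("full handshake:", round(score(MODEL, FULL), 3), is_anomalous(FULL))
    print("odd sequence:  ", round(score(MODEL, odd), 3), is_anomalous(odd))
```

Because the chain only looks at the order of message types, it works on the unencrypted handshake envelope and never needs the session keys; the price, as the text notes, is that the benign profile must be retrained whenever the application changes its handshake behaviour.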

As new applications and services emerge, network traffic becomes more complex and diverse, making application-level traffic classification increasingly important and popular. However, existing methods for traffic classification often have limitations in achieving acceptable real-time performance.

Kyu-Seok Shim et al. [ 31 ] proposed a new method for application-level traffic classification that utilizes a sequence of payload sizes to generate unique signatures for each application. By analyzing the packet order, direction, and payload size of the first N packets in a flow, this method identifies application traffic with high accuracy and completeness rates, over 95% and 93%, respectively.

Jae-Hyun et al. [ 32 ] also used payload size sequence (PSS) signatures to classify application-level traffic. PSS signatures represent unique flow patterns for each application, which can be used to differentiate between applications. PSS signatures are generated for each application using statistical information of flows obtained from application traffic traces. This method can easily and quickly classify application traffic in real-time networks by matching the PSS signatures of new flows to those of each application.
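The payload-size-sequence idea in the two papers above can be shown end to end with a small matcher. This is an added example, not code from either paper: a signature is the tuple of signed payload sizes (sign = direction) of the first N packets of each training flow, and a new flow is assigned to the application whose signature it matches within a per-position size tolerance. N = 4, the 5% tolerance and the one-mismatch allowance are assumptions chosen for the illustration; the traces are constructed, not real captures.

```python
N = 4            # leading packets used for the signature (assumption for this example)
TOLERANCE = 0.05 # allowed relative size deviation per position (assumption)

# Constructed traces: each flow is a list of (direction, payload_size), +1 = client->server.
TRACES = {
    "app_a": [[(+1, 120), (-1, 1400), (-1, 1400), (+1, 50)],
              [(+1, 118), (-1, 1400), (-1, 1380), (+1, 50)]],
    "app_b": [[(+1, 40), (+1, 300), (-1, 60), (-1, 900)],
              [(+1, 42), (+1, 305), (-1, 60), (-1, 880)]],
}

def pss(flow, n=N):
    """Payload size sequence of the first n packets, sign carrying the direction."""
    return tuple(direction * size for direction, size in flow[:n])

def build_signatures(traces, n=N):
    """One signature set per application, built from its training flows."""
    return {app: {pss(f, n) for f in flows} for app, flows in traces.items()}

def distance(sig, cand, tol=TOLERANCE):
    """Number of positions whose direction differs or whose size is outside the tolerance."""
    if len(sig) != len(cand):
        return max(len(sig), 1)
    bad = 0
    for a, b in zip(sig, cand):
        if (a > 0) != (b > 0) or abs(abs(a) - abs(b)) > tol * max(abs(a), 1):
            bad += 1
    return bad

SIGNATURES = build_signatures(TRACES)

def classify_flow(flow, signatures=SIGNATURES, max_mismatch=1):
    """Return the best-matching application, or 'unknown' if every signature is too far."""
    cand = pss(flow)
    best_dist, best_app = min(
        (distance(sig, cand), app) for app, sigs in signatures.items() for sig in sigs
    )
    return best_app if best_dist <= max_mismatch else "unknown"

if __name__ == "__main__":
    new_flow = [(+1, 121), (-1, 1400), (-1, 1390), (+1, 52), (+1, 10)]
    print(classify_flow(new_flow))
```

Only the first N packets are inspected, which is what gives the approach its real-time property; a flow that matches no signature is reported as unknown rather than forced into a class.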

Although some achievements have been made in application traffic classification, one of the main problems facing encrypted application traffic classification is encryption. Since the packet payload is encrypted, the traditional feature-based traffic classification method cannot be directly applied to encrypted traffic. Secondly, the characteristics of encrypted traffic and ordinary traffic are very different, so special techniques and algorithms are needed to distinguish them. In addition, as encryption technology continues to evolve and update, traffic classification methods need to be constantly updated and improved to maintain effectiveness. Finally, the number and variety of encryption applications are increasing, and the accuracy and scalability of classification methods need to be improved constantly.

End-to-end representation learning refers to the process of learning high-level features or representations from raw data using neural networks. In the field of traffic classification, end-to-end representation learning can automatically learn the characteristics of traffic without relying on manually defined characteristics.

DeepPacket and DeepFlow are traffic classification methods that utilize deep representation learning. In [ 33 ], the authors employed a convolutional neural network (CNN) and a stacked autoencoder (SAE) to classify encrypted traffic data. They improved model performance using data augmentation and SAE learning techniques and demonstrated that DeepPacket outperformed traditional rule and feature-based methods. Similarly, in [ 34 ], the authors used CNNs and recurrent neural networks to classify data packets. They enhanced performance with data augmentation, transfer learning, and deep supervision and showed that DeepFlow outperformed traditional methods. In [ 35 ], the authors summarized various deep learning methods used in network traffic classification, including CNNs, recursive neural networks, and autoencoders. Experimental results indicated that deep learning methods outperformed traditional rule and feature-based methods and performed well in different types of traffic classification tasks.

In summary, traditional machine learning methods typically require feature extraction from network flows and classification using machine learning and rule definitions. The effectiveness of network traffic classification depends on feature extraction and rule definition and requires trustworthy public network traffic datasets for comparison. With the increasing popularity of encryption technology, analyzing encrypted network traffic effectively has become an urgent problem to solve. The complexity of network services also requires continuous exploration of how to classify different types of network flows. Although representation learning has made great progress in network traffic classification, there are still some outstanding issues to be addressed, including the following:

Classification of unknown traffic: Representation learning algorithms typically require a large amount of training data to generate effective feature representations. However, in practical networks, there may be some unknown traffic types that cannot be properly classified. Therefore, how to classify unknown traffic is still a challenge.

Classification of encrypted traffic: The widespread use of encryption communication technology has led to an increasing amount of encrypted traffic in networks. Due to the concealment of encrypted communication, encrypted traffic is difficult to be detected and recognized by traditional rule-based or feature-based classification methods. Therefore, how to effectively classify encrypted traffic is still an important issue.

Classification of variable traffic: Traffic types in networks are usually diverse and dynamically changing. For example, the traffic of the same application may change due to upgrades or updates, and even the traffic of the same application used by different users may differ. Therefore, how to classify variable traffic is still a challenging problem.

Classification of anomalous traffic: Anomalous traffic, such as attack traffic and virus traffic, often appears in networks. The features of this traffic are usually different from normal traffic, so special classification methods are needed to identify them. However, current representation learning algorithms still face certain challenges in dealing with anomalous traffic.

3 Proposed solution

Deep learning has been proven to be very effective in network traffic classification tasks. However, the increasing diversity of network traffic and encrypted traffic demands continuous improvement and optimization of these models. In order to further improve the classification accuracy of encrypted and network application traffic, this paper proposes the use of multiple deep learning models to enhance network traffic classification. The paper also considers aspects such as dataset, feature selection, model optimization, and model fusion.

The paper emphasizes the importance of dataset quality and diversity and the need to collect valid data. For different types of traffic, appropriate end-to-end representation learning methods should be used. Using various model optimization techniques, such as adaptive learning rate, dropout, and batch normalization, can improve model performance. In addition, using multiple model fusion methods, such as voting, weighted averaging, and stacking, can further improve model performance.

The comprehensive use of these technologies and methods can effectively improve the accuracy and generalization ability of network traffic classification, especially in the area of encrypted and network application traffic classification.

In this section, a deep learning-based spatiotemporal correlation network flow classification model is proposed. The model combines the advantages of convolutional neural network (CNN) and long short-term memory (LSTM). The model framework is shown in Fig. 1.

Fig. 1: Network architecture

To automatically and effectively extract and represent the spatiotemporal features of network flows, the proposed model performs the following steps:

The model utilizes LSTM to extract the temporal features of the network flow.

The model applies the squeeze-and-excitation (SE) mechanism to optimize the CNN network structure and improve its training performance.

LSTM is a type of neural network with memory function and is well-suited for processing temporal data. Given that network flow is a typical time series data, LSTM is a suitable choice for training the model.

CNN, on the other hand, has a strong ability in image feature extraction. It usually comprises three main components: the convolution layer, the pooling layer, and the fully connected layer. The convolution layer convolves local regions of the input data with the convolution kernel, while the pooling layer reduces the dimension of the training features. The fully connected layer is a traditional multilayer perceptron, often used as the output.

The CNN-SE-net is achieved by integrating the SE module with the traditional CNN network. The SE module is an attention mechanism that can be embedded in other classification or detection models. Its core idea is to learn feature weights based on the loss function through the network, so that the effective feature map has a larger weight, while the ineffective feature map has a smaller weight.

The detailed implementation of the model is shown in Sect. 3.3.

3.1 Datasets

A good dataset is a necessary condition for verifying the correctness of a method. Currently, researchers mainly rely on some well-known network attack datasets (such as KDD-CUP99 [ 36 ], NSL-KDD [ 37 ], and UNSW_NB15 [ 38 ]) to test network traffic classification methods. For example, Gao et al. [ 39 ] used the KDD-CUP99 dataset to validate their method of combining multiple Boltzmann machines and back-propagation algorithms to classify network flows. Shone [ 40 ] and Zhang et al. [ 19 ] tested the intrusion detection systems they developed on the NSL-KDD and UNSW_NB15 datasets, respectively.

Although these datasets contain some classic examples of network attacks, some of them are outdated and cannot adapt to new network scenarios. As time goes on, network traffic and attack types and patterns are constantly changing. Therefore, evaluating intrusion detection methods using outdated datasets may lead to evaluation results that do not match the actual situation.

To address this problem, researchers can take the following measures:

Create new datasets: Researchers can create new datasets to reflect the current network attacks and traffic. This can be achieved by monitoring real-time network traffic and recording attack behavior.

Update existing datasets: Researchers can update existing datasets to reflect current network attacks and traffic. This can be achieved by adding new attack types and patterns.

Develop more generic evaluation frameworks: Researchers can develop more generic evaluation frameworks that can be applied not only to existing datasets but also to new datasets. This can be achieved by designing more flexible and scalable evaluation metrics.

Use mixed datasets: Researchers can use mixed datasets, which combine multiple datasets to reflect a wider range of attacks and traffic. This can be achieved by combining existing datasets or collecting data from different sources.

In summary, as network attacks and traffic continue to evolve, evaluating the relevance of intrusion detection methods becomes increasingly difficult. To address this issue, researchers need to take innovative approaches to create new datasets, update existing datasets, develop more generic evaluation frameworks, and use mixed datasets.

In order to verify the comprehensive ability of the proposed method in this paper, multiple different datasets were used, including three commonly used datasets: ISCX VPN-nonVPN [ 41 ], USTC-TFC2016 [ 42 ], and the YouTube dataset [ 43 ]. These three datasets contain a large amount of encrypted, unencrypted, abnormal, and normal traffic, and the proposed method was thoroughly tested from both binary and multi-class perspectives.

The ISCX VPN-nonVPN dataset consists of both VPN and non-VPN network traffic, providing a means to evaluate the performance of intrusion detection systems and network security algorithms. VPNs employ encryption and authentication to safeguard data communication, offering enhanced network security. This dataset encompasses real-world network environments and encompasses various common network protocols such as HTTP, SSH, FTP, SMTP, and DNS. Additionally, it includes instances of common network attacks like DDoS attacks, port scanning, and malware propagation.

Widely utilized in academic research and practical applications, the ISCX VPN-nonVPN dataset serves as a valuable resource for studying network attack detection, intrusion detection algorithms and tools, and testing defense performance. The Canadian Cybersecurity Institute stores this dataset in PCAP format, with network traffic categorized into 12 types based on protocol type, including chat, email, file transfer, streaming, torrent, VoIP, and more (Table 1).

The USTC-TFC2016 dataset, released by the Security Laboratory of the University of Science and Technology of China, comprises video traffic data collected from real-world scenarios covering multiple video applications and network protocols. Captured using packet capture technology between March and June 2016, the dataset includes various application scenarios spanning local networks and the Internet. It encompasses video protocols such as HTTP, RTSP, UDP, RTP, SIP, Skype, and QQ video. The USTC-TFC2016 dataset serves as a vital resource for research on video traffic analysis, video content recognition, traffic classification, network application performance evaluation, and related fields. It is widely recognized as a significant video traffic dataset. Table 1 illustrates that the dataset encompasses 20 network flows, consisting of 10 normal flows and 10 abnormal flows.

The YouTube dataset comprises 100 encrypted video streams from Chrome, with each video viewed 100 times. These videos’ titles are derived from current popular topics, including news, sports, nature, and more. For example, in the directory http://www.cse.bgu.ac.il/title_fingerprinting/dataset_chrome_100/Hollyweezy/ , there are 100 PCAPs, with “Hollyweezy” representing the video title. The dataset also includes some data packets with delays and packet loss for testing purposes.

The purpose of this dataset is to develop a model capable of identifying video titles associated with encrypted video traffic. In order to validate the proposed method’s ability to accurately identify encrypted network flows, this publicly available dataset is employed. Due to the large number of source data samples and the space they occupy, only 10 samples are selected for testing and evaluation in this experiment, with a total PCAP stream size of 3.24 GB.

3.2 Preprocessing

Since the original network packets in PCAP format cannot be directly used as the input of this model, this paper refers to the literature [ 9 ] to preprocess the dataset for the PCAP packets. The specific steps include the following: traffic filtering, image generation, and IDX format conversion.

3.2.1 Step 1 (traffic filtering)

Since a session is a bidirectional network flow, it contains more abundant information than a unidirectional flow. Therefore, this paper adopts the traffic classification method based on the session mode. This step splits the PCAP-formatted raw packets into individual session-level packets and then cleans the traffic to remove empty and duplicate files that affect model training.

In this step, this paper uses the SplitCap [ 44 ] tool to split the network flow from flow to session level. SplitCap is a free and open-source PCAP file splitter. SplitCap splits a large PCAP file into multiple files based on TCP and UDP sessions, one PCAP file per session. The TCP and UDP session concepts in SplitCap are defined as bidirectional streams, i.e., all frames/packets with the same 5-tuple (source host, destination host, source port, destination port, transport protocol).

From the protocol-level analysis, the traffic characteristics are mainly reflected in the application layer. For example, the SMTP protocol stands for mail traffic and HTTP for browser traffic. If the relevant network features are only obtained from a single PCAP packet, the entire process of the network session cannot be accurately reflected. By using session-based traffic analysis, new implicit statistical features can be obtained, such as blocking window size, out-of-order segments, and network forward and backward flow byte sizes.

3.2.2 Step 2 (image generation)

To facilitate the processing of the CNN training model, the following steps are taken. Firstly, the cleaned files are standardized to a length of 784 bytes. If a file is longer than 784 bytes, it is truncated, and if it is shorter, it is padded with 0x00 bytes. Each byte in the original packet represents a pixel in the image, resulting in a conversion of 784 bytes of stream data into a 28 × 28 image matrix. Each image has three parameters: height (H), width (W), and channel (C).

To convert PCAPs/flows into a 784-byte image, the following steps are involved:

Obtain PCAPs/flows data: PCAPs are packet capture file formats, while flows are a data representation method based on network traffic statistics. Tools such as Wireshark and Tcpdump can be used to collect this data.

Preprocess the PCAPs/flows data: Since PCAPs/flows data is typically large, preprocessing is necessary to reduce the data volume and extract relevant information. This involves filtering out unnecessary packets, extracting packets within a specific time period, and removing irrelevant data based on specific requirements.

Feature extraction: Useful features such as packet length, source IP address, destination IP address, source port number, destination port number, and transport layer protocol type need to be extracted to convert PCAPs/flows data into an image. The selection of features depends on the specific task at hand, such as detecting malicious traffic by extracting traffic direction and duration.

Feature encoding: The extracted features need to be encoded, which can be achieved through techniques like one-hot encoding or embedding encoding. The choice of encoding method should consider its impact: one-hot encoding results in high-dimensional vectors with feature independence, while embedding encoding maps features to a lower-dimensional space but may lead to information loss.

Conversion of encoded features into an image involves the following steps:

Arrange the encoded features into a one-dimensional vector according to a specific order. For example, if there are n features, each encoded with a length of m, these n features should be concatenated in order to form a one-dimensional vector of length n*m.

Rearrange the one-dimensional vector into a 28 × 28 matrix, where the 784 values are reshaped into a matrix with 28 rows and 28 columns.

Map the values in the matrix to pixel values using techniques like linear mapping or logarithmic mapping. For instance, to map the feature value range to the integer range of 0–255, the linear mapping formula can be applied as follows: pixel_value = (feature_value - min_feature_value) × 255/(max_feature_value - min_feature_value).

Optional post-processing steps can be performed on the generated image, such as image enhancement or denoising, to improve the image quality.

3.2.3 Step 3 (IDX format conversion)

The processed data is converted into the IDX file format, which serves as the input for the LSTM and CNN networks [ 45 ].
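The three preprocessing steps (session splitting and cleaning, 784-byte image generation, IDX conversion) can be run end to end on a handful of packets. The following is an added example and not the paper's pipeline, which uses SplitCap and the tooling of [ 9 ]; here the bidirectional 5-tuple grouping that SplitCap performs is reimplemented directly, the packets are constructed in memory instead of being read from a PCAP file, and the IDX3 header layout (magic 0x00000803, count, rows, columns) is the conventional one. Because each pixel is a raw byte already in 0–255, the linear mapping of Step 2 is the identity in this case.

```python
import struct

H = W = 28
IMG_BYTES = H * W  # 784 bytes per session image, as in the text

def session_key(pkt):
    """Direction-independent 5-tuple so both directions of a flow share one session."""
    src, sport, dst, dport, proto, _payload = pkt
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def split_sessions(packets):
    """Step 1 (SplitCap-style): concatenate payloads per bidirectional 5-tuple, in arrival order."""
    sessions = {}
    for pkt in packets:
        sessions.setdefault(session_key(pkt), bytearray()).extend(pkt[5])
    return sessions

def clean(sessions):
    """Step 1 cleaning: drop empty sessions and exact duplicates that would skew training."""
    seen, kept = set(), {}
    for key, data in sessions.items():
        b = bytes(data)
        if not b or b in seen:
            continue
        seen.add(b)
        kept[key] = b
    return kept

def to_image(data):
    """Step 2: truncate or zero-pad to 784 bytes and reshape into 28 rows of 28 pixels."""
    fixed = data[:IMG_BYTES].ljust(IMG_BYTES, b"\x00")
    return [list(fixed[r * W:(r + 1) * W]) for r in range(H)]

def write_idx3(images):
    """Step 3: IDX3 bytes (big-endian magic 0x00000803, count, rows, cols, then unsigned-byte pixels)."""
    out = bytearray(struct.pack(">IIII", 0x00000803, len(images), H, W))
    for img in images:
        for row in img:
            out.extend(bytes(row))
    return bytes(out)

def preprocess(packets):
    """Run all three steps; returns (list of 28x28 images, IDX3 file bytes)."""
    sessions = clean(split_sessions(packets))
    images = [to_image(data) for data in sessions.values()]
    return images, write_idx3(images)

# Constructed packets: (src, sport, dst, dport, proto, payload). Addresses and contents are made up.
A, B, C = "10.0.0.1", "10.0.0.2", "10.0.0.3"
PACKETS = [
    (A, 40000, B, 80, "tcp", b"GET / HTTP/1.1\r\n"),
    (A, 40001, C, 25, "tcp", b"EHLO a\r\n"),
    (B, 80, A, 40000, "tcp", b"HTTP/1.1 200 OK\r\n" + b"x" * 1000),  # reverse direction, same session
    (A, 40002, C, 25, "tcp", b"EHLO a\r\n"),   # identical content: removed as a duplicate
    (A, 40003, B, 443, "tcp", b""),            # no payload: removed as an empty session
]

if __name__ == "__main__":
    images, idx = preprocess(PACKETS)
    print(len(images), "session images,", len(idx), "IDX bytes")
```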

To ensure clarity in the preprocessing process, let us use an example from the YouTube dataset, specifically the flow titled “Maroon 5_Sugar.” Fig. 2 showcases a selection of original flows downloaded from the network in this study. The IDX format is commonly used for storing large multidimensional arrays or tensors efficiently. By converting the preprocessed data into IDX files, it becomes compatible with the LSTM and CNN networks, enabling further analysis and classification tasks. It is worth noting that IDX format conversion provides a structured and standardized representation of the data, facilitating seamless integration with the chosen network models for subsequent processing and analysis.

Fig. 2: Some of the original Maroon_5_Sugar flows

The first PCAP network flow consists of a total of 63,855 TCP records. Visual representation of these records can be achieved using tools like Wireshark, as depicted in Fig. 3. While Wireshark allows for basic information retrieval, such as source IP address and source port, it does not provide statistical insights into network sessions.

Fig. 3: The information of Maroon_5_Sugar_Train03_39_04 flow

After completing step 1, subflows in session-level PCAP format are obtained, as illustrated in Fig. 4. Furthermore, comprehensive network communication information can be obtained by opening a session PCAP packet in Wireshark, as depicted in Fig. 5. This includes details of TCP flow establishment, data transmission, and release, along with various relevant statistical features that can be calculated.

Fig. 4: Some subflows in session-level PCAP format

Fig. 5: A complete session network subflow

After the processing of step 2, the network session flow is converted into a 784-byte image, which serves as the input for the CNN network. The processed images of the three datasets are displayed in Figs. 6, 7, and 8, respectively. It is evident that most of the images exhibit distinguishable texture features, while only a few share similarities, such as FTP and SMB. The traffic visualization results indicate clear distinctions between images representing different types of traffic, demonstrating the feasibility of using session flow-generated images for traffic classification.

Fig. 6: Visualization of ISCX VPN-nonVPN

Fig. 7: Visualization of USTC-TFC2016

Fig. 8: Visualization of YouTube

Network traffic is the language of communication between computers, which is transmitted in the form of sequence in the network and contains rich time-related information. In order to comprehensively analyze the network traffic and extract its temporal correlation features, this paper adopts the LSTM method.

LSTM networks are a special type of RNN that can learn long-term dependencies. LSTM was proposed by Hochreiter and Schmidhuber in 1997 [ 46 ]. In many problems, LSTMs have achieved considerable success and are widely used. The structure of the LSTM model used in this paper is shown in Fig. 9. The long- and short-term memory network consists of several long- and short-term memory units, which are composed of linear units and a self-connection with a constant weight of 1.0. This allows a value (forward pass) or gradient (backward pass) to flow into this self-looping unit and be saved and retrieved after the desired time step.

Fig. 9: The structure of the LSTM model

The 784-byte data obtained from the preprocessed network stream will be converted into a matrix with a value between 0 and 255, and then, this matrix will be generated into a 28 × 28 × 1 single-channel image. These images will be sent to the LSTM model to extract the time series features contained in the network flow. The internal structure of LSTM is more complex, and the core is the unit state flow shown in Fig. 9. The unit state flow is controlled and adjusted by three gate mechanisms: forgetting gate ( \({F}_{t}\) ), input gate ( \({I}_{t}\) ), and output gate ( \({O}_{t}\) ).

The output of the previous cell \({h}_{t-1}\) and the input data of the current cell \({x}_{t}\) are entered into the forgetting gate at the same time to obtain the information retention degree of the previous hidden layer, and the value is \({F}_{t}\) .

where \(\sigma\) refers to the sigmoid function, \({W}_{f}\) is the weight matrix of the forgetting gate, and \({b}_{f}\) is the bias value. The input gate calculates \({I}_{t}\) and \({C}_{t}{\prime}\) to determine the new data and the extent to which it needs to be retained.

In the above formula, \({W}_{i}\) and \({W}_{c}\) are the weight matrix of the input gate, and \({b}_{i}\) and \({b}_{c}\) are the bias value. Finally, according to the calculation results of the input gate and the forgetting gate, the output gate obtains the next output results \({h}_{t}\ and\)    \({O}_{t}\) .

where \(\sigma\) refers to the sigmoid function, \({W}_{o}\) is the weight matrix of the output gate, and \({b}_{o}\) is the bias value.
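The gate computations described above, as an added example that is not part of the original paper: a minimal pure-Python LSTM cell using the symbols \({F}_{t}\), \({I}_{t}\), \({C}_{t}{\prime}\), \({O}_{t}\) and \({h}_{t}\) from this section, plus a driver that runs it over a 28 × 28 flow image one row per time step. The weights, the row-per-time-step serialization and the sample image are constructed assumptions, not values from the paper.

```python
import math
import random

# Added example (not the paper's code): one time step of a standard LSTM cell
# written with the gate names of Sect. 3.3.1. With hidden size H and input
# size D, each gate has an H x (H + D) weight matrix acting on the
# concatenation [h_{t-1}, x_t] and an H-vector bias:
#   F_t  = sigmoid(W_f [h_{t-1}, x_t] + b_f)   forget gate
#   I_t  = sigmoid(W_i [h_{t-1}, x_t] + b_i)   input gate
#   C'_t = tanh   (W_c [h_{t-1}, x_t] + b_c)   candidate cell state
#   C_t  = F_t * C_{t-1} + I_t * C'_t          cell state (the "unit state flow")
#   O_t  = sigmoid(W_o [h_{t-1}, x_t] + b_o)   output gate
#   h_t  = O_t * tanh(C_t)                     output / hidden state


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def matvec(W, v):
    """Row-major matrix times vector on plain Python lists."""
    return [sum(w * x for w, x in zip(row, v)) for row in W]


def gate(W, b, z, act):
    return [act(a + bias) for a, bias in zip(matvec(W, z), b)]


def lstm_step(x_t, h_prev, c_prev, p):
    """One LSTM step; p maps W_f, b_f, W_i, b_i, W_c, b_c, W_o, b_o to lists."""
    z = list(h_prev) + list(x_t)                          # [h_{t-1}, x_t]
    F_t = gate(p["W_f"], p["b_f"], z, sigmoid)
    I_t = gate(p["W_i"], p["b_i"], z, sigmoid)
    Cc_t = gate(p["W_c"], p["b_c"], z, math.tanh)
    c_t = [f * c + i * cc for f, c, i, cc in zip(F_t, c_prev, I_t, Cc_t)]
    O_t = gate(p["W_o"], p["b_o"], z, sigmoid)
    h_t = [o * math.tanh(c) for o, c in zip(O_t, c_t)]
    return h_t, c_t


def make_params(hidden, inputs, seed=None):
    """Gate parameters. seed=None gives all zeros, so every gate outputs 0.5 and
    the recurrence can be checked by hand; an int seed gives small deterministic
    pseudo-random weights standing in for trained ones (constructed, not learned)."""
    rng = random.Random(seed)

    def mat():
        return [[0.0 if seed is None else rng.uniform(-0.1, 0.1)
                 for _ in range(hidden + inputs)] for _ in range(hidden)]

    params = {name: mat() for name in ("W_f", "W_i", "W_c", "W_o")}
    params.update({name: [0.0] * hidden for name in ("b_f", "b_i", "b_c", "b_o")})
    return params


def encode_flow_image(image_rows, params, hidden):
    """Run the LSTM over a 28 x 28 byte image, one row (28 bytes scaled to [0, 1])
    per time step, and return the final hidden state h_T as the flow's temporal
    feature vector. Row-per-step serialization is an assumption: the paper does
    not say how the image is fed to the LSTM."""
    h = [0.0] * hidden
    c = [0.0] * hidden
    for row in image_rows:
        h, c = lstm_step([b / 255.0 for b in row], h, c, params)
    return h


if __name__ == "__main__":
    # Constructed 28 x 28 flow image: a few header-like bytes, then zero padding.
    img = [[0] * 28 for _ in range(28)]
    img[0][:6] = [0x45, 0x00, 0x00, 0x3C, 0x1C, 0x46]
    print(encode_flow_image(img, make_params(hidden=8, inputs=28, seed=7), hidden=8))
```

With all-zero parameters every gate equals σ(0) = 0.5, so \({C}_{t}\) = 0.5 · \({C}_{t-1}\) and \({h}_{t}\) = 0.5 · tanh(\({C}_{t}\)), which is a quick sanity check for any LSTM implementation. A trained model would replace make_params with learned weights; the cell carries no gradient logic, so it illustrates the forward pass only.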

3.3.2 CNN-SE-net

CNN is an excellent deep learning model for image processing, capable of automatically extracting features from high-dimensional data using shared convolutional kernels, without encountering significant computational challenges.

However, a single plain CNN has known limitations. First, as network depth increases, the gradients propagated back to the layers near the input shrink, so those parameters change very slowly. Second, gradient descent may converge to a local minimum rather than the global minimum. Third, pooling discards information and ignores the relationship between individual parts and the overall context.

Consequently, a single unmodified CNN is not well suited to training on network flows directly. To improve the accuracy and efficiency of CNN models for network traffic classification, this study proposes optimizations from two perspectives.

First, the receptive field of a large convolutional kernel can be simulated by stacking several 3 × 3 kernels: three stacked 3 × 3 kernels cover the same receptive field as one 7 × 7 kernel. This increases the depth of the network and its search space while reducing the number of parameters (27 weights per input/output channel pair instead of 49) and improves overall performance [ 47 ]. In addition, a smaller stride avoids the loss of detail associated with larger strides, so this study sets the stride to 1.

Secondly, the self-attention mechanism of the SE module [ 48 ] is employed to extract spatial and channel information while recalibrating the interdependence among feature map channels. The SE module generates modulation weights based on the global information of the feature map, enhancing or suppressing different channels based on specific classification tasks.

The attention mechanism, also referred to as “neural network attention,” comprises three steps: information input, calculation of attention distribution, and processing of input information based on the calculated attention distribution. By incorporating the self-attention mechanism into the CNN model, this study effectively captures spatial and channel dependencies, leading to improved performance in network traffic classification tasks.

Let \(a \in {\mathrm{R}}^{\mathrm{d}}\) be the input vector, \(\mathrm{X }= [{\mathrm{x}}_{1}, {\mathrm{x}}_{2}, \cdot \cdot \cdot , {\mathrm{x}}_{n}]\) be \(N\) input samples, \(q \in {R}^{k}\) be the query vector or feature vector, and \(Z \in [1, N]\) be the attention variable, which indicates the position of the selected information. For example, \(z = i\) means the \(i\) -th input vector is selected.

The general attention mechanism is divided into soft attention and hard attention. The formulas of the soft attention mechanism are generally as follows:

where \({a}_{i}\) is called the attention distribution and \(s\left({x}_{i},q\right)\) is the attention scoring function. The attention distribution \({a}_{i}\) can be interpreted as the degree of attention paid to the \(i\) -th input vector for a given query \(q\) . Soft attention then aggregates the inputs weighted by this distribution.

Hard attention selects information based on maximum sampling or random sampling. Among them, the formula for selecting the input information with the highest probability is as follows:

The specific implementation of embedding SE in CNN is shown in Fig.  10 .

figure 10

SE mechanism-embedded process

After preprocessing, the original network flow is input into the LSTM module for time series analysis, and the output \(X = [{\mathrm{x}}_{1}, {\mathrm{x}}_{2}, ...,{\mathrm{x}}_{c}]\) is obtained. After the convolution operation, the output is \({U}{\prime}= [{\mathrm{u}}_{1}{\prime}, {\mathrm{u}}_{2}{\prime}, ...,{\mathrm{u}}_{c}{\prime}]\) , \({U}{\prime}\in {R}^{{H}{\prime}\times {W}{\prime}\times {C}{\prime}}\) .

The convolution operation is shown in formula 10 .

where * denotes convolution and \(V=\left[{v}_{1},{v}_{2},\dots ,{v}_{c}\right]\) is the set of C convolution kernels of size 3 × 3. The first three convolution layers of the network use 32, 64, and 64 kernels respectively, so the number of channels of the feature map changes as 1 → 32 → 64 → 64.

The fourth layer is a 2 × 2 max pooling layer with stride 2, whose output is \(U=\left[{u}_{1},{u}_{2},\dots ,{u}_{c}\right]\) , \(\mathrm{U}\in {R}^{H\times W\times C}\) .

The SE module is embedded as the fifth layer of the model. SE is a channel-based attention model that is simple to deploy and cheap to compute [ 48 ]. In this paper, the SE module is embedded in the CNN to enhance or suppress feature channels through learned weights, so that the model focuses on the spatial features of greater importance.

The specific operation is further subdivided into three main steps: global average pooling \({F}_{sq}\left(U\right)\) , weight generation \({F}_{ex}\left({w}^{*},W\right),\) and weight redistribution \({F}_{sca}\left({u}_{c},{w}_{c}^{\sim }\right)\) .

Global average pooling

The feature map output by the maximum pooling layer has three dimensions, namely width, height, and number of channels. First, the global average pooling operation compresses the width and height directions, so that the width and height dimensions are reduced to 1 × 1, but the number of channels remains unchanged.

The feature map output in this step is \({w}^{*}=\left[{w}_{1}^{*},{w}_{2}^{*},\dots ,{w}_{C}^{*}\right]\) , \({w}^{*}\in {R}^{1\times 1\times C}\) . This \(1\times 1\times \mathrm{C}\) feature map has a global receptive field; the calculation of \({w}^{*}\) is given in formula 11 :

Weight generation

Two fully connected layers first reduce and then restore the channel dimension C, adding a nonlinear relationship between channels. This operation produces a set of weights representing the importance of the global information of each channel, \({\mathrm{W}}^{\sim }=[{w}_{1}^{\sim },{w}_{2}^{\sim },\dots ,{w}_{c}^{\sim }]\) . The details are given in formula 12 .

where \({W}_{1}\in {R}^{\frac{C}{r}\times C},{W}_{2}\in {R}^{C\times \frac{C}{r}} , r\) is reduction ratio of dimensionality-reduction layer.

Weight redistribution

Finally, the output \(\mathrm{U}\in {R}^{H\times W\times C}\) of the maximum pooling layer is multiplied by the feature channel weight \({\mathrm{W}}^{\sim }=[{w}_{1}^{\sim },{w}_{2}^{\sim },\dots ,{w}_{c}^{\sim }]\) and the output of CNN-SE-net \({\mathrm{X}}^{\sim }=[{x}_{1}^{\sim },{x}_{2}^{\sim },\dots ,{x}_{c}^{\sim }]\) is obtained.

It can be seen that the importance of each channel has changed after weight redistribution.

The output of the SE module passes through another three convolution layers, each using small 3 × 3 kernels. These layers have 32, 32, and 16 kernels respectively, so the channel count changes as 32 → 32 → 16. They are followed by a 2 × 2 max pooling layer with stride 2 and then by two fully connected layers, the first of dimension 1024 and the second with a dimension equal to the number of traffic classes. Finally, a softmax layer produces the classification result.
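The three SE steps above ( \({F}_{sq}\) , \({F}_{ex}\) , \({F}_{sca}\) ), as an added example that is not part of the original paper: a pure-Python squeeze-and-excitation block over a channel-first feature map, with the reduction-ratio constraint checked explicitly. The feature map and the fully connected weights are constructed; \({W}_{1}\) , \({W}_{2}\) and \(r\) follow the definitions given with formula 12.

```python
import math
import random

# Added example (not the paper's code): the three SE steps of Sect. 3.3.2 on a
# feature map U of shape H x W x C, stored channel-first as U[c][h][w] in plain
# Python lists (no NumPy). With reduction ratio r:
#   F_sq : w*_c = mean over (h, w) of u_c(h, w)                -> C values
#   F_ex : w~   = sigmoid(W_2 . relu(W_1 . w*)),  W_1 is C/r x C, W_2 is C x C/r
#   F_sca: x~_c = w~_c * u_c                                   -> same shape as U


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def matvec(W, v):
    return [sum(w * x for w, x in zip(row, v)) for row in W]


def squeeze(U):
    """F_sq: global average pooling, H x W x C -> 1 x 1 x C."""
    return [sum(sum(row) for row in ch) / (len(ch) * len(ch[0])) for ch in U]


def excite(w_star, W1, W2):
    """F_ex: FC reduce to C/r with ReLU, FC expand back to C, sigmoid -> weights in (0, 1)."""
    bottleneck = [max(0.0, a) for a in matvec(W1, w_star)]
    return [sigmoid(a) for a in matvec(W2, bottleneck)]


def scale(U, w_tilde):
    """F_sca: multiply each channel u_c by its weight w~_c."""
    return [[[w * v for v in row] for row in ch] for ch, w in zip(U, w_tilde)]


def se_block(U, W1, W2):
    """Return (X~, w~): the recalibrated feature map and the per-channel weights."""
    C = len(U)
    if len(W1[0]) != C or len(W2) != C or len(W2[0]) != len(W1):
        raise ValueError("W1 must be C/r x C and W2 must be C x C/r for C=%d" % C)
    w_tilde = excite(squeeze(U), W1, W2)
    return scale(U, w_tilde), w_tilde


def make_fc_weights(C, r, seed=None):
    """W1 (C/r x C) and W2 (C x C/r). seed=None gives zeros, so every channel weight
    is sigmoid(0) = 0.5 and the block can be checked by hand; an int seed gives
    deterministic pseudo-random values standing in for trained weights (constructed)."""
    if C % r != 0:
        raise ValueError("C=%d must be divisible by the reduction ratio r=%d" % (C, r))
    rng = random.Random(seed)

    def val():
        return 0.0 if seed is None else rng.uniform(-0.5, 0.5)

    W1 = [[val() for _ in range(C)] for _ in range(C // r)]
    W2 = [[val() for _ in range(C // r)] for _ in range(C)]
    return W1, W2


if __name__ == "__main__":
    # Constructed 2 x 2 feature map with C = 4 channels; channel c holds the constant c + 1.
    U = [[[float(c + 1)] * 2 for _ in range(2)] for c in range(4)]
    W1, W2 = make_fc_weights(C=4, r=2, seed=3)
    X, w = se_block(U, W1, W2)
    print("channel weights w~:", [round(x, 3) for x in w])
    print("channel means before/after:", squeeze(U), [round(x, 3) for x in squeeze(X)])
```

Because the excitation ends in a sigmoid, every channel is multiplied by a factor in (0, 1): SE can only re-weight channels relative to one another, never amplify a channel beyond its original values, which is what "enhance or suppress" means in practice. The divisibility check matters when wiring the block into this model: with C = 32 after the first pooling layer, r must divide 32 (the SE paper uses r = 16 by default); the paper does not state the value used here.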

4 Experiment

4.1 Basic performance test

In this paper, three international public network traffic datasets are chosen for several experiments: ISCX VPN-nonVPN, USTC-TFC2016, and YouTube. These datasets consist of raw PCAP flow files, which are described in Sect.  3.1 . After the preprocessing detailed in Sect. 3.2 , each PCAP flow is transformed into a 28 × 28 × 1 image. The experimental parameters are outlined in Table 2 .

The detection scheme is implemented with Python, Scikit-learn, NumPy, Pandas, TensorFlow, and Keras. 90% of the samples are randomly selected as the training set and the remaining 10% serve as the test set. To reduce overfitting, a dropout layer is added after the first fully connected layer. Cross-entropy is used as the loss function and Adam as the optimizer. ReLU is used as the activation function in the hidden layers and softmax in the output layer.

Dropout is a regularization technique commonly used in CNNs to mitigate overfitting. By randomly deactivating neurons during training, it reduces co-adaptation between neurons and improves the network’s ability to generalize. In these experiments the dropout rate is 0.7, meaning that 70% of the units of the layer it is applied to are randomly dropped in each training iteration (the Keras convention, in which the parameter is the fraction dropped rather than kept). At test time all units are active, so the whole network is used for prediction.

To assess the impact of this method and provide an objective comparison with other approaches, the experimental results in this paper are evaluated using metrics such as F1 score, recall, accuracy, and precision.

In the aforementioned formulas, TP (true positive) represents the number of successful detections of the current network traffic category. TN (true negative) refers to the number of other network traffic types that were correctly identified. FP (false positive) represents the number of other network traffic categories falsely identified as the current network traffic category. FN (false negative) denotes the number of current network traffic categories mistakenly identified as other network traffic categories.
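The metric definitions above, as an added example that is not part of the original paper: per-class TP/FP/FN/TN, precision, recall and F1 from a multiclass confusion matrix, together with macro averages over the classes. The class names and the confusion matrix are constructed, and treating the paper’s "average precision/recall/F1" over the applications of a dataset as macro averages is an assumption, since the averaging rule is not stated.

```python
# Added example (not the paper's code): one-vs-rest counts and
# precision / recall / F1 per traffic class from a confusion matrix, plus
# macro averages and overall accuracy.

CLASSES = ["vpn-chat", "vpn-email", "nonvpn-chat", "nonvpn-email"]  # constructed subset of labels

# Constructed confusion matrix CM[true][predicted], 50 test flows per class.
CM = [
    [45, 2, 3, 0],
    [1, 48, 0, 1],
    [2, 0, 47, 1],
    [0, 1, 2, 47],
]


def counts(cm, k):
    """TP, FP, FN, TN for class k, treating every other class as 'rest'."""
    n = len(cm)
    tp = cm[k][k]
    fp = sum(cm[i][k] for i in range(n) if i != k)   # other classes predicted as k
    fn = sum(cm[k][j] for j in range(n) if j != k)   # k predicted as something else
    total = sum(sum(row) for row in cm)
    return tp, fp, fn, total - tp - fp - fn


def safe_div(a, b):
    """A class that is never predicted (or never present) yields 0, not a crash."""
    return a / b if b else 0.0


def precision_recall_f1(cm, k):
    tp, fp, fn, _ = counts(cm, k)
    p = safe_div(tp, tp + fp)
    r = safe_div(tp, tp + fn)
    return p, r, safe_div(2 * p * r, p + r)


def accuracy(cm):
    return safe_div(sum(cm[k][k] for k in range(len(cm))), sum(sum(row) for row in cm))


def macro_average(cm):
    """Unweighted mean of (precision, recall, F1) over classes."""
    n = len(cm)
    per = [precision_recall_f1(cm, k) for k in range(n)]
    return tuple(sum(m[i] for m in per) / n for i in range(3))


def report(cm, names):
    lines = []
    for k, name in enumerate(names):
        p, r, f = precision_recall_f1(cm, k)
        lines.append("%-14s P=%.4f R=%.4f F1=%.4f" % (name, p, r, f))
    mp, mr, mf = macro_average(cm)
    lines.append("%-14s P=%.4f R=%.4f F1=%.4f  accuracy=%.4f"
                 % ("macro avg", mp, mr, mf, accuracy(cm)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CM, CLASSES))
```

Two points matter when reading Tables 3 to 8 in this light. Accuracy is a micro-level quantity, so on an imbalanced mix such as USTC-TFC2016 a model can score high accuracy while recalling a small malware family poorly; the per-class rows expose that. A class that is never predicted has an undefined precision, which the code reports as 0 rather than raising, so such classes still pull the macro average down instead of silently disappearing from it.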

The performance results obtained from the experiments are visualized in Figs. 11 , 12 , and 13 . The X -axis of these figures represents the number of training epochs for the model’s training set samples. The Y -axis shows the loss value of the model training, depicted by the red curve, and the detection accuracy of the model, represented by the blue curve.

figure 11

Test performance on ISCX VPN-nonVPN

figure 12

Test performance on USTC-TFC2016

figure 13

Test performance on YouTube

The figures show that as the number of training epochs increases, the model’s detection accuracy improves and gradually approaches 100%, while the training loss decreases and approaches 0.

The figures also show that in the selected experiments the model generally reaches its best results after about 200 epochs. This fast convergence reduces the computing resources consumed, since fewer training iterations are needed.

To further assess the overall performance of the model and its ability to accurately classify different network traffic types, the paper conducted detection on the network applications within the three datasets. The detection results are presented in Tables 3 , 4 , and 5 .

The results show high precision, F1 score, and recall values throughout. In Table 3 , the average precision is 97.54%, the average F1 score is 97.61%, and the average recall is 97.72%. In Tables 4 and 5 , the averages of these three indicators also exceed 96%. These values indicate that the proposed model classifies network traffic effectively across different datasets and application types.

4.2 Comparative experiment

To further validate the performance of the proposed model, comparative experiments with several existing methods were conducted on the three datasets.

Draper-Gil et al. [ 10 ] used the C4.5 machine learning technique to classify traffic in the ISCX VPN-nonVPN dataset. Wang et al. [ 1 ] proposed a multichannel LeNet-5, a variant of the LeNet-5 CNN architecture, for network traffic classification; it classified VPN traffic better than C4.5. Lotfollahi et al. [ 11 ] combined an SAE with a 1D CNN for flow classification. Dubin et al. [ 49 ] used the KNN method for flow classification.

Using the same training and test datasets, the proposed method was compared with the aforementioned literature methods, and the experimental results are presented in Tables 6 , 7 , and 8 .

From the results in Table 6 , the C4.5 method did not perform well in detecting both VPN and non-VPN flows, with a precision value lower than 85%. The other two CNN methods showed improvements in detecting VPN flows, achieving precision values exceeding 92%, but the improvement in non-VPN flow detection was not significant. The proposed method in this paper demonstrated good performance in detecting both VPN and non-VPN flows by extracting and optimizing the spatiotemporal features of network flows, with precision, recall, and F1 score values exceeding 95%.

Since the original papers for the C4.5 and 1D CNN methods did not report the F1 score, the corresponding cells in Table 6 are marked with “-”.

Regarding the results in Table 7 , the multichannel LeNet5 method showed strong performance in the USTC-TFC2016 dataset, achieving a detection rate of 97% for benign flows and over 98% for malware flows. Similarly, the proposed method in this paper yielded excellent results on this dataset. Although the overall indicators were slightly weaker than the former method, all three indicators for detecting the two types of flows surpassed 98%.

In the experiments on the YouTube dataset (Table 8 ), the original work [ 49 ] reported mainly precision values, so this paper compares only precision with the KNN method. The proposed method outperformed KNN in identifying YouTube video flows and was able to distinguish encrypted from unencrypted flows with a detection precision exceeding 96%.

To evaluate the model’s behaviour during training, tests were conducted on the ISCX VPN-nonVPN dataset with its 12 traffic classes, using epoch = 5000 and learning rate (LR) values from 0.0001 to 0.01. The objective was to observe how model accuracy changes with the number of training rounds and the LR in order to identify the best LR value.

Figure  14 illustrates the accuracy of the model for the different LR values. An LR of 0.0001 led to slow convergence: the model’s accuracy had not stabilized even after 300 epochs. The learning rate is the hyperparameter that controls how much the network weights are adjusted in response to the loss gradient, so a small LR prolongs convergence.

figure 14

Accuracy of the model under different learning rates

In contrast, an LR of 0.01 caused significant oscillations in the accuracy curve, indicating that the LR was too high: the update steps overshoot and swing around the minimum during training, making it difficult for the model to converge.

The experiments revealed that the model achieved the fastest convergence with a learning rate of 0.001. This LR value produced a small range of oscillation in the accuracy curve and resulted in the highest accuracy rate after convergence. Therefore, a learning rate of 0.001 was selected for this study. In summary, the experiments demonstrated that the optimal LR value depends on the dataset and model architecture. Careful tuning of the LR is crucial for achieving good performance during training.

To compare the time cost of training the different models, the study measures training time and convergence time. Training time is the time the model spends training on the training set and depends on the number of iterations, the model size, and the hardware environment. Convergence time is the time taken for the model to reach a relatively stable performance and is influenced by the model size and other parameters. Table 9 presents, for each model (1D CNN [ 1 ], SAE + 1D CNN [ 11 ], and the model proposed in this study), the training time needed to complete 5000 epochs and the time to reach convergence, measured on the same ISCX test set.

As Table 9 shows, the proposed model’s training time for 5000 epochs on the ISCX dataset is 1967.76 s, only 93.4% of the training time of the 1D CNN model and 88.8% of that of the SAE + 1D CNN model. Its convergence time in the same run is 589.17 s, only 81.7% of the convergence time of the 1D CNN model and 85.9% of that of the SAE + 1D CNN model. Tables 6 and 9 together show that the proposed model needs less time than the 1D CNN model, which has the simplest structure, while achieving an accuracy more than 5% higher; compared with the SAE + 1D CNN model it reduces training time, converges earlier, and raises the average training accuracy by more than 3%.

In summary, the proposed model demonstrates excellent performance and requires less training time than other models. However, it is important to note that actual training time and convergence time may vary due to various factors, including dataset and model parameters. Therefore, careful consideration of these factors is crucial when selecting and optimizing models for specific applications.

5 Conclusion

Encrypted traffic and network application traffic classification are important problems in network security and matter for real-time monitoring and defence against network attacks. Because network traffic comes in many types and malicious flows are hard to separate from both unencrypted and encrypted traffic, this paper proposes a deep learning traffic model combining LSTM, CNN, and SE. First, the method removes the dependence of classical machine learning methods on accurate manual feature extraction. Second, by using the LSTM to obtain time series features automatically and the CNN to obtain the spatial features of the network flow, it addresses the temporal correlation of features and the incompleteness of the feature space. In addition, embedding the SE mechanism in the CNN analyzes the correlation between channels in different layers of the network, improving the accuracy of feature selection. The results of the different experiments show that the method is feasible and can handle the classification of different kinds of network traffic.

The model proposed in this paper can strengthen the ability of enterprises to detect and defend against network attacks. Integrated with an IDS, IPS, or other network security system, it provides accurate identification and classification of network traffic: its higher classification accuracy reduces false positives and false negatives, and its stronger feature extraction gives the IDS a more complete description of traffic characteristics. The SE mechanism further improves robustness by weighting channel correlations across layers, which helps the IDS respond to variations in attack traffic. Note, however, that the results reported here come from offline public captures split 90%/10% at random into training and test sets; before relying on the model inside an IDS, it should be validated on traffic captured from the target network, which this paper does not cover.

With the rapid development of the Internet and growing security awareness, the number of traffic types and forms of encrypted traffic keeps increasing, which places higher demands on the detection rate and accuracy of the model. Future work will continue to improve the training speed of the model and look for better solutions in terms of network model structure and parallel processing of datasets.

Availability of data and materials

The datasets used and/or analyzed during the current study are available from the corresponding author on reasonable request.

Abbreviations

LSTM: Long short-term memory, a kind of recurrent neural network for sequence data

CNN: Convolutional neural network, a feed-forward neural network with convolution layers and a deep structure

SE: Squeeze and excitation, a block that improves the quality of the representations generated by a network by explicitly modelling the interdependence between the channels of its convolutional features

DPI: Deep packet inspection, a flow detection and control technology that inspects the application-layer payload in addition to the packet headers

SMTP: Simple mail transfer protocol, a protocol for reliable and effective email transmission

TCP: Transmission control protocol, a connection-oriented, reliable, byte-stream-based transport-layer protocol

SVM: Support vector machine, a generalized linear classifier that performs binary classification under supervised learning

Bayes: Bayesian classification, a statistical classification method

RNN: Recurrent neural network, a type of neural network that takes sequence data as input, recurses along the direction of the sequence, and connects all its nodes (recurrent units) in a chain

IDX: A binary file format used here for the image data

CNN-SE-net: A CNN with the SE mechanism embedded

BP: Back propagation, the error back-propagation algorithm used to train multilayer feed-forward neural networks

C4.5: A decision-tree induction algorithm developed by Ross Quinlan

VPN: Virtual private network

1D CNN: A CNN with a one-dimensional architecture

SAE: Stacked auto-encoders

LR: Learning rate

[1] W. Wang, M. Zhu, J. Wang, X. Zeng, Z. Yang, End-to-end encrypted traffic classification with one-dimensional convolution neural networks, in 2017 IEEE International Conference on Intelligence and Security Informatics (ISI) (IEEE, Beijing, 2017), pp. 43–48

[2] J. Zhang, X. Chen, Y. Xiang, W. Zhou, J. Wu, Robust network traffic classification. IEEE/ACM Trans. Netw. 23(4), 1257–1270 (2015)

[3] X. Xiao, R. Li, H. Zheng, R. Ye, A. Kumar Sangaiah, S. Xia, Novel dynamic multiple classification system for network traffic. Inf. Sci. 479, 526–541 (2019)

[4] M. Finsterbusch, C. Richter, E. Rocha, J.-A. Müller, K. Hänßgen, A survey of payload-based traffic classification approaches. IEEE Commun. Surv. Tutor. 16(2), 1135–1156 (2014)

[5] S. Rezaei, X. Liu, Deep learning for encrypted traffic classification: an overview. IEEE Commun. Mag. 57(5), 76–81 (2019)

[6] Y. Soundharya, A. Bhanu Prasad, Network traffic classification with Naive Bayes predictions. Int. J. Coal. Sci. Technol. 5(3), 51–254 (2014)

[7] H.-K. Lim, J.-B. Kim, J.-S. Heo, K. Kim, Y.-G. Hong, Y.-H. Han, Packet-based network traffic classification using deep learning, in 2019 International Conference on Artificial Intelligence in Information and Communication (ICAIIC) (Okinawa, Japan, 2019), pp. 46–51

[8] Y. Bengio, A. Courville, P. Vincent, Representation learning: a review and new perspectives. IEEE Trans. Pattern Anal. Mach. Intell. 35(8), 1798–1828 (2013)

[9] W. Wang, M. Zhu, X. Zeng, X. Ye, Y. Sheng, Malware traffic classification using convolutional neural network for representation learning, in 2017 International Conference on Information Networking (ICOIN) (Da Nang, Vietnam, 2017), pp. 712–717

[10] G. Draper-Gil, A.H. Lashkari, M.S.I. Mamun, A.A. Ghorbani, Characterization of encrypted and VPN traffic using time-related features, in Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP) (London, UK, 2016), pp. 407–414

[11] M. Lotfollahi, M. Jafari Siavoshani, R. Shirali Hossein Zade, M. Saberian, Deep packet: a novel approach for encrypted traffic classification using deep learning. Soft Comput. 24(3), 1999–2012 (2020)

[12] Qosmos, Deep packet inspection and metadata engine [online]. https://www.qosmos.com/products/deep-packet-inspection-engine/ . Accessed 17 Mar 2021

[13] Palo Alto Networks [online]. https://www.paloaltonetworks.com/ . Accessed 20 Feb 2021

[14] Y. Lim, H. Kim, J. Jeong, C. Kim, Y. Choi, Internet traffic classification demystified: on the sources of the discriminative power, in Proceedings of the 2010 ACM Conference on Emerging Networking Experiments and Technologies (CoNEXT) (Philadelphia, PA, USA, 2010)

[15] C. Lu et al., Session level flow classification by packet size distribution and session grouping. Comput. Netw. 56(1), 260–272 (2012)

[16] T. Bujlow, V. Carela-Español, P. Barlet-Ros, Independent comparison of popular DPI tools for traffic classification. Comput. Netw. 76, 75–89 (2015)

[17] S. Perez, EFF: half of web traffic is now encrypted, TechCrunch [online]. https://techcrunch.com/2017/02/22/eff-half-the-web-is-now-encrypted/ . Accessed 20 Mar 2021

[18] Y. Hu, H. Jin, C. Wang, Network flow association method based on compressed sensing. Comput. Appl. Res. 37(S2), 245–246, 241 (2020) (in Chinese)

[19] J. Zhang, Y. Ling et al., Model of the intrusion detection system based on the integration of spatial-temporal features. Comput. Secur. 89, 101681 (2020)

[20] H. Zheng, J. Fu, T. Mei, J. Luo, Learning multi-attention convolutional neural network for fine-grained image recognition, in IEEE International Conference on Computer Vision (ICCV) (Venice, Italy, 2017)

[21] H. Li, Deep learning for natural language processing: advantages and challenges. Natl. Sci. Rev. 5(1), 24–26 (2018)

[22] T. Young, D. Hazarika, S. Poria, E. Cambria, Recent trends in deep learning based natural language processing. IEEE Comput. Intell. Mag. 13(3), 55–75 (2018)

[23] D. Wang, X. Wang, S. Lv, End-to-end Mandarin speech recognition combining CNN and BLSTM. Symmetry 11(5), 644 (2019)

[24] J. Zhao, X. Mao, L. Chen, Speech emotion recognition using deep 1D and 2D CNN LSTM networks. Biomed. Signal Process. Control 47, 312–323 (2019)

[25] R. Li, X. Xiao, Byte segment neural network for network traffic classification, in 2018 IEEE/ACM 26th International Symposium on Quality of Service (IWQoS) (Banff, Canada, 2018), pp. 1–10

[26] T. Shapira, Y. Shavitt, FlowPic: encrypted Internet traffic classification is as easy as image recognition, in IEEE INFOCOM 2019 Workshops (INFOCOM WKSHPS) (Paris, France, 2019), pp. 680–687

[27] A. Almomani, Classification of virtual private networks encrypted traffic using ensemble learning algorithms. Egypt. Inform. J. 23(4), 57–68 (2022)

[28] Y. Okada, S. Ata, N. Nakamura, Y. Nakahira, I. Oka, Application identification from encrypted traffic based on characteristic changes by encryption, in 2011 IEEE International Workshop Technical Committee on Communications Quality and Reliability (CQR) (Naples, Italy, 2011), pp. 1–6

[29] J. Wei, R. Zheng, J. Liu, Research on malicious TLS traffic identification based on hybrid neural network. Comput. Eng. Appl. 57(7), 107–114 (2021) (in Chinese)

[30] M. Korczyński, A. Duda, Markov chain fingerprinting to classify encrypted traffic, in Proceedings of the 33rd IEEE Annual Conference on Computer Communications (INFOCOM) (Toronto, Canada, 2014), pp. 781–789

[31] K. Shim, J. Ham, B.D. Sija et al., Application traffic classification using payload size sequence signature. Int. J. Netw. Manag. 27(5), 1–17 (2017)

[32] J.H. Ham, H.M. An, M.S. Kim, Application traffic classification using PSS signature. KSII Trans. Internet Inf. Syst. 8(7), 2261–2280 (2014)

[33] M. Lotfollahi, M. Jafari Siavoshani, R. Shirali Hossein Zade, M. Saberian, Deep packet: a novel approach for encrypted traffic classification using deep learning. Soft Comput. 24(3), 1999–2012 (2020)

[34] A. Lazaris, V.K. Prasanna, DeepFlow: a deep learning framework for software-defined measurement, in Proceedings of the 2017 Cloud-Assisted Networking Workshop (CAN 2017) (Vilanova i la Geltrú, Barcelona, Spain, 2017), pp. 43–48

[35] J.W. Li, Z.S. Pan, Network traffic classification based on deep learning. KSII Trans. Internet Inf. Syst. 14(11), 4246–4267 (2020)

[36] KDD Cup 1999 dataset [online]. https://archive.ics.uci.edu/ml/datasets/KDD+Cup+1999+Data . Accessed 23 Dec 2020

[37] NSL-KDD dataset [online]. https://www.unb.ca/cic/datasets/nsl.html . Accessed 20 Feb 2021

[38] UNSW-NB15 dataset [online]. https://ieee-dataport.org/documents/unswnb15-dataset . Accessed 8 June 2021

[39] N. Gao, L. Gao, Q. Gao, H. Wang, An intrusion detection model based on deep belief nets, in 2014 Second International Conference on Advanced Cloud and Big Data (Huangshan, China, 2014), pp. 247–252

[40] N. Shone, T.N. Ngoc, V.D. Phai, Q. Shi, A deep learning approach to network intrusion detection. IEEE Trans. Emerg. Top. Comput. Intell. 2(1), 41–50 (2018)

[41] VPN-nonVPN dataset (ISCXVPN2016) [online]. https://www.unb.ca/cic/datasets/vpn.html . Accessed 18 May 2021

[42] USTC-TFC2016 dataset [online]. https://github.com/yungshenglu/USTC-TFC2016 . Accessed 8 July 2020

[43] YouTube dataset [online]. http://www.cse.bgu.ac.il/title_fingerprinting/ . Accessed 21 Mar 2021

[44] SplitCap tool [online]. https://www.netresec.com/?page=SplitCap . Accessed 13 June 2022

[45] IDX file format [online]. https://fon.hum.uva.nl/praat/manual/IDX_file_format.htm . Accessed 3 Sept 2021

[46] S. Hochreiter, J. Schmidhuber, Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997)

[47] K. Simonyan, A. Zisserman, Very deep convolutional networks for large-scale image recognition, in 3rd International Conference on Learning Representations (ICLR 2015) (San Diego, CA, 2015), pp. 1–14

[48] J. Hu, L. Shen, G. Sun, Squeeze-and-excitation networks, in IEEE Conference on Computer Vision and Pattern Recognition (CVPR) (Salt Lake City, USA, 2018), pp. 7132–7141

[49] R. Dubin et al., I know what you saw last minute: encrypted HTTP adaptive video streaming title classification. IEEE Trans. Inf. Forensics Secur. 12(12), 3039–3049 (2017)


Acknowledgements

The authors would like to express their sincere gratitude to all the reviewers and editors for their valuable comments that have significantly contributed to improving the quality of this paper. This work has received support from the National Key R&D Program of China (No. 2020YFB0906003). Additionally, it has been partially funded by the key scientific and technological project “Research and Application of Key Technologies for Network Security Situational Awareness of Electric Power Monitoring System (No. ZDKJXM20170002)” of China Southern Power Grid Corporation. Furthermore, it has received support from the 2021 Graduate Practical Innovation and Entrepreneurial Ability Improvement Project “Research and Design of Traffic Classification Method Based on Deep Integrated Learning” (No. 6080201-000101204) from Changsha University of Science and Technology.

There is no financial support for this study.

Author information

Authors and affiliations.

CSG Power, Dispatching Control Center, Guangzhou, 510663, China

Feifei Hu, Situo Zhang, Xubin Lin & Liu Wu

Changsha University of Science and Technology, Changsha, 410114, China

Niandong Liao & Yanqi Song

Contributions

FH, SZ, and XL contributed to the design and implementation of the study and writing part of the paper. NL and YS conducted analysis and simulation experiments, and LW supplemented the manuscript.

Authors’ information

Hu Feifei is an employee of power dispatching and control center of China Southern Power Grid Corporation. His main research interests include power system security, network situation awareness, and power data security. Email: [email protected].

Corresponding author

Correspondence to Niandong Liao .

Ethics declarations

Competing interests.

The authors declare that they have no competing interests.

Additional information

Publisher’s note.

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/ .

About this article

Cite this article.

Hu, F., Zhang, S., Lin, X. et al. Network traffic classification model based on attention mechanism and spatiotemporal features. EURASIP J. on Info. Security 2023 , 6 (2023). https://doi.org/10.1186/s13635-023-00141-4

Received : 22 March 2021

Accepted : 01 July 2023

Published : 12 July 2023

DOI : https://doi.org/10.1186/s13635-023-00141-4

  • Traffic classification
  • Attention mechanism

Evaluating Network Security Configuration (NSC) Practices in Vehicle-Related Android Applications

2024-01-2881.

Internet of things technology, research, and challenges: a survey

  • Published: 02 May 2024

  • Amit Kumar Vishwakarma,
  • Soni Chaurasia,
  • Kamal Kumar,
  • Yatindra Nath Singh &
  • Renu Chaurasia

The world of digitization is growing exponentially; data optimization, security of a network, and energy efficiency are becoming more prominent. The Internet of Things (IoT) is the core technology of modern society. This paper is based on a survey of recent and past technologies used for IoT optimization models, such as IoT with Blockchain, IoT with WSN, IoT with ML, and IoT with big data analysis. Suppose anyone wants to start core research on IoT technologies, research opportunities, challenges, and solutions. In that case, this paper will help them understand all the basics, such as security, interoperability, standards, scalability, complexity, data management, and quality of service (QoS). This paper also discusses some recent technologies and the challenges in implementation. Finally, this paper discusses research possibilities in basic and applied IoT Domains.

Data Availability

Available on request.

No funding was received to carry out this work.

Author information

Authors and affiliations.

Management science and technology, Khalifa University, Abu Dhabi, UAE

Amit Kumar Vishwakarma

Computer science & Engineering, SGT University, Gurugram, India

Soni Chaurasia

Department of Information Technology, IGDTUW, New Delhi, India

Kamal Kumar

Electrical Engineering, IIT Kanpur, Kanpur, India

Yatindra Nath Singh

Computer science & Engineering, AIT, Rooma, Kanpur, India

Renu Chaurasia

Contributions

Equally contributed.

Corresponding author

Correspondence to Soni Chaurasia .

Ethics declarations

Conflicts of interest.

No conflict of interest.

Consent to Publish

As per journal policy.

Additional information

Publisher's note.

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Vishwakarma, A.K., Chaurasia, S., Kumar, K. et al. Internet of things technology, research, and challenges: a survey. Multimed Tools Appl (2024). https://doi.org/10.1007/s11042-024-19278-6

Received : 18 October 2023

Revised : 13 March 2024

Accepted : 18 April 2024

Published : 02 May 2024

DOI : https://doi.org/10.1007/s11042-024-19278-6

  • Semantic intelligence
  • IoT protocol
  • IoT application
  • Research possibilities
  • IoT Platforms
  • IoT optimization models
eSecurity Planet

Top 19 Network Security Threats + Defenses for Each

Jenna Phipps

Network security threats are technological risks that weaken the defenses of an enterprise network, endangering proprietary data, critical applications, and the entire IT infrastructure. Because businesses face an extensive array of threats, they should carefully monitor and mitigate the most critical threats and vulnerabilities. This guide covers seven major categories of network security issues, each containing multiple threats, along with the specific detection and mitigation methods your teams should implement for each threat.

Public Internet Threats

If your enterprise network is connected to the public internet, every threat on the internet can render your business vulnerable too. Widespread, complex business networks are particularly challenging to protect; these can include edge and mobile networks as well as branch office networks and storage area networks (SANs). Typical internet threats include malicious software, malicious websites, email phishing, DNS poisoning, and DoS and DDoS attacks.

Malware

Malicious software (malware) is code designed to disrupt normal or safe computing operations. Links in emails or extensions on websites can download malware onto a host machine as soon as they are clicked. Depending on its capabilities, the malware may then move laterally through the network.

Defending Against Malware

Use the following methods to prevent malware:

  • Train your employees: Your workers are your organization’s first line of defense and its biggest attack surface. They need to know how to reduce the major risks your business faces.
  • Implement endpoint protection: All devices should have antivirus and endpoint protection installed on them to automatically respond when the software detects a threat.
  • Segment your network: Segmentation technologies require setting policies for each network, managing which traffic can move between subnets, and decreasing lateral movement.

Spoofed Websites

Spoofed websites are sites that look legitimate but are designed to steal internet users’ account credentials. Threat actors direct users to the site, and once the users input their credentials, the attackers collect them and use them to log into the real application.

Defending Against Malicious Sites 

Protect your credentials through the tips below:

  • Deploy multi-factor authentication for all applications: If a threat actor manages to steal your credentials through successful spoofing, they’ll have a harder time getting through MFA.
  • Teach users to recognize spoofed websites: Make sure your employees know the characteristics of a fake site, whether that’s grammatical issues, a strange URL, or an unapproved email that led them there.
  • Blacklist sites as soon as you learn about them: If multiple employees are navigating to a single site from the same threat actor, blacklist the URL as soon as you identify it.

Email-Based Phishing Attacks

Email phishing is a technique used by threat actors to trick users into opening emails and clicking links inside them. It can include both malware and spoofed sites; there’s plenty of overlap in internet phishing threats. Email attacks typically target employees through their business email accounts.

Defending Against Email-Based Phishing Attacks

To prevent email phishing, use these techniques:

  • Implement stringent email protection software: Often, threat actors direct users to a spoofed website through an email with a link, like instructions to reset a password.
  • Host intensive security awareness training sessions: Your employees should know exactly what to look for when they receive unfamiliar emails.
  • Install a next-generation firewall (NGFW): Installing an NGFW between the public internet and your organization’s private network helps filter some initial malicious traffic.

Read more about types of phishing, including spear phishing, whaling, and smishing, in our complete guide to phishing attacks.

DNS Attacks

DNS cache poisoning, or hijacking, replaces a legitimate site’s DNS record so that users who try to navigate to that webpage are sent to a malicious site instead.

Defending Against DNS Attacks

Consider these strategies to prevent DNS attacks:

  • Use DNS encryption: Encrypting DNS connections requires teams to use the DNSCrypt protocol, DNS over TLS, or DNS over HTTPS.
  • Isolate DNS servers: Deploy a demilitarized zone (DMZ) to isolate all DNS traffic from the public internet.
  • Stay on top of updates: All DNS servers should be regularly patched when an update is announced.

DoS & DDoS Attacks

Denial of service (DoS) and distributed denial of service (DDoS) attacks are threats that can disable machines or entire computer systems by overloading them with traffic. They’re notoriously difficult to prevent because they often come from external traffic, rather than from a threat within the network that can be located and halted while it’s in your system. Not every DoS or DDoS attack comes from internet traffic, but many of them do.

Defending Against DoS & DDoS Attacks

Implement the methods below to protect your network from DoS and DDoS attacks:

  • Implement reverse proxies: The reverse proxy has its own IP address, so a flood of traffic aimed at a single server reaches the proxy’s address instead, and the internal server’s IP address isn’t overwhelmed as easily.
  • Install web application firewalls: You can configure firewalls to monitor and block different kinds of traffic.
  • Deploy load balancers: By directing network traffic to the sources that can manage it, load balancing reduces the risk of traffic completely overwhelming a server.

Unsecured & Outdated Network Protocols

Some older versions of network protocols have bugs that have been fixed in later versions, but many businesses and systems continue to use the older protocols. It’s best to use the most recent protocol versions to at least avoid already-known threats, especially if your industry requires a certain protocol version to stay compliant with regulatory standards. Some of the most popular network protocols include SSL, TLS, SNMP, HTTP, and HTTPS.

SSL & TLS

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both network security protocols. SSL and every TLS version older than TLS 1.3 have multiple weaknesses, including the vulnerabilities that enable POODLE attacks and BEAST attacks. While TLS 1.3 may have its own weaknesses that will be discovered over time, it does fix the known vulnerabilities in older TLS and SSL versions.

Defending Against SSL & TLS Threats

Use these tips to prevent threats caused by SSL and TLS:

  • Update connections: Keep every network connection upgraded to the most recent version of TLS. 
  • Disable old versions: Completely disabling older SSL and TLS versions on your network ensures they aren’t used accidentally.

SNMP

Simple Network Management Protocol (SNMP) is a common internet protocol designed to manage the operations of networks and the devices on them. SNMP versions 1 and 2 have known vulnerabilities, including unencrypted transmissions (v1) and IP address spoofing (v2). Version 3, which was designed to solve the problems of v1 and v2, is the best option of the three because it has multiple encryption options.

Defending Against SNMP Threats

Upgrade all versions of SNMP to version 3 to avoid the gaping security flaws in the previous versions. 

HTTP

Hypertext Transfer Protocol (HTTP) is an internet communication protocol that isn’t inherently secure. Hypertext Transfer Protocol Secure (HTTPS), the encrypted version of HTTP, is. All your internet connections should be encrypted, and every communication with another website should use HTTPS.

Defending Against HTTP Threats

To prevent insecure HTTP connections, use these methods:

  • Block HTTP access: If any connections use HTTP, block access to them as soon as you can.
  • Direct traffic to HTTPS: Configure all attempted HTTP communications to redirect to HTTPS.
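The three protocol checks above (TLS versions older than 1.3, SNMP v1/v2c community strings, and plain HTTP listeners with no redirect to HTTPS) can be audited from configuration files before a device ever goes live. The script below is an added example, not code from the eSecurity Planet article; the nginx and net-snmp `snmpd.conf` snippets it parses are constructed samples, and the weak nginx setup is shown beside its hardened counterpart.

```python
"""Audit constructed nginx and snmpd snippets for the outdated-protocol issues
discussed above: SSL/TLS versions older than 1.3, SNMP v1/v2c community
strings, and plain-HTTP listeners with no redirect to HTTPS.
Added example; the configuration texts below are constructed samples."""
import re
from dataclasses import dataclass

# nginx `ssl_protocols` tokens treated as outdated, following the advice above
# to leave only TLS 1.3 enabled.
OUTDATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# net-snmp directives that grant community-based (v1/v2c) access.
SNMP_COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "com2sec")


@dataclass
class Finding:
    source: str   # where the issue was found
    issue: str    # short machine-friendly label
    detail: str   # human-readable explanation


def _server_blocks(text):
    """Return the body of each `server { ... }` block, found by brace counting
    (nested `location` blocks simply stay inside the returned body)."""
    blocks, pos = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", text[pos:])
        if not m:
            return blocks
        start = pos + m.end()
        depth, j = 1, start
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        blocks.append(text[start:j - 1])
        pos = j


def audit_nginx(nginx_conf):
    """Flag plain-HTTP listeners without an HTTPS redirect, and TLS versions
    older than 1.3, in every server block of `nginx_conf`."""
    findings = []
    for n, body in enumerate(_server_blocks(nginx_conf), 1):
        src = f"nginx server block {n}"
        listens = re.findall(r"^\s*listen\s+([^;]+);", body, re.M)
        plain = [l for l in listens if "ssl" not in l.split()]
        redirect = re.search(r"^\s*return\s+30[1278]\s+https://", body, re.M)
        if plain and not redirect:
            findings.append(Finding(src, "plain-http",
                f"listen {plain[0]} serves unencrypted HTTP without "
                "redirecting to HTTPS"))
        if len(plain) < len(listens):  # block has a TLS listener
            protos = re.search(r"^\s*ssl_protocols\s+([^;]+);", body, re.M)
            if protos is None:
                findings.append(Finding(src, "tls-default",
                    "ssl_protocols not set; enabled versions fall back to the "
                    "nginx build default and should be pinned explicitly"))
                continue
            old = sorted(OUTDATED_TLS & set(protos.group(1).split()))
            if old:
                findings.append(Finding(src, "outdated-tls",
                    f"ssl_protocols enables {', '.join(old)}; keep only TLSv1.3"))
    return findings


def audit_snmpd(snmpd_conf):
    """Flag every community string (SNMP v1/v2c) in a net-snmp snmpd.conf;
    `rouser`/`rwuser` lines (v3 USM users) are left alone."""
    findings = []
    for line in snmpd_conf.splitlines():
        parts = line.split()
        if not parts or parts[0] not in SNMP_COMMUNITY_DIRECTIVES:
            continue
        idx = 3 if parts[0] == "com2sec" else 1  # com2sec NAME SOURCE COMMUNITY
        if len(parts) <= idx:
            continue
        detail = f"{parts[0]} grants v1/v2c access with community '{parts[idx]}'"
        if parts[idx] in ("public", "private"):
            detail += " (factory default community string)"
        findings.append(Finding("snmpd.conf", "snmp-v1v2c", detail + "; migrate to v3"))
    return findings


# Constructed samples: a weak nginx setup, its hardened form, and a weak snmpd.conf.
WEAK_NGINX = """
server {
    listen 80;
    location / { proxy_pass http://app; }
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    location / { proxy_pass http://app; }
}
"""
HARDENED_NGINX = """
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1.3;
    location / { proxy_pass http://app; }
}
"""
WEAK_SNMPD = """
rocommunity public 10.0.0.0/8
com2sec readonly 10.0.5.0/24 legacy42
rouser monitor authpriv
"""

if __name__ == "__main__":
    for f in audit_nginx(WEAK_NGINX) + audit_snmpd(WEAK_SNMPD):
        print(f"[{f.issue}] {f.source}: {f.detail}")
    print("hardened nginx findings:", audit_nginx(HARDENED_NGINX))
```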

Network Misconfigurations

A simple misconfiguration of a network protocol or rule can expose an entire server, database, or cloud resource. Typing one wrong line of code or failing to set up routers or switches securely can contribute to configuration errors. Misconfigured network security commands are also challenging to find because the rest of the hardware or software appears to be working properly. Misconfigurations also include improperly deployed switches and routers.

Common misconfigurations include using default or factory configurations on hardware and software and failing to segment networks, set access controls on your applications, or patch immediately.

Using the Equipment’s Default Configuration

Default credentials are factory-set usernames and passwords on networking hardware and software. They’re often very easy for attackers to guess and may even use basic words like “admin” or “password.” 

Defending Against Default Configuration Threats

To prevent security issues caused by default configurations:

  • Change all credentials: Switch any default usernames or passwords immediately to stronger, hard-to-guess credentials.
  • Make regular password updates: After the initial password change, switch them every few months.

Insufficient Segmentation

Network segmentation is a technology that splits a network into different sections. If a network isn’t divided into subnetworks, malicious traffic has a much easier time traveling all throughout the network, with the opportunity to compromise many different systems or applications.

Defending Against Network Segmentation Threats

Segment networks into subnetworks and create security barriers between them. Segmentation technologies involve setting policies for each network, managing which traffic can move between subnets, and decreasing lateral movement.

Access Misconfigurations 

Misconfigured access controls happen when teams fail to securely implement access and authentication protocols, like strong passwords and multi-factor authentication. This is a significant risk to your entire network. Both on-premises and cloud-based systems need access controls, including public cloud buckets that don’t require authentication methods by default. Network users need to be both authorized and authenticated.

Authentication requires the user to present PINs, passwords, or biometric scans to help prove they are who they say they are. Authorization permits the user to view data or applications once they verify themselves and their identity is trusted. Access controls allow organizations to set privilege levels like read-only and editing permissions. Otherwise, you run the risk of a privilege escalation attack, which occurs when a threat actor enters the network and moves laterally by escalating their user privileges.

Defending Against Access Misconfiguration Threats

Use these tips to reduce access-related misconfiguration risks:

  • Require credentials for every application: This includes databases, client management systems, and all on-premises and cloud software.
  • Don’t forget your cloud resources: Cloud buckets accessible on the internet should have access barriers; otherwise, they’re visible to anyone who has the bucket’s URL.
  • Deploy zero trust: Employees should only have the access level they need to do their job, known as the principle of least privilege or zero trust. This helps decrease insider fraud and accidental errors.

Obsolete & Unpatched Network Resources

Network hardware and software vulnerabilities are flaws that tend to reveal themselves over time, which requires IT and network technicians to stay apprised of threats as vendors or researchers announce them.

Obsolete routers, switches, or servers aren’t able to use the most recent security updates. These devices then require additional protective controls. Other old devices, like hospital equipment, often can’t be abandoned entirely, so enterprises will likely have to set up extra security to keep them from putting the rest of the network at risk.

Defending Against Patch Management Threats

Use these key strategies to prevent misconfigurations caused by patch and update failures:

  • Don’t wait to patch known issues: It’s critical for network administrators to patch firmware vulnerabilities immediately. Threat actors move into action quickly once they learn of vulnerabilities, so IT and networking teams should be one step ahead.
  • Automate some of the work: Automated alerts will help your business’s teams keep network resources up to date even if they aren’t on the clock constantly.
  • Reduce hazards caused by old tech: Phase out obsolete devices where possible. They’ll continue to be incompatible with the rest of the network, and it’s challenging to secure an entire network if some hardware doesn’t support it.

Human Security Threats

Your team members make mistakes, whether that’s an accidental line of code or a router password exposed for the whole internet to see. Training providers offer extensive cybersecurity courses just to mitigate the high likelihood that employees will put your infrastructure in danger.

Human error plays a large role in the majority of all data breaches — 85% of them are caused by employee mistakes, according to a study by a Stanford professor and the security provider Tessian. You’ll need to watch for threats borne out of carelessness as well as deliberately malicious behavior — both are possible.

Accidental or Careless Errors

Employees make plenty of accidental security gaffes, including posting passwords on paper or Slack, letting strangers into the office, or plugging unidentified flash drives into a company computer. Sometimes they know the company’s policies but don’t want to follow them because they appear to take more time, like coming up with new passwords for every application instead of reusing them.

Defending Against Threats Caused by Mistakes

To reduce human error episodes:

  • Host cybersecurity training sessions every quarter: Make training interactive so that employees stay engaged, and make sure that new hires immediately know expectations.
  • Install software like password managers: These help employees manage their credentials safely.
  • Implement data loss prevention (DLP) technology: Protecting data is critical for both reputation maintenance and regulatory compliance.
  • Restrict your physical workspace: Don’t allow someone from outside the business into the premises where network hardware and software are hosted.

Intentionally Malicious Insiders

One area of human threat that’s often overlooked is insider threats, which come from employees who intend to harm the business. Although these don’t happen as frequently, they can be even more dangerous. These insiders usually have credentialed access to a network, which makes it much easier for them to steal data.

Malicious insiders exploit proprietary information or customer data, sometimes selling it to a third party. But other insiders may just want revenge if a coworker wronged them, they were terminated, or they believe the business is making unethical decisions. Malicious insider threats are difficult to mitigate because perpetrators may hide their feelings about the company and their intentions over time. And because they often have valid credentials, their effect is harder to track.

Defending Against Threats from Malicious Insiders

The following practices will help your business manage malicious employee behavior:

  • Make security a regular topic: Have conversations about cybersecurity in manager and employee one-on-one meetings. Show employees you’re serious about security.
  • Host more training sessions: They’re especially important because they teach employees to recognize warning signs in the behavior of their own teammates.
  • Implement behavioral analytics: Analytics can help your team at least identify anomalous behavior over time. If an insider is repeatedly leaking data or changing credentials, the pattern may point to deliberate action rather than error.
  • Vet people before hiring: Asking for references and performing background checks, while not a catch-all, helps businesses hire trustworthy individuals.

Read more about developing a cybersecurity culture within your organization and how it reduces your vulnerability to employee mistakes.

Operational Technology

Operational technology (OT) typically refers to hardware and software that observe and control industrial environments. These environments include warehouses, construction sites, and factories. OT allows businesses to manage HVAC, fire safety, and food temperature through network-connected cellular technology.

Enterprise Internet of Things and Industrial Internet of Things (IIoT) devices also fall under operational technology. When connected to a business network, OT can provide an open door for threat actors.

Dangers of Operational Technology

Older OT devices weren’t designed with significant cybersecurity in mind, so whatever legacy controls they had may no longer be adequate — or fixable. Initially, equipment and sensors in plants and construction sites had no internet connection, nor were they 4G- or 5G-enabled. Current OT design makes it easy for an attacker to move laterally through networks. It’s also extremely difficult to implement large-scale security for legacy OT that’s been operating longer than it’s been connected to the internet.

Operational technology often has consequences that go far beyond IT security, especially in critical infrastructure such as food management, healthcare, and water treatment. An OT breach could do more than cost money or jeopardize tech resources like a standard network breach — it could cause injury or death.

Defending Against OT Threats

To secure your enterprise’s OT devices and networks, use these key tips:

  • Perform a detailed audit: You’ll need to know every single device connecting to your company network, and a thorough audit is the best way to do that.
  • Consistently monitor all OT traffic: Any anomalies should send automated alerts to IT and network engineers. Configure alerts so engineers immediately know what’s happening.
  • Use secure connections for all wireless networks: If your OT devices are on Wi-Fi, ensure that the Wi-Fi uses at least WPA2.

VPN Vulnerabilities

Although virtual private networks (VPNs) are security tools designed to create a private tunnel for organizations’ network communications, they can still be breached. Your business should monitor both your direct team’s VPN use and all third-party VPN access.

Employee VPN Usage

VPNs are designed to protect your team’s computing sessions and associated data, like IP addresses and passwords, from prying eyes. However, they don’t always achieve that goal — VPN connections aren’t a foolproof security method and can sometimes still be hacked, especially if the VPN connection has a sudden and brief outage.

Defending Against VPN Threats

Use the methods below to mitigate VPN vulnerabilities within your organization:

  • Implement least privilege access management: Least privilege access gives specified users the permissions they need to do their job and nothing else.
  • Stay on top of patches: Individual VPN solutions can have vulnerabilities of their own, so ensure that your business continually monitors them and patches weaknesses when needed.

Third-Party VPN Access

When businesses give partners or contractors access to their applications using a VPN, it’s very difficult to restrict these third parties’ access to specific permissions. VPNs also don’t keep a lot of data logs to analyze later, so it’s challenging to locate the specific source of a breach if a third party does abuse their permissions.

Defending Against Third-Party VPN Threats

Implement least-privilege access for contractors and other third parties, too. It’ll limit their access to sensitive business data and applications.

Remote Access

Over the last decade, but especially during the COVID-19 pandemic, connecting remotely to office networks and resources became a popular way to complete work from home offices and other locations. Unfortunately, untrusted networks and personal devices put business networks and systems in danger. Two major threats are Remote Desktop Protocol and Wi-Fi networks.

Remote Desktop Protocol

Remote Desktop Protocol (RDP) allows users to use one computer to interface with another remote computer and control it. In the early stages of the pandemic, RDP was one of the most common ransomware attack vectors. Attackers were able to gain entry through RDP’s vulnerabilities or simply brute-force their way in by guessing passwords. Remote access trojans also allow attackers to remotely control a machine once malware has been downloaded onto the computer through an email attachment or other software.

Defending Against RDP Threats

To be as secure as possible, your business should phase out RDP as soon as you can. It’s no longer safe to use. If your team does still decide to use RDP, use these protective methods:

  • Limit password attempts: Users should only be able to input a password a couple of times. This limits brute-force attacks.
  • Set difficult-to-guess passwords: Require good password hygiene for all RDP credentials.
  • Limit access to specific IP addresses: Only whitelist specific addresses attached to employee devices.
  • Configure strict user policies for RDP: This includes least privilege access. Only those who need to connect remotely to perform their job should have access.
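As an added example (not code from the original article), the following Python script turns two of the RDP controls above, the IP allowlist and the failed-attempt limit, into detection logic that runs over constructed Windows Security log lines and produces the kind of automated alert the article recommends. The simplified log format, the 10.20.0.0/16 allowlist and the threshold of five failures in ten minutes are assumptions.

```python
"""Detect RDP brute-force attempts and RDP logons from non-allowlisted sources
using Windows Security log events (constructed sample data, not real telemetry).

Event ID 4625 is Windows' "An account failed to log on" and 4624 is a successful
logon; Logon Type 10 (RemoteInteractive) is the type RDP sessions use. The
thresholds and the allowlist below are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines in a simplified "timestamp key=value ..." export format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2024-05-01T09:00:03 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2024-05-01T09:00:05 EventID=4625 LogonType=10 User=Administrator Src=203.0.113.7
2024-05-01T09:00:07 EventID=4625 LogonType=10 User=root Src=203.0.113.7
2024-05-01T09:00:09 EventID=4625 LogonType=10 User=guest Src=203.0.113.7
2024-05-01T09:00:11 EventID=4625 LogonType=10 User=test Src=203.0.113.7
2024-05-01T09:05:00 EventID=4624 LogonType=10 User=jdoe Src=10.20.0.15
2024-05-01T09:06:00 EventID=4625 LogonType=10 User=jdoe Src=10.20.0.15
2024-05-01T09:30:00 EventID=4624 LogonType=10 User=svc_backup Src=198.51.100.9
2024-05-01T09:31:00 EventID=4625 LogonType=3 User=jdoe Src=10.20.0.15
"""

# Assumed policy: only these networks may reach RDP (the allowlist the article
# recommends), and more than MAX_FAILURES failures from one source within
# WINDOW is treated as a brute-force attempt.
ALLOWED_RDP_SOURCES = [ip_network("10.20.0.0/16")]
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPE = "10"
FAILED_LOGON = "4625"
SUCCESSFUL_LOGON = "4624"


@dataclass(frozen=True)
class Alert:
    kind: str      # "brute_force" or "unallowlisted_source"
    src: str       # source IP address the alert is about
    detail: str    # human-readable description for the alert channel


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        event = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def is_allowlisted(src):
    """True if src falls inside one of the permitted RDP source networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_RDP_SOURCES)


def detect_rdp_threats(log_text):
    """Return a list of Alerts for the RDP-related events in log_text."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> failure timestamps inside WINDOW
    already_flagged = set()                # (kind, src) pairs, to alert once per source
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue   # ignore malformed lines and non-RDP logons
        src = ev.get("Src", "?")
        # Any RDP activity, successful or not, from outside the allowlist means
        # the IP restriction is not being enforced in front of this host.
        if (ev.get("EventID") in (FAILED_LOGON, SUCCESSFUL_LOGON)
                and not is_allowlisted(src) and ("allow", src) not in already_flagged):
            already_flagged.add(("allow", src))
            alerts.append(Alert("unallowlisted_source", src,
                                f"RDP logon attempt from outside allowlist as {ev.get('User')}"))
        if ev.get("EventID") != FAILED_LOGON:
            continue
        window = recent_failures[src]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > WINDOW:
            window.popleft()   # drop failures older than WINDOW
        if len(window) > MAX_FAILURES and ("bf", src) not in already_flagged:
            already_flagged.add(("bf", src))
            alerts.append(Alert("brute_force", src,
                                f"{len(window)} failed RDP logons within {WINDOW}"))
    return alerts


if __name__ == "__main__":
    # In production, replace this print with the team's alert channel (email, chat, SIEM).
    for a in detect_rdp_threats(SAMPLE_LOG):
        print(f"[{a.kind}] {a.src}: {a.detail}")
```

Against the sample data the script raises three alerts: an out-of-allowlist source and then a brute-force alert for 203.0.113.7, and an out-of-allowlist successful logon from 198.51.100.9; the non-RDP failure (Logon Type 3) is ignored.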

Wi-Fi Networks

Other unsecure network connections, like unprotected Wi-Fi, allow thieves to steal credentials and then log into business applications from coffee shops and other public locations. Remote businesses have multiple methods of remote access to company resources, and it’s hard for IT and security teams to lock all of them down.

Defending Against Wi-Fi Threats

If you’re working on a network outside your home, take the following security measures:

  • Make sure the network is private: If you can work in a small coworking space or another home, that’s ideal, but if you’re in a public place, ensure the Wi-Fi requires a password.
  • Use a VPN: Virtual private networks, though not foolproof, help protect your remote connections when Wi-Fi is not secure.

Where Do Network Threats Come From?

Network threats come from an enormous variety of sources, but narrowed down, they can be traced to vectors like devices, humans, network traffic, general security operations, and maintenance failures.

Hardware sometimes has misconfigurations and outdated protocols. Devices that have been infected by malware, like routers, are a threat to the rest of the network. Also, unauthorized devices and unsecured BYOD devices on the network may not have the same security controls as authorized devices and are therefore more vulnerable.

Humans make mistakes, and network security is difficult to manage even for experts because it’s so highly intricate. It’s easy for senior engineers to misconfigure a setting, as experienced as they may be. Additionally, some insiders deliberately manipulate networks for their personal gain.

Malicious packets attempt to enter a network, requiring firewalls and other systems, like IDPS, to prevent them. Malicious traffic comes from multiple locations, so it’s challenging to secure all ports. Traffic IP addresses can be hidden, too, and threat actors can use different IP addresses to avoid network blacklists and thwart threat intelligence.

Sometimes hardware and software fail. DoS and DDoS attacks flood servers and render them unusable. Also, natural disasters and power surges destroy or temporarily take down networks. Although this isn’t a cybersecurity issue at its root, it can certainly weaken security controls, particularly if the main NGFW or other detection and prevention tools go down.

Insufficient Maintenance

Network hardware and software need to be updated with the latest protocols and patches. Unpatched vulnerabilities on network firmware are an open door for attackers. Additionally, if IT and network admins don’t regularly perform vulnerability scans, they won’t be able to identify vulnerabilities as quickly.

Network Security vs. Endpoint Security vs. Application Security

The line between network security, application security, and endpoint security is hard to draw because they all affect each other immensely. In this article, we’ve focused on network threats and excluded threats that originate on applications or endpoints, such as cross-site scripting or ransomware. We define application, endpoint, and network security as follows:

  • Network security: Specific to the network’s infrastructure, including connections between devices like routers and switches.
  • Endpoint security: Specific to devices and users and their effect on an organization overall.
  • Application security: Specific to software programs and their effect on the organization, network, and computer systems.

However, endpoint devices and business applications still affect network security. A malware-infected computer or compromised CRM system can still lead to a network breach. These categories do overlap, but to avoid confusion, we’ve differentiated between them in this guide.

How Can You Detect Threats?

Although network threats come from many sources, enterprises need a reliable set of detection tools and techniques to pinpoint malicious behavior. Firewalls, monitoring, analytics, automation, vulnerability assessments, and deception tactics all help businesses identify threats and give their teams time to develop a solution.

Manage Firewalls

Advanced network perimeter protection like a next-generation firewall can be configured to send alerts when it detects anomalous traffic. If data packets entering the network behave strangely, that’s a warning sign for IT and security teams. Threat intelligence from NGFWs is critical for identifying malicious traffic early. Some firewalls can also block well-known malicious websites. Make sure your team is consistently fine-tuning your firewalls and updating rules as needed.

Monitor Networks

Monitoring network devices and traffic helps enterprises observe patterns over a period of time. Advanced monitoring solutions like NDR are even able to scan encrypted traffic, where some threats may have slipped through the cracks.

Don’t forget to monitor IoT devices on the network — it’s not only challenging to secure IoT devices but also to identify threats from a distributed network of smart devices. Identify all device vulnerabilities and implement network traffic monitoring specifically designed for the Internet of Things. It’s important to locate the root of IoT threats before they spread further through the network.

Implement Machine Learning & Behavioral Analytics

Although firewalls and other perimeter security can identify and halt some traffic, other traffic will breach the network. Using analytics to study traffic as it moves through the network is beneficial for long-term security. A behavioral analytics solution that uses ML should be able to study ongoing traffic patterns and detect malicious behavior. NGFWs and other advanced security solutions often offer ML and behavioral analytics capabilities.

Automate Your Alerts

Security teams can’t study networks 24/7, but automated alerts flag malicious activity immediately after it’s detected. Machine learning and behavioral analytics platforms study patterns in network traffic data. Then automation sends email or Slack alerts to IT personnel immediately once an anomaly is detected.

Scan for Vulnerabilities

Vulnerability scanners examine devices and assets and compare them against a database of known vulnerabilities to identify issues like misconfigurations and outdated software. Some scanners categorize vulnerabilities by their level of risk. Some vulnerability scanning solutions also help businesses maintain compliance with cybersecurity and data protection regulations by creating policies and rules that enforce particular standards.

Perform Penetration Testing

Pentesting gives enterprises clear, actionable information about their network security by hiring expert hackers to find vulnerabilities in the network. These hackers identify specific areas of weakness in web-facing assets like applications, firewalls, and servers. Consider learning more about the differences between pen testing and vulnerability testing.

Create Honeypots

A computer system or application specifically designed to trap attackers is called a honeypot. For example, a honeypot could be a database set up with a tempting name, implying sensitive information is stored there. It’s designed to help teams study threat actor behavior before the threat actors get to critical assets. Other examples of a honeypot include an additional router or a firewall that protects a fake database. Some vendors offer this as deception technology.

Bottom Line: Tracking & Preventing Network Security Threats

The need for tight cybersecurity defenses has risen steeply in the last five years. The rise of ransomware and the sophisticated tactics of bad actors necessitate equally strong action from enterprises. No longer can IT teams and engineers sit back and hope that a firewall or good passwords will save them from the vulnerabilities that besiege their network.

Keep a close eye on all the threats mentioned above, and train your teams to detect threats and prevent them. Ensure that you don’t let little things slide — small misconfigurations or unpatched vulnerabilities can still cost the business millions of dollars if successfully exploited. It’ll take time, but commit to implementing consistent and careful cybersecurity practices within your business, and eventually network security will be an immediate and natural response to threats.

Is your business concerned about protecting your network from ransomware? Read about preventing ransomware attacks next.

Jenna Phipps
Shweta Sharma

SAP users are at high risk as hackers exploit application vulnerabilities

Research highlights heightened threat actor interest in SAP systems, targeting poorly patched organizations.


Threat actors’ targeting of SAP vulnerabilities is currently at its peak, as the number of SAP systems compromised in ransomware incidents has grown fivefold since 2021, according to joint research by Flashpoint and Onapsis.

Based on SAP threat intelligence from Onapsis Research Labs and Flashpoint Threat Intelligence Platform, the research found that multiple, unpatched application-level SAP vulnerabilities are being exploited and used in ransomware campaigns.

“This research leverages the combined experience of Onapsis Research Labs on SAP Threats, Vulnerabilities, and Threat Intelligence, with the Flashpoint Threat Intelligence platform, intelligence, and vulnerability data,” said Juan Perez-Etchegoyen, CTO at Onapsis. “We kicked off this research end of last year because we were seeing indications of an increase in the Threat Activity in certain areas, targeting SAP Applications, specifically during 2023.”

The research highlights that all the vulnerabilities found exploited within the research have already been patched by their respective vendors, indicating threat actors’ continued targeting of organizations with weak cybersecurity governance for SAP applications.

Exploits were financially motivated

Among the many attack types exploiting the SAP vulnerabilities, ransomware emerged as the most preferred, indicating a strong motivation for paydays.

“Threat actors have different motivations but most of them are looking to profit out of their compromises,” said Paul Laudanski, director of security research at Onapsis. “They do that by exfiltrating sensitive data such as financial statements or performing financial fraud. Additionally, the ones involved in ransomware also profit out of asking for the ransom or even auctioning the exfiltrated data to the highest bidder, advertising it to competitors for example.”

They are successful in doing this because the exfiltrated data is sensitive to the business that owns it and, in some instances, its loss disrupts that business’s operations, which encourages ransom payment, according to Laudanski.

In an analysis of ransomware data over the last three years and isolating incidents that directly involved compromise of SAP-based data, the researchers were able to conclude that, since 2021, there has been a 400% growth in the number of attacks.

The leading ransomware groups involved in such attacks included Conti, Quantum, LockBit, Blackcat, HIVE, REvil, and Netwalker.

Additionally, a few of the attacks targeting SAP systems data were also found to have been a part of a state-sponsored campaign. “One of the examples of Threat Actors known to target SAP Applications is APT10, known to be associated with Chinese state backing,” Perez-Etchegoyen added.

Heightened dark web chatter

According to the research, conversations on SAP vulnerabilities and exploits have increased by 490% across the open, deep, and dark web from 2021 to 2023. The conversations primarily focused on how to exploit the vulnerabilities, guidance for the execution of exploitation for certain victims, and monetizing SAP compromises.

Additionally, the researchers found that the price for remote code execution (RCE) attacks for SAP applications increased by 400% from 2020 to 2023.

“We see the elevated interest on exploits to target SAP applications, as the site (exploit brokers) is offering a bounty of ‘up to $50,000’ for a remote code execution (RCE) affecting SAP NetWeaver-based systems,” the researchers said in the report. “Similarly, and more recently, CrowdFence released its updated price list on April 8th, 2024, highlighting SAP RCE Exploits for up to $250,000.”

A few high-severity (>9/10 CVSS) vulnerabilities exploited to compromise SAP systems included CVE-2010-5326, CVE-2016-2386, CVE-2020-6207, CVE-2020-6287, CVE-2021-38163, CVE-2021-33690, CVE-2022-22536, CVE-2022-6287, and CVE-2022-6207.

To minimize associated risks, as pointed out in the research, organizations should identify and secure business-critical processes and data supported by SAP, mitigate all the vulnerabilities outlined in the list, ensure SOC visibility into SAP indicators of compromise (IoCs), and integrate SAP landscape into vulnerability management, security monitoring and threat detection, secure development lifecycle and threat intelligence.

“We believe this research confirms the need by Organizations to address cybersecurity around SAP Applications, given the nature of the focus that threat actors are placing in targeting SAP Applications through regular campaigns as well as in conjunction with Ransomware,” Perez-Etchegoyen added.

Shweta Sharma is a senior journalist covering enterprise information security and digital ledger technologies for IDG’s CSO Online, Computerworld, and other enterprise sites.

COMMENTS

  1. Featured Papers on Network Security and Privacy

    Feature papers represent the most advanced research with significant potential for high impact in the field. A Feature Paper should be a substantial original Article that involves several techniques or approaches, provides an outlook for future research directions and describes possible research applications. ... The featured papers on Network ...

  2. (PDF) ADVANCES IN NETWORK SECURITY: A COMPREHENSIVE ...

    The report proposes new research directions to advance research. This paper discusses network security for secure data communication. ... The methodology adopted in this paper is a review of ...

  3. Present and Future of Network Security Monitoring

    Abstract: Network Security Monitoring (NSM) is a popular term to refer to the detection of security incidents by monitoring the network events. An NSM system is central for the security of current networks, given the escalation in sophistication of cyberwarfare. In this paper, we review the state-of-the-art in NSM, and derive a new taxonomy of the functionalities and modules in an NSM system.

  4. Research paper A comprehensive review study of cyber-attacks and cyber

    Network Security: Network security protects the computer network from disruptors, which can be malware or hacking. Network security is a set of solutions that enable organizations to keep computer networks out of the reach of hackers, organized attackers, and malware (Zhang, 2021).

  5. network security Latest Research Papers

    Wireless Network Security. Wireless Router. Network Security System. The use of computer networks in an agency aims to facilitate communication and data transfer between devices. The network that can be applied can be using wireless media or LAN cable. At SMP XYZ, most of the computers still use wireless networks.

  6. A review on graph-based approaches for network security ...

    This survey paper provides a comprehensive overview of recent research and development in network security that uses graphs and graph-based data representation and analytics. The paper focuses on the graph-based representation of network traffic records and the application of graph-based analytics in intrusion detection and botnet detection. The paper aims to answer several questions related ...

  7. Full article: Network security

    The goal of this paper is to communicate an updated perspective of network security for organizations, and researchers in the field and present some recommendations to tackle the current situation of security threats. Keywords: cyber attacks. data breaches. intrusions. network security. security intelligence.

  8. PDF Network Security Threats and Protection Models

    This paper discusses the possible exploits on typical network components, it will cite real life scenarios, and propose practical ... it describes some of the key efforts done by the research community to prevent such attacks, mainly by using Firewall and Intrusion Detection Systems. 2. NETWORK SECURITY THREAT MODELS Network security refers to ...

  9. Network Security: A Brief Overview of Evolving ...

    Challenges in the aspects of security and continuous availability of the ICT resources and services, trigger the evolution of network security strategies. In this review paper, a brief overview of ...

  10. Wireless sensor network security: A recent review based on state-of-the

    Wireless sensor network security is provided on two levels. On the first level, encryption methods and firewalls are utilised to protect the network from outside attackers. Intrusion detection systems (IDS) are employed to defend against internal intruders at the second level. ... By reviewing earlier research on the subject, this paper ...

  11. Cyber risk and cybersecurity: a systematic review of data ...

    Depending on the amount of data, the extent of the damage caused by a data breach can be significant, with the average cost being USD 392 million (IBM Security 2020). This research paper reviews the existing literature and open data sources related to cybersecurity and cyber risk, focusing on the datasets used to improve academic ...

  12. Network Security

    Opening the network to DevOps without letting threats inside. Kurt Glazemakers. December 2021. Read the latest articles of Network Security at ScienceDirect.com, Elsevier's leading platform of peer-reviewed scholarly literature.

  13. An Overview of Wireless Network Security

    While assuming the role of Chief Security Officer, Network Security Designer, and Network Security Administrator, the intention of this research was to identify principle elements related to network security and provide an overview of potential threats, vulnerabilities, and countermeasures associated with technology designed to the IEEE 802.11 wireless LAN standard. In addition, fundamental ...

  14. Artificial intelligence for cybersecurity: Literature review and future

    The article is a full research paper (i.e., not a presentation or supplement to a poster). ... device authentication is the process of authenticating devices based on their credentials or behaviour in the network to ensure the security of machine-to-machine communication. Researchers are actively working in the field of sensor identification ...

  15. A Survey on Network Slicing Security: Attacks, Challenges, Solutions

    Hence, enhancing NS security, privacy, and trust has become a key research area toward realizing the true capabilities of 5G. This paper presents a comprehensive and up-to-date survey on NS security. The paper articulates a taxonomy for NS security and privacy, laying the structure for the survey.

  16. (PDF) Network Security and Cryptography Challenges and ...

    ... secret. The most important goals of modern cryptography are the preservation of users' privacy, the maintenance of data integrity, and the verification of information validity [4]. Finding a ...

  17. Research on the Key Technologies of Network Security-Oriented ...

    In today's increasingly severe network security situation, network security situational awareness provides a more comprehensive and feasible new idea for the inadequacy of various single solutions and is currently a research hotspot in the field of network security. At present, there are still gaps or room for improvement in network security situational awareness in terms of model scheme ...

  18. A Review Paper on Network Security and Cryptography

    Network cryptography and security protects wireless networks and data communications and the data stored on our systems. Cryptography is a cybersecurity strategy that uses codes such as encryption to protect company information and communications from cyber threats.

  19. Network traffic classification model based on attention ...

    Traffic classification is widely used in network security and network management. Early studies have mainly focused on mapping network traffic to different unencrypted applications, but little research has been done on network traffic classification of encrypted applications, especially the underlying traffic of encrypted applications. To address the above issues, this paper proposes a network ...

  20. Advancements in computer network technologies: A review

    From 5G networks and the Internet of Things to network security and quantum networking, this review explores the current state of computer networks and their prospects. This article presents a comprehensive review of recent advancements in computer network technologies, emphasizing their impact on various sectors. The rapid evolution of computer networks has transformed communication, work ...

  21. Evaluating Network Security Configuration (NSC) Practices in Vehicle

    Android applications have historically faced vulnerabilities to man-in-the-middle attacks due to insecure custom SSL/TLS certificate validation implementations. In response, Google introduced the Network Security Configuration (NSC) as a configuration-based solution to improve the security of certificate validation practices.

  22. Security and privacy protection in cloud computing ...

    From information security, network security to cloud computing security, the constant requirement of security is the confidentiality and privacy protection of information. According to the annual report of the Cloud Security Alliance (CSA) and the research results of relevant scholars in literature, we can conclude several threats to privacy ...

  23. Internet of things technology, research, and challenges: a survey

    The world of digitization is growing exponentially; data optimization, security of a network, and energy efficiency are becoming more prominent. The Internet of Things (IoT) is the core technology of modern society. This paper is based on a survey of recent and past technologies used for IoT optimization models, such as IoT with Blockchain, IoT with WSN, IoT with ML, and IoT with big data ...

  24. Top 19 Network Security Threats + Defenses for Each

    Employees make plenty of accidental security gaffes, including posting passwords on paper or Slack, letting strangers into the office, or plugging unidentified flash drives into a company computer ...

  25. Electronics

    Web3.0, as the link between the physical and digital domains, faces increasing security threats due to its inherent complexity and openness. Traditional intrusion detection systems (IDSs) encounter formidable challenges in grappling with the multidimensional and nonlinear traffic data characteristic of the Web3.0 environment. Such challenges include insufficient samples of attack data ...

  26. (PDF) Network Security

    On Nov 13, 2019, Alfred Tan Yik Ern published Network Security on ResearchGate.

  27. SAP users are at high risk as hackers exploit application

    According to the research, conversations on SAP vulnerabilities and exploits have increased by 490% across the open, deep, and dark web from 2021 to 2023. The conversations primarily focused on ...

  28. Computer Network Security and Technology Research

    Network security problems exist across all layers of the computer network, and the network security objective is to maintain the confidentiality, authenticity, integrity, dependability, availability and auditability of the network. This paper introduces the main network security technologies in detail, including authentication, data ...