Title SSL Encryption Traffic Attack Behavior Recognition Method Based on Traffic Behavior Characteristics
Authors Weijie Song; Zufeng Hou; Sixiao Guo; Zhige Liao; Jiadong Yan
DOI https://doi.org/10.5573/IEIESPC.2026.15.2.272
Page pp.272-283
ISSN 2287-5255
Keywords Traffic behavior characteristics; SSL; Encrypted traffic; Attack behavior; Identification method
Abstract In recent years, cyberattackers have increasingly exploited SSL/TLS encrypted traffic to hide their attacks, including but not limited to distributed denial of service (DDoS) attacks, malware propagation, data theft, and botnet control. Traditional content-based security detection methods are ineffective against encrypted traffic, as they cannot directly analyze the content, posing a serious threat to the safe and stable operation of network systems. To address this challenge, we propose a method to identify SSL encryption traffic attack behavior based on traffic behavior characteristics. Our approach introduces advanced statistical features, such as autocorrelation functions and sliding window statistics, to capture the dynamic behavior patterns of encrypted traffic. In the feature optimization and selection phase, we use information gain and mutual information to select the most effective feature set through recursive reduction, wrapping, and embedding strategies. For model fusion, we discuss ensemble learning methods, detailing the weight assignment and result fusion processes, and establish an adaptive learning mechanism by combining online learning and feedback adjustment. We evaluate the prediction performance, resource consumption, and processing speed of our model using a comprehensive performance evaluation framework. The experimental part of this study uses a comprehensive encrypted traffic dataset, covering a wide range of normal network activities and encrypted malicious behavior examples. Experimental results show that single models such as GBT, CNN, XGBoost, LightGBM, and ResNet perform well in terms of accuracy, recall, and F1 score. The performance of the weighted average fusion model with multiple weight configurations is further improved, demonstrating the impact of different weight configurations on model performance. 
Additionally, the performance of the Boosting model improves as the number of iterations increases, highlighting the effect of iteration count on model performance. Our findings provide a robust and efficient solution for detecting and mitigating SSL/TLS encrypted traffic attacks, enhancing the overall security and stability of network systems. This research is significant because it addresses a critical gap in current cybersecurity practices and offers a practical approach to securing encrypted traffic. Experimental results show that the proposed method performs well in terms of precision, recall, and F1 score, outperforming single models.
Our research provides network administrators with powerful tools to effectively detect and block malicious activities in encrypted traffic without sacrificing privacy.