Research on Covert Transformation Method for Malicious Communication Behavior Based on Packet Length Sequence

doi:10.3969/j.issn.1671-1122.2025.05.011

Abstract

Abstract:

To supply variant malicious traffic to network intrusion detection systems (NIDS) for evaluating detection models, this paper investigated a concealment transformation method for malicious communication behavior. First, the paper characterized traffic via packet-length sequences; by modifying these sequences, one can guide data-level transformations of malicious traffic to produce realistic and usable variants, thereby altering packet-length-related statistical features to interfere with NIDS detection. Next, based on packetlength sequences, this paper designed a concealment transformation method which selected, as reference traffic, the normal flow whose packetlength sequence most closely matches that of the malicious flow to be transformed, and then apply two strategies—TCP payload padding and segmentation—to adjust the packet sizes in the malicious flow so that its packetlength sequence resembles that of normal traffic, effectively mimicking normal communication behavior. Finally, this paper constructed test datasets using the DoH-Brw and CIC-AAGM datasets. Experimental results show that the variant malicious traffic generated from DoH-Brw achieves an average detection-rate reduction of over 60% across six NIDS, and variants based on CIC-AAGM yield an average reduction of over 30% across four NIDS, thereby demonstrating the effectiveness of proposed method.

Key words: network attacks, traffic obfuscation, malicious traffic

CLC Number:

TP309

YANG Judong, CHEN Xingshu, ZHU Yi. Research on Covert Transformation Method for Malicious Communication Behavior Based on Packet Length Sequence[J]. Netinfo Security, 2025, 25(5): 794-805.

Figures/Tables 12

References 21

[1]	DEEPEN D. ThreatLabz Report:87.2% of Threats Delivered over Encrypted Channels[EB/OL]. (2024-12-05)[2025-01-25]. https://www.zscaler.com/blogs/security-research/threatlabz-report-threats-delivered-over-encrypted-channels.
[2]	SIMONOVICH E M V. Highlights from Q3 2024 Cato CTRL SASE Threat Report[EB/OL]. (2024-11-19)[2025-01-25]. https://www.catonetworks.com/blog/highlights-from-q3-2024-cato-ctrl-sase-threat-report/.
[3]	ABDULGANIYU O H, TCHAKOUCHT T A, SAHEED Y K. Towards an Efficient Model for Network Intrusion Detection System(IDS): Systematic Literature Review[J]. Wireless Networks, 2024, 30(1): 453-482.
[4]	HOU Jian, LU Hui, LIU Fang'ai, et al. Detection and Countermeasure of Encrypted Malicious Traffic: A Survey[J]. Journal of Software, 2024, 35(1): 333-355.
	侯剑, 鲁辉, 刘方爱, 等. 加密恶意流量检测及对抗综述[J]. 软件学报, 2024, 35(1): 333-355.
[5]	NIAKANLAHIJI A, ORLOWSKI S, VAHID A, et al. Toward Practical Defense against Traffic Analysis Attacks on Encrypted DNS Traffic[J]. Computers & Security, 2023, 124: 103001-103014.
[6]	QIAN Yuwei, HUANG Guodong, MA Chuan, et al. Enhancing Resilience in Website Fingerprinting: Novel Adversary Strategies for Noisy Traffic Environments[J]. IEEE Transactions on Information Forensics and Security, 2024, 19: 7216-7231.
[7]	XIONG Sijie, SARWATE A D, MANDAYAM N B. Network Traffic Shaping for Enhancing Privacy in IoT Systems[J]. IEEE/ACM Transactions on Networking, 2022, 30(3): 1162-1177.
[8]	VERGUTZ A, SANTOS B V D, KANTARCI B, et al. Data Instrumentation from IoT Network Traffic as Support for Security Management[J]. IEEE Transactions on Network and Service Management, 2023, 20(2): 1392-1404.
[9]	WANG Shunyao, KO R K L, BAI Guangdong, et al. Evasion Attack and Defense on Machine Learning Models in Cyber-Physical Systems: A Survey[J]. IEEE Communications Surveys & Tutorials, 2024, 26(2): 930-966
[10]	ZHU Yiran, CUI Lei, DING Zhenquan, et al. Black Box Attack and Network Intrusion Detection Using Machine Learning for Malicious Traffic[J]. Computers & Security, 2022, 123: 102922-102936.
[11]	WANG Minxiao, YANG Ning, FORCADE-PERKINS N J, et al. ProGen: Projection-Based Adversarial Attack Generation against Network Intrusion Detection[J]. IEEE Transactions on Information Forensics and Security, 2024, 19: 5476-5491.
[12]	ZHANG Rongqian, LUO Senlin, PAN Limin, et al. Generating Adversarial Examples via Enhancing Latent Spatial Features of Benign Traffic and Preserving Malicious Functions[J]. Neurocomputing, 2022, 490(14): 413-430.
[13]	ZHANG Chaoyun, COSTA-PÉREZ X, PATRAS P, et al. Adversarial Attacks against Deep Learning-Based Network Intrusion Detection Systems and Defense Mechanisms[J]. IEEE/ACM Transactions on Networking, 2022, 30(3): 1294-1311.
[14]	HE Daojing, DAI Jiayu, LIU Xiaoxia, et al. Adversarial Attacks for Intrusion Detection Based on Bus Traffic[J]. IEEE Network, 2022, 36(4): 203-209.
[15]	LIU Jian, XIAO Qingsai, JIANG Zhengwei, et al. Effectiveness Evaluation of Evasion Attack on Encrypted Malicious Traffic Detection[C]// IEEE. 2022 IEEE Wireless Communications and Networking Conference (WCNC). New York: IEEE, 2022: 1158-1163.
[16]	YAN Haonan, LI Xiaoguang, ZHANG Wenjing, et al. Automatic Evasion of Machine Learning-Based Network Intrusion Detection Systems[J]. IEEE Transactions on Dependable and Secure Computing, 2024, 21(1): 153-167.
[17]	DEBICHA I, COCHEZ B, KENAZA T, et al. Adv-Bot: Realistic Adversarial Botnet Attacks against Network Intrusion Detection Systems[J]. Computers & Security, 2023, 129: 103176-103190.
[18]	SUN Hanwu, PENG Chengwei, SANG Yafei, et al. Evading Encrypted Traffic Classifiers by Transferable Adversarial Traffic[C]//IEEE. Collaborative Computing:Networking, Applications and Worksharing(CollaborateCom 2022). Heidelberg: Springer, 2022: 153-173.
[19]	XU Zhenning, KHAN H, MURESAN R. TMorph: A Traffic Morphing Framework to Test Network Defenses against Adversarial Attacks[C]// IEEE. 2022 International Conference on Information Networking (ICOIN). New York: IEEE, 2022: 18-23.
[20]	MONTAZERISHATOORI M, DAVIDSON L, KAUR G, et al. Detection of DoH Tunnels Using Time-Series Classification of Encrypted Traffic[C]// IEEE. 2020 IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC). New York: IEEE, 2020: 63-70.
[21]	LASHKARI A H A. KADIR A F, GONZALEZ H, et al. Towards a Network-Based Framework for Android Malware Detection and Characterization[C]// IEEE. 2017 15th Annual Conference on Privacy, Security and Trust (PST). New York: IEEE, 2020: 23300-23309.

训练算法	DoH-Brw		CIC-AAGM
训练算法	召回率	F1分数	召回率	F1分数
RF	0.99	0.99	0.91	0.91
C4.5	0.99	0.98	0.91	0.92
KNN	0.98	0.97	0.82	0.80
XGB	0.99	0.96	0.85	0.88
CNN	0.97	0.97	0.47	0.58
NB	0.93	0.78	0.27	0.33