Behavior-Driven Encrypted Malware Detection with Robust Traffic Representation

Peng Yin; Jizhe Jia; Jing Wang; Yukai Liu; Meng Shen; Liehuang Zhu

doi:10.1007/978-981-96-1548-3_8

Behavior-Driven Encrypted Malware Detection with Robust Traffic Representation

Peng Yin, Jizhe Jia, Jing Wang, Yukai Liu, Meng Shen^*, Liehuang Zhu

^*Corresponding author for this work

School of Cyberspace Science and Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Nowadays, network traffic encryption techniques are widely adopted to protect data confidentiality and prevent privacy leakage during data transmission. However, malware often leverages traffic encryption techniques to conceal their malicious activities or camouflage their traffic as benign traffic. To cope with this problem, most existing encrypted malware traffic detection methods employ machine learning or deep learning models to learn distinct features between malware and benign traffic. Nevertheless, existing methods still encounter one challenge, i.e., robustness to an imbalanced dataset. In this paper, we propose BDMF, a behavior-driven malware fingerprinting method based on deep learning, to achieve encrypted malware traffic detection. We first design a novel traffic representation named Traffic Behavior Matrix (TBM), which can abstract traffic behavior patterns initiated by malware compared with benign traffic. Subsequently, we design an effective classifier based on Convolutional Neural Networks (CNNs), which extract distinctive, robust features to achieve effective malware traffic detection. The robust behavior-driven traffic representation enables the CNN-based model to achieve robustness to an imbalanced dataset. We conduct extensive experiments with a real-world dataset to evaluate the detection performance of BDMF. The experimental results demonstrate BDMF outperforms all baseline methods in different evaluation metrics. Specifically, when the proportion of benign and malware traffic samples reaches 25:1, BDMF achieves an F1 score of 88.28%, which is 19.01% higher than the SOTA method. Moreover, BDMF maintains at least 0.89 precision and 0.85 recall with a relatively low time overhead.

Original language	English
Title of host publication	Algorithms and Architectures for Parallel Processing - 24th International Conference, ICA3PP 2024, Proceedings
Editors	Tianqing Zhu, Jin Li, Aniello Castiglione
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	111-126
Number of pages	16
ISBN (Print)	9789819615476
DOIs	https://doi.org/10.1007/978-981-96-1548-3_8
Publication status	Published - 2025
Event	24th International Conference on Algorithms and Architectures for Parallel Processing, ICA3PP 2024 - Macau, China Duration: 29 Oct 2024 → 31 Oct 2024

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	15255 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	24th International Conference on Algorithms and Architectures for Parallel Processing, ICA3PP 2024
Country/Territory	China
City	Macau
Period	29/10/24 → 31/10/24

Keywords

Encrypted traffic analysis
Malware traffic detection
Traffic fingerprinting

Access to Document

10.1007/978-981-96-1548-3_8

Cite this

Yin, P., Jia, J., Wang, J., Liu, Y., Shen, M., & Zhu, L. (2025). Behavior-Driven Encrypted Malware Detection with Robust Traffic Representation. In T. Zhu, J. Li, & A. Castiglione (Eds.), Algorithms and Architectures for Parallel Processing - 24th International Conference, ICA3PP 2024, Proceedings (pp. 111-126). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 15255 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-981-96-1548-3_8

Yin, Peng ; Jia, Jizhe ; Wang, Jing et al. / Behavior-Driven Encrypted Malware Detection with Robust Traffic Representation. Algorithms and Architectures for Parallel Processing - 24th International Conference, ICA3PP 2024, Proceedings. editor / Tianqing Zhu ; Jin Li ; Aniello Castiglione. Springer Science and Business Media Deutschland GmbH, 2025. pp. 111-126 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{ed4f34ef12d8462ea9d51a55d11d01d4,

title = "Behavior-Driven Encrypted Malware Detection with Robust Traffic Representation",

abstract = "Nowadays, network traffic encryption techniques are widely adopted to protect data confidentiality and prevent privacy leakage during data transmission. However, malware often leverages traffic encryption techniques to conceal their malicious activities or camouflage their traffic as benign traffic. To cope with this problem, most existing encrypted malware traffic detection methods employ machine learning or deep learning models to learn distinct features between malware and benign traffic. Nevertheless, existing methods still encounter one challenge, i.e., robustness to an imbalanced dataset. In this paper, we propose BDMF, a behavior-driven malware fingerprinting method based on deep learning, to achieve encrypted malware traffic detection. We first design a novel traffic representation named Traffic Behavior Matrix (TBM), which can abstract traffic behavior patterns initiated by malware compared with benign traffic. Subsequently, we design an effective classifier based on Convolutional Neural Networks (CNNs), which extract distinctive, robust features to achieve effective malware traffic detection. The robust behavior-driven traffic representation enables the CNN-based model to achieve robustness to an imbalanced dataset. We conduct extensive experiments with a real-world dataset to evaluate the detection performance of BDMF. The experimental results demonstrate BDMF outperforms all baseline methods in different evaluation metrics. Specifically, when the proportion of benign and malware traffic samples reaches 25:1, BDMF achieves an F1 score of 88.28%, which is 19.01% higher than the SOTA method. Moreover, BDMF maintains at least 0.89 precision and 0.85 recall with a relatively low time overhead.",

keywords = "Encrypted traffic analysis, Malware traffic detection, Traffic fingerprinting",

author = "Peng Yin and Jizhe Jia and Jing Wang and Yukai Liu and Meng Shen and Liehuang Zhu",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.; 24th International Conference on Algorithms and Architectures for Parallel Processing, ICA3PP 2024 ; Conference date: 29-10-2024 Through 31-10-2024",

year = "2025",

doi = "10.1007/978-981-96-1548-3_8",

language = "English",

isbn = "9789819615476",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "111--126",

editor = "Tianqing Zhu and Jin Li and Aniello Castiglione",

booktitle = "Algorithms and Architectures for Parallel Processing - 24th International Conference, ICA3PP 2024, Proceedings",

address = "Germany",

}

Yin, P, Jia, J, Wang, J, Liu, Y, Shen, M & Zhu, L 2025, Behavior-Driven Encrypted Malware Detection with Robust Traffic Representation. in T Zhu, J Li & A Castiglione (eds), Algorithms and Architectures for Parallel Processing - 24th International Conference, ICA3PP 2024, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 15255 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 111-126, 24th International Conference on Algorithms and Architectures for Parallel Processing, ICA3PP 2024, Macau, China, 29/10/24. https://doi.org/10.1007/978-981-96-1548-3_8

Behavior-Driven Encrypted Malware Detection with Robust Traffic Representation. / Yin, Peng; Jia, Jizhe; Wang, Jing et al.
Algorithms and Architectures for Parallel Processing - 24th International Conference, ICA3PP 2024, Proceedings. ed. / Tianqing Zhu; Jin Li; Aniello Castiglione. Springer Science and Business Media Deutschland GmbH, 2025. p. 111-126 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 15255 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Behavior-Driven Encrypted Malware Detection with Robust Traffic Representation

AU - Yin, Peng

AU - Jia, Jizhe

AU - Wang, Jing

AU - Liu, Yukai

AU - Shen, Meng

AU - Zhu, Liehuang

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.

PY - 2025

Y1 - 2025

N2 - Nowadays, network traffic encryption techniques are widely adopted to protect data confidentiality and prevent privacy leakage during data transmission. However, malware often leverages traffic encryption techniques to conceal their malicious activities or camouflage their traffic as benign traffic. To cope with this problem, most existing encrypted malware traffic detection methods employ machine learning or deep learning models to learn distinct features between malware and benign traffic. Nevertheless, existing methods still encounter one challenge, i.e., robustness to an imbalanced dataset. In this paper, we propose BDMF, a behavior-driven malware fingerprinting method based on deep learning, to achieve encrypted malware traffic detection. We first design a novel traffic representation named Traffic Behavior Matrix (TBM), which can abstract traffic behavior patterns initiated by malware compared with benign traffic. Subsequently, we design an effective classifier based on Convolutional Neural Networks (CNNs), which extract distinctive, robust features to achieve effective malware traffic detection. The robust behavior-driven traffic representation enables the CNN-based model to achieve robustness to an imbalanced dataset. We conduct extensive experiments with a real-world dataset to evaluate the detection performance of BDMF. The experimental results demonstrate BDMF outperforms all baseline methods in different evaluation metrics. Specifically, when the proportion of benign and malware traffic samples reaches 25:1, BDMF achieves an F1 score of 88.28%, which is 19.01% higher than the SOTA method. Moreover, BDMF maintains at least 0.89 precision and 0.85 recall with a relatively low time overhead.

AB - Nowadays, network traffic encryption techniques are widely adopted to protect data confidentiality and prevent privacy leakage during data transmission. However, malware often leverages traffic encryption techniques to conceal their malicious activities or camouflage their traffic as benign traffic. To cope with this problem, most existing encrypted malware traffic detection methods employ machine learning or deep learning models to learn distinct features between malware and benign traffic. Nevertheless, existing methods still encounter one challenge, i.e., robustness to an imbalanced dataset. In this paper, we propose BDMF, a behavior-driven malware fingerprinting method based on deep learning, to achieve encrypted malware traffic detection. We first design a novel traffic representation named Traffic Behavior Matrix (TBM), which can abstract traffic behavior patterns initiated by malware compared with benign traffic. Subsequently, we design an effective classifier based on Convolutional Neural Networks (CNNs), which extract distinctive, robust features to achieve effective malware traffic detection. The robust behavior-driven traffic representation enables the CNN-based model to achieve robustness to an imbalanced dataset. We conduct extensive experiments with a real-world dataset to evaluate the detection performance of BDMF. The experimental results demonstrate BDMF outperforms all baseline methods in different evaluation metrics. Specifically, when the proportion of benign and malware traffic samples reaches 25:1, BDMF achieves an F1 score of 88.28%, which is 19.01% higher than the SOTA method. Moreover, BDMF maintains at least 0.89 precision and 0.85 recall with a relatively low time overhead.

KW - Encrypted traffic analysis

KW - Malware traffic detection

KW - Traffic fingerprinting

UR - http://www.scopus.com/inward/record.url?scp=85218953113&partnerID=8YFLogxK

U2 - 10.1007/978-981-96-1548-3_8

DO - 10.1007/978-981-96-1548-3_8

M3 - Conference contribution

AN - SCOPUS:85218953113

SN - 9789819615476

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 111

EP - 126

BT - Algorithms and Architectures for Parallel Processing - 24th International Conference, ICA3PP 2024, Proceedings

A2 - Zhu, Tianqing

A2 - Li, Jin

A2 - Castiglione, Aniello

PB - Springer Science and Business Media Deutschland GmbH

T2 - 24th International Conference on Algorithms and Architectures for Parallel Processing, ICA3PP 2024

Y2 - 29 October 2024 through 31 October 2024

ER -

Yin P, Jia J, Wang J, Liu Y, Shen M , Zhu L. Behavior-Driven Encrypted Malware Detection with Robust Traffic Representation. In Zhu T, Li J, Castiglione A, editors, Algorithms and Architectures for Parallel Processing - 24th International Conference, ICA3PP 2024, Proceedings. Springer Science and Business Media Deutschland GmbH. 2025. p. 111-126. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-981-96-1548-3_8