APSIPA Transactions on Signal and Information Processing > Vol 12 > Issue 2

Malicious Network Traffic Detection for DNS over HTTPS using Machine Learning Algorithms

Lionel F. Gonzalez Casanova, Department of Electrical Engineering, Yuan Ze University, Taiwan
Po-Chiang Lin, Department of Electrical Engineering, Yuan Ze University, Taiwan, pclin@saturn.yzu.edu.tw
 
Suggested Citation
Lionel F. Gonzalez Casanova and Po-Chiang Lin (2023), "Malicious Network Traffic Detection for DNS over HTTPS using Machine Learning Algorithms", APSIPA Transactions on Signal and Information Processing: Vol. 12: No. 2, e11. http://dx.doi.org/10.1561/116.00000058

Publication Date: 19 Apr 2023
© 2023 L. F. Gonzalez Casanova and P.-C. Lin
 
Keywords
Network attack, Anomaly detection, Machine learning, Recurrent neural network
 

Open Access

This is published under the terms of CC BY-NC.

Downloaded: 776 times

Abstract

Machine learning is an effective analysis tool for tackling the challenge of detecting suspicious events in network traffic flows. In this paper, our major contribution is to process and transform the CIRA-CIC-DoHBrw-2020 time-series dataset to train deep learning models for network intrusion detection. Our detection algorithms classify the data in a two-layer approach. At the first layer, we classify traffic as DNS over HTTPS (DoH) or non-DoH, and at the second layer, we characterize DoH traffic as benign or malicious. We use 26 of the 34 features that describe every pattern of network traffic. The DoH predictions from the first layer are passed to the second layer, which characterizes them as benign or malicious DoH. We then feed the data to a fully connected neural network and four types of Recurrent Neural Networks: Long Short-Term Memory, Bidirectional Long Short-Term Memory, Gated Recurrent Unit, and Deep Recurrent Neural Network. The proposed methods are simple and efficient, so they can be applied to computer systems with limited resources. The generated models are small, so they can be easily and quickly deployed into the internet network environment.

DOI: 10.1561/116.00000058

Companion

APSIPA Transactions on Signal and Information Processing Special Issue - Learning, Security, AIoT for Emerging Communication/Networking Systems