TGPrint: Attack fingerprint classification on encrypted network traffic based graph convolution attention networks

Full description

Bibliographic details
Published in: Computers & Security 2023-12, Vol. 135, p. 103466, Article 103466
Main authors: Wang, Leiqi; Ma, Xiu; Li, Ning; Lv, Qiujian; Wang, Yan; Huang, Weiqing; Chen, Haiyan
Format: Article
Language: eng
Subjects:
Online access: Full text
Description
Summary: Nowadays, most network traffic is encrypted, which protects user privacy but also hides attack traces, further hindering the identification of attacks by inspecting traffic packets. Machine Learning (ML) methods are widely applied to attack classification on encrypted traffic because they require no manual analysis. However, existing studies concentrate only on basic statistical features and cannot capture the crucial attack behaviors hidden in encrypted traffic. Worse still, attackers constantly update their attack vectors to evade detection, which means outdated features extracted from historical traffic fail to recognize unseen attacks. As a solution, we propose an attack classification approach, attack fingerprint based on graphs of time-windows (TGPrint). We first filter out normal traffic flows using ML models, eliminating the impact of useless, noisy data on attack classification while retaining suspicious traffic. Then, we create attack graphs from the suspicious traffic, which contains the crucial attack behaviors, to depict the interaction behaviors between attacker and victim hosts. In addition, we divide each attack into a specific duration to elaborate the attack graphs precisely, and from these graphs we extract temporal, statistical, and aggregate features to portray attack behaviors. Finally, we utilize Graph Neural Networks (GNNs) to mine and grasp the crucial behavior patterns in the attack graphs, generate fingerprints, and classify attacks, even unseen ones. Extensive experiments are conducted on well-known datasets to verify our approach. It achieves a precision of 99% in attack classification on encrypted traffic, on average 50% higher than other ML methods. Meanwhile, it classifies unseen attacks with an average accuracy of over 80% and is strongly robust to false positives.
ISSN: 0167-4048
DOI: 10.1016/j.cose.2023.103466