Catalogue Search | MBRL
160 result(s) for "traffic payload"
Mapping Cyber Bot Behaviors: Understanding Payload Patterns in Honeypot Traffic
2025
Cyber bots have become prevalent across the Internet ecosystem, making behavioral understanding essential for threat intelligence. Since bot behaviors are encoded in traffic payloads that blend with normal traffic, honeypot sensors are widely adopted for capture and analysis. However, previous works face adaptation challenges when analyzing large-scale, diverse payloads from evolving bot techniques. In this paper, we conduct an 11-month measurement study to map cyber bot behaviors through payload pattern analysis in honeypot traffic. We propose TrafficPrint, a pattern extraction framework to enable adaptable analysis of diverse honeypot payloads. TrafficPrint combines representation learning with clustering to automatically extract human-understandable payload patterns without requiring protocol-specific expertise. Our globally distributed honeypot sensors collected 21.5 M application-layer payloads. Starting from only 168 K labeled payloads (0.8% of data), TrafficPrint extracted 296 patterns that automatically labeled 83.57% of previously unknown payloads. Our pattern-based analysis reveals actionable threat intelligence: 82% of patterns employ semi-customized structures balancing automation with targeted modifications; 13% contain distinctive identity markers enabling threat actor attribution, including CENSYS’s unique signature; and bots exploit techniques like masquerading as crawlers, embedding commands in brute-force attacks, and using base64 encoding for detection evasion.
Journal Article
Enhancing encrypted HTTPS traffic classification based on stacked deep ensembles models
2025
The classification of encrypted HTTPS traffic is a critical task for network management and security, where traditional port or payload-based methods are ineffective due to encryption and evolving traffic patterns. This study addresses the challenge using the public Kaggle dataset (145,671 flows, 88 features, six traffic categories: Download, Live Video, Music, Player, Upload, Website). An automated preprocessing pipeline is developed to detect the label column, normalize classes, perform a stratified 70/15/15 split into training, validation, and testing sets, and apply imbalance-aware weighting. Multiple deep learning architectures are benchmarked, including DNN, CNN, RNN, LSTM, and GRU, capturing different spatial and temporal patterns of traffic features. Experimental results show that CNN achieved the strongest single-model performance (Accuracy 0.9934, F1_macro 0.9912, ROC-AUC_macro 0.9999). To further improve robustness, a stacked ensemble meta-learner based on multinomial logistic regression was trained on model outputs, achieving state-of-the-art performance with Accuracy 0.9949, Precision_macro 0.9923, Recall_macro 0.9941, F1_macro 0.9932, and ROC-AUC_macro 0.9998. The framework also outputs confusion matrices, ROC curves, and learning curves for interpretability. To ensure reproducibility and practical use, the full codebase is publicly available on GitHub, providing researchers and practitioners with a deployment-ready pipeline for encrypted traffic analytics where ensemble learning surpasses individual models.
Journal Article
Encrypted traffic classification encoder based on lightweight graph representation
2025
In recent years, traffic encryption technology has been widely adopted for user information protection, leading to a substantial increase in encrypted traffic in communication networks. To address issues such as unclear local key features and low classification accuracy in traditional malicious traffic detection and normal application classification, this paper introduces an encrypted traffic classification encoder based on lightweight graph representation. By converting packet byte sequences into graphs to construct byte-level traffic graphs, we propose building a weighted output applied through a weight matrix to facilitate model lightweighting. The lightweight graph representation serves as the network input, and the design mainly includes an embedding layer, a traffic encoder layer based on graph neural networks, and a time information extraction layer, which can separately embed headers and payloads. We propose using GraphSAGE with sampling averaging to encode each byte-level traffic graph into an overall representation vector for each packet. For end-to-end training, an improved Transformer-based model is employed with relative position encoding of time series to generate final classification results for downstream tasks. To evaluate the reliability of the method, the proposed approach is tested on three application classification datasets: WWT, ISCX-2012, and ISCX-Tor, for classifying network encrypted traffic and conducting ablation experiments for comparison. Ultimately, comparisons are made with more than 12 baseline models. The results show that the F1 scores reached 0.9938 and 0.9856 on ISCX-2012 and ISCX-Tor, respectively. Through lightweight experiments, it is found that the number of parameters is reduced by 18.2% compared to that of the original model TFE-GNN. Therefore, the results indicate that the proposed improved method can enhance the accuracy of detecting network traffic applications and abnormal behaviors while reducing the model’s parameter count. Considering both the model parameters and accuracy dimensions, this paper introduces a lightweight graph representation-based encrypted traffic classification encoder that outperforms various existing models.
Journal Article
An Investigation of Garbage Disposal Electric Vehicles (GDEVs) Integrated with Deep Neural Networking (DNN) and Intelligent Transportation System (ITS) in Smart City Management System (SCMS)
by Praghash, K.; Karthikeyan, T.; Raja, R. Arshath
in Artificial intelligence, Artificial neural networks, Blockchain
2022
A smart city is an urban developed city that delivers smarter solutions to its residents, especially using Information and Communication Technology. The conventional smart city management modules use sensors or IoT devices in conjunction with an Intelligent Traffic System (ITS); however, these frameworks fail in managing Electric Vehicle (EV) routing with security, or in scheduling the EVs for charging and smart energy distribution for the EVs. In this paper, we present a novel Smart City Management System (SCMS) in which three immersive technologies are integrated to improve the management of garbage disposal EVs (GDEVs). Initially, the study uses IoT devices to collect the status of garbage bins. Secondly, the ITS is integrated with Deep Neural Networks (DNNs) to manage the GDEVs for effective traffic management and speed monitoring based on collected information such as garbage payloads, climatic conditions, and the distance between collection and disposal of waste, etc. Finally, all data transmitted between IoT devices and EVs is secured effectively using blockchain technology, which protects it against cybersecurity attacks. The experimental validation of the proposed SCMS with DNN-ITS and a secured blockchain model offers improved energy efficiency, faster transmission and enhanced security capabilities compared with existing methods.
Journal Article
IoT device identification based on network traffic
by Li, Qizhen; Zhu, Min; Zhang, Jian
in Communications Engineering, Communications traffic, Computer Communication Networks
2025
With the rapid development of IoT technology, a large number of complex and diverse IoT devices are widely deployed, which brings new challenges for device identification due to the heterogeneous nature of devices. This paper proposes a network traffic-based IoT device recognition method to address the high cost of feature extraction in traditional recognition methods and their potential for privacy leakage. The proposed method requires only a short period of network traffic data from IoT devices, and extracts the protocol statistical features and flow-level statistical features of this data. It avoids in-depth inspection of packet payloads and effectively reduces the cost of feature extraction. Empirical studies on two widely recognized public datasets demonstrate that the proposed method can improve the performance of device identification while ensuring privacy security. The proposed method provides users with a low-cost, high-efficiency IoT device identification solution with strong privacy protection, which promotes wider and more secure application of IoT technology.
Journal Article
Using Object Detection Network for Malware Detection and Identification in Network Traffic Packets
2020
In recent years, the number of exposed vulnerabilities has grown rapidly, and more and more attacks have used these vulnerabilities, for example through different malware, to intrude on target computers. Malware detection has attracted more attention and still faces severe challenges. As malware detection based on traditional machine learning relies on experts’ experience to design efficient features to distinguish different malware, it causes a bottleneck in feature engineering, and finding efficient features is also time-consuming. Due to its promising ability to automatically propose and select significant features, deep learning has gradually become a research hotspot. In this paper, aiming to detect malicious payloads and identify their categories with high accuracy, we propose a packet-based malicious payload detection and identification algorithm based on an object detection deep learning network. A dataset of malicious payloads for code execution vulnerabilities has been constructed under the Metasploit framework and used to evaluate the performance of the proposed malware detection and identification algorithm. The experimental results demonstrate that the proposed object detection network can efficiently find and identify malicious payloads with high accuracy.
Journal Article
A Contrastive Dual-Task Framework for Few-Shot Traffic Classification in IoT Networks
2026
Classifying encrypted sensor traffic is critical for the security and management of Internet of Things networks, particularly in Mobile Edge Computing (MEC) environments. Existing methods often require extensive task-specific labeled data to adapt to emerging traffic categories and may also fail to distinguish intrinsic traffic behaviors from patterns introduced by shared communication libraries, which can degrade classification accuracy under distribution shifts. To address these issues, we propose CDTF, a contrastive dual-task framework for transferable and few-shot traffic representation learning. CDTF adopts a hybrid pre-training strategy that jointly optimizes supervised triplet pretraining (STP) and self-supervised dynamic burst masking (DBM). STP uses base-class labels as structural anchors to explicitly constrain distance relationships by aligning intra-class samples and separating inter-class samples, thereby mitigating interference from shared network components. DBM models global semantic structures and enhances the robustness of traffic representations against network noise and distribution shifts. By learning discriminative and contextual representations in a shared embedding space via these two tasks, CDTF can rapidly adapt to novel categories through lightweight fine-tuning, thereby substantially reducing the reliance on large-scale fine-grained supervision in downstream tasks. Experimental results across seven public and two custom datasets, across diverse environments, show that the proposed framework outperforms state-of-the-art methods. Under the few-shot setting, CDTF improves Precision by 4.61 percentage points over the strongest baseline, with statistical significance confirmed by a paired t-test (p<0.05).
Journal Article
A Novel Lightweight Anonymous Proxy Traffic Detection Method Based on Spatio-Temporal Features
2022
Anonymous proxies are used by criminals for illegal network activities, such as data theft and cyber attacks, due to their anonymity. Therefore, anonymous proxy traffic detection is essential for network security. In recent years, detection based on deep learning has become a hot research topic, since deep learning can automatically extract and select traffic features. To make (heterogeneous) network traffic adapt to the homogeneous input of typical deep learning algorithms, a major branch of existing studies converts network traffic into images for detection. However, such studies are commonly subject to the limitation of large-sized image representation of network traffic, resulting in very large storage and computational resource overhead. To address this limitation, a novel method for anonymous proxy traffic detection is proposed. The method is one of the solutions to reduce storage and computational resource overhead. Specifically, it converts the sequences of the size and inter-arrival time of the first N packets of a flow into images, and then categorizes the converted images using a one-dimensional convolutional neural network. Both proprietary and public datasets are used to validate the proposed method. The experimental results show that the converted images of the method are at least 90% smaller than those of existing image-based deep learning methods. With substantially smaller image sizes, the method can still achieve F1 scores up to 98.51% in Shadowsocks traffic detection and 99.8% in VPN traffic detection.
Journal Article
Machine Learning for Radio Resource Management in Multibeam GEO Satellite Systems
by Martinez, Ramon; Lagunas, Eva; Tarchi, Daniele
in Algorithms, Artificial intelligence, Bandwidths
2022
Satellite communications (SatComs) systems are facing a massive increase in traffic demand. However, this increase is not uniform across the service area due to the uneven distribution of users and diurnal changes in traffic demand. This problem is addressed by using flexible payload architectures, which allow payload resources to be flexibly allocated to meet the traffic demand of each beam. While optimization-based radio resource management (RRM) has shown significant performance gains, its intense computational complexity limits its practical implementation in real systems. In this paper, we discuss the architecture, implementation and applications of Machine Learning (ML) for resource management in multibeam GEO satellite systems. We mainly focus on two systems, one with power, bandwidth, and/or beamwidth flexibility, and the second with time flexibility, i.e., beam hopping. We analyze and compare different ML techniques that have been proposed for these architectures, emphasizing the use of Supervised Learning (SL) and Reinforcement Learning (RL). To this end, we define whether training should be conducted online or offline based on the characteristics and requirements of each proposed ML technique and discuss the most appropriate system architecture and the advantages and disadvantages of each approach.
Journal Article
Multi-Task Scenario Encrypted Traffic Classification and Parameter Analysis
2024
The widespread use of encrypted traffic poses challenges to network management and network security. Traditional machine learning-based methods for encrypted traffic classification no longer meet the demands of management and security. The application of deep learning technology in encrypted traffic classification significantly improves the accuracy of models. This study focuses primarily on encrypted traffic classification in the fields of network analysis and network security. To address the shortcomings of existing deep learning-based encrypted traffic classification methods in terms of computational memory consumption and interpretability, we introduce a Parameter-Efficient Fine-Tuning method for efficiently tuning the parameters of an encrypted traffic classification model. Experimentation is conducted on various classification scenarios, including Tor traffic service classification and malicious traffic classification, using multiple public datasets. Fair comparisons are made with state-of-the-art deep learning model architectures. The results indicate that the proposed method significantly reduces the scale of fine-tuning parameters and computational resource usage while achieving performance comparable to that of the existing best models. Furthermore, we interpret the learning mechanism of encrypted traffic representation in the pre-training model by analyzing the parameters and structure of the model. This comparison validates the hypothesis that the model exhibits hierarchical structure, clear organization, and distinct features.
Journal Article