
Research Article
MVTBA: A Novel Hybrid Deep Learning Model for Encrypted Malicious Traffic Identification
@INPROCEEDINGS{10.1007/978-3-031-64954-7_4,
    author={Zuwei Fan and Shunliang Zhang},
    title={MVTBA: A Novel Hybrid Deep Learning Model for Encrypted Malicious Traffic Identification},
    proceedings={Security and Privacy in Communication Networks. 19th EAI International Conference, SecureComm 2023, Hong Kong, China, October 19-21, 2023, Proceedings, Part II},
    proceedings_a={SECURECOMM PART 2},
    year={2024},
    month={10},
    keywords={Encrypted malicious traffic Fine-grained identification Deep learning},
    doi={10.1007/978-3-031-64954-7_4}
}
- Zuwei Fan
- Shunliang Zhang
Year: 2024
SECURECOMM PART 2
Springer
DOI: 10.1007/978-3-031-64954-7_4
Abstract
Encryption technology protects data security and user privacy, but attackers can misuse it to evade detection techniques. To detect encrypted malicious traffic, deep-learning-based approaches attract increasing interest due to the manual feature engineering required by conventional machine-learning-based methods. However, existing deep-learning-based approaches suffer from insufficient traffic representation, especially in fine-grained identification. To this end, this paper proposes a hybrid deep learning model, MVTBA, that can achieve remarkable traffic representation by automatically extracting spatial-temporal features without decryption. MVTBA consists of two sub-networks: MViT and BiLSTM-Att. The local-global spatial features are extracted by MViT through convolutions and an Unfold-Transformer-Fold structure of the mobile vision transformer block. The temporal features are extracted by BiLSTM with Attention to represent the timing dependence between traffic bytes. Subsequently, the two separate feature vectors are fused with an optimal weight factor to obtain the temporal-spatial features, which are fed into the classifier for encrypted malicious traffic identification. Extensive experimental results show that the accuracy of MVTBA in binary classification is improved to 99.99%. Moreover, MVTBA significantly outperforms other benchmark deep learning methods in fine-grained malicious identification, especially in the context of small data samples.