{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T12:28:36Z","timestamp":1775737716653,"version":"3.50.1"},"reference-count":38,"publisher":"Oxford University Press (OUP)","issue":"5","license":[{"start":{"date-parts":[[2022,3,7]],"date-time":"2022-03-07T00:00:00Z","timestamp":1646611200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/academic.oup.com\/journals\/pages\/open_access\/funder_policies\/chorus\/standard_publication_model"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2018YFB0204301"],"award-info":[{"award-number":["2018YFB0204301"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Nature Science Foundation of China","doi-asserted-by":"publisher","award":["62072466"],"award-info":[{"award-number":["62072466"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Nature Science Foundation of China","doi-asserted-by":"publisher","award":["U1811462"],"award-info":[{"award-number":["U1811462"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100007085","name":"NUDT","doi-asserted-by":"publisher","award":["ZK19-38"],"award-info":[{"award-number":["ZK19-38"]}],"id":[{"id":"10.13039\/501100007085","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,5,19]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Traffic encrypted technology enables Internet users to protect their data secrecy, but it also brings a challenge to malicious package detection. 
To tackle this issue, researchers have investigated encrypted traffic analysis (ETA) in recent years. Existing works, however, only focus on the accuracy of malicious flow identification. Using ETA as a technical black box, they pay little attention to the internal details and explanation of models. In this paper, we, for the first time, introduce interpretable machine learning into ETA. We aim to provide a reasonable explanation for detection results, so as to enable one to understand and further trust network security analysts. We develop a complete analysis framework, named DEV-ETA (detection, explanation and verification of ETA). DEV-ETA applies post hoc interpretation methods to explain the detection results and verify the explanation using the joint distribution of support features on the dataset. We run thorough experiments to explain the detection result using three popular explanation approaches, namely SHAP, LIME and MSS, and we verify the explanation via the feature distribution plot. 
The experimental results show that our design can interpret the detection result of ETA model instead of just simply treating the model as a black box.<\/jats:p>","DOI":"10.1093\/comjnl\/bxac008","type":"journal-article","created":{"date-parts":[[2022,3,6]],"date-time":"2022-03-06T20:06:23Z","timestamp":1646597183000},"page":"1213-1227","source":"Crossref","is-referenced-by-count":12,"title":["DEV-ETA: An Interpretable Detection Framework for Encrypted Malicious Traffic"],"prefix":"10.1093","volume":"66","author":[{"given":"Luming","family":"Yang","sequence":"first","affiliation":[{"name":"College of Computer , National University of Defense Technology, Changsha, China"}]},{"given":"Shaojing","family":"Fu","sequence":"additional","affiliation":[{"name":"College of Computer , National University of Defense Technology, Changsha, China"}]},{"given":"Yongjun","family":"Wang","sequence":"additional","affiliation":[{"name":"College of Computer , National University of Defense Technology, Changsha, China"}]},{"given":"Kaitai","family":"Liang","sequence":"additional","affiliation":[{"name":"Delft University of Technology , Delft, Nederland"}]},{"given":"Fan","family":"Mo","sequence":"additional","affiliation":[{"name":"DBAPPSecurity Ltd , Hangzhou , China"}]},{"given":"Bo","family":"Liu","sequence":"additional","affiliation":[{"name":"DBAPPSecurity Ltd , Hangzhou , China"}]}],"member":"286","published-online":{"date-parts":[[2022,3,7]]},"reference":[{"key":"2023052000433844400_ref1","doi-asserted-by":"crossref","first-page":"35","DOI":"10.1145\/2996758.2996768","article-title":"Identifying encrypted malware traffic with contextual flow data","volume-title":"Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security (AISec \u201816)","author":"Anderson","year":"2016"},{"key":"2023052000433844400_ref2","doi-asserted-by":"crossref","first-page":"1723","DOI":"10.1145\/3097983.3098163","article-title":"Machine learning for encrypted malware traffic 
classification: accounting for noisy labels and non-stationarity","volume-title":"Proceedings of the 23rd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD \u201817)","author":"Anderson","year":"2017"},{"key":"2023052000433844400_ref3","doi-asserted-by":"crossref","first-page":"195","DOI":"10.1007\/s11416-017-0306-6","article-title":"Deciphering malware\u2019s use of tls (without decryption)","volume":"14","author":"Anderson","year":"2018","journal-title":"Journal of Computer Virology and Hacking Techniques"},{"key":"2023052000433844400_ref4","volume-title":"Explaining deep neural networks","author":"Camburu","year":"2020"},{"key":"2023052000433844400_ref5","article-title":"A survey of privacy-preserving techniques for encrypted traffic inspection over network middleboxes","volume":"abs\/2101.04338","author":"Poh","year":"2021","journal-title":"CoRR"},{"key":"2023052000433844400_ref6","first-page":"267","article-title":"Limitless http in an https world: Inferring the semantics of the https protocol without decryption","volume-title":"Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy (CODASPY 2019)","author":"Anderson","year":"2019"},{"key":"2023052000433844400_ref7","doi-asserted-by":"crossref","first-page":"379","DOI":"10.1145\/3355369.3355601","article-title":"Tls beyond the browser: Combining end host and network data to understand application behavior","volume-title":"Proceedings of the Internet Measurement Conference (IMC \u201819)","author":"Anderson","year":"2019"},{"key":"2023052000433844400_ref8","doi-asserted-by":"crossref","first-page":"131","DOI":"10.1007\/978-3-319-31863-9_10","article-title":"k-nn classification of malware in https traffic using the metric space approach","volume-title":"Intelligence and Security Informatics - 11th Pacific Asia Workshop (PAISI 2016)","author":"Loko\u010d","year":"2016"},{"key":"2023052000433844400_ref9","volume-title":"Malware detection by https traffic 
analysis","author":"Prasse","year":"2017"},{"key":"2023052000433844400_ref10","doi-asserted-by":"crossref","first-page":"130","DOI":"10.1016\/j.eswa.2019.01.064","article-title":"Feature analysis of encrypted malicious traffic","volume":"125","author":"Shekhawat","year":"2019","journal-title":"Expert Systems with Applications"},{"key":"2023052000433844400_ref11","first-page":"734","article-title":"Detecting anomalies in encrypted traffic via deep dictionary learning","volume-title":"39th IEEE Conference on Computer Communications (INFOCOM Workshops 2020)","author":"Xing","year":"2020"},{"key":"2023052000433844400_ref12","first-page":"1","article-title":"Poster: Feasibility of malware traffic analysis through tls-encrypted flow visualization","volume-title":"2020 IEEE 28th International Conference on Network Protocols (ICNP 2020)","author":"Kim","year":"2020"},{"key":"2023052000433844400_ref13","first-page":"2","article-title":"A comparative review of malware analysis and detection in https traffic","volume":"10","author":"Singh","year":"2020","journal-title":"International Journal of Computing and Digital Systems"},{"key":"2023052000433844400_ref14","article-title":"Distilling a neural network into a soft decision tree","volume-title":"Proceedings of the First International Workshop on Comprehensibility and Explanation in AI and ML 2017 co-located with 16th International Conference of the Italian Association for Artificial Intelligence (AI*IA 2017)","author":"Frosst","year":"2017"},{"key":"2023052000433844400_ref15","first-page":"1563","article-title":"Global model interpretation via recursive partitioning","volume-title":"20th IEEE International Conference on High Performance Computing and Communications; 16th IEEE International Conference on Smart City; 4th IEEE International Conference on Data Science and Systems (HPCC\/SmartCity\/DSS 
2018)","author":"Yang","year":"2018"},{"key":"2023052000433844400_ref16","doi-asserted-by":"crossref","first-page":"279","DOI":"10.1145\/3306618.3314230","article-title":"Global explanations of neural networks: Mapping the landscape of predictions","volume-title":"Proceedings of the 2019 AAAI\/ACM Conference on AI, Ethics, and Society (AIES \u201819)","author":"Ibrahim","year":"2019"},{"key":"2023052000433844400_ref17","doi-asserted-by":"crossref","first-page":"1135","DOI":"10.1145\/2939672.2939778","article-title":"\u201cwhy should i trust you?\u201d: Explaining the predictions of any classifier","volume-title":"Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD \u201816)","author":"Ribeiro","year":"2016"},{"key":"2023052000433844400_ref18","first-page":"4765","article-title":"A unified approach to interpreting model predictions","volume-title":"Advances in Neural Information Processing Systems 30: Annual Conference on Neural Information Processing Systems 2017 (NIPS 2017)","author":"Lundberg","year":"2017"},{"key":"2023052000433844400_ref19","first-page":"307","article-title":"A value for n-person games","volume":"2","author":"Shapley","year":"1953","journal-title":"Contributions to the Theory of Games"},{"key":"2023052000433844400_ref20","first-page":"25","article-title":"Consistent individualized feature attribution for tree ensembles","volume":"5","author":"Lundberg","journal-title":"Methods"},{"key":"2023052000433844400_ref21","doi-asserted-by":"crossref","first-page":"2522","DOI":"10.1038\/s42256-019-0138-9","article-title":"From local explanations to global understanding with explainable ai for trees","volume":"2","author":"Lundberg","year":"2020","journal-title":"Nature Machine Intelligence"},{"key":"2023052000433844400_ref22","first-page":"567","article-title":"What made you do this? 
understanding black-box decisions with sufficient input subsets","volume-title":"The 22nd International Conference on Artificial Intelligence and Statistics (AISTATS 2019)","author":"Carter","year":"2019"},{"key":"2023052000433844400_ref23","first-page":"618","volume-title":"Grad-cam: Visual explanations from deep networks via gradient-based localization","author":"Selvaraju","year":"2017"},{"key":"2023052000433844400_ref24","first-page":"839","volume-title":"Grad-cam++: Generalized gradient-based visual explanations for deep convolutional networks","author":"Chattopadhay","year":"2018"},{"key":"2023052000433844400_ref25","author":"David McGrew","year":"2020"},{"key":"2023052000433844400_ref26","first-page":"278","article-title":"Random decision forests","volume-title":"Third International Conference on Document Analysis and Recognition (ICDAR 1995)","author":"Ho","year":"1995"},{"key":"2023052000433844400_ref27","doi-asserted-by":"crossref","first-page":"785","DOI":"10.1145\/2939672.2939785","article-title":"Xgboost: A scalable tree boosting system","volume-title":"Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD \u201816)","author":"Chen","year":"2016"},{"key":"2023052000433844400_ref28","first-page":"1189","article-title":"Greedy function approximation: A gradient boosting machine","volume":"29","author":"Friedman","year":"2000","journal-title":"The Annals of Statistics"},{"key":"2023052000433844400_ref29","volume-title":"Tree boosting with xgboost-why does xgboost win \u201devery\u201d machine learning competition?","author":"Nielsen","year":"2016"},{"key":"2023052000433844400_ref30","first-page":"55","article-title":"Ridge regression: Biased estimation for nonorthogonal problems","volume":"12","author":"Hoerl","year":"1970","journal-title":"Dent. 
Tech."},{"key":"2023052000433844400_ref31","author":"Molnar","year":"2018"},{"key":"2023052000433844400_ref32","doi-asserted-by":"crossref","first-page":"321","DOI":"10.1613\/jair.953","article-title":"Smote: synthetic minority over-sampling technique","volume":"16","author":"Chawla","year":"2002","journal-title":"Journal of artificial intelligence research"},{"key":"2023052000433844400_ref33","article-title":"Transport layer security (tls) extensions. RFC 3546. Internet Engineering Task Force","author":"Blake-Wilson","year":"2003"},{"key":"2023052000433844400_ref34","volume-title":"The transport layer security (tls) protocol version 1.1. RFC 3436","author":"Dierks","year":"2006"},{"key":"2023052000433844400_ref35","doi-asserted-by":"crossref","DOI":"10.17487\/rfc5077","article-title":"Transport layer security (tls) session resumption without server-side state","author":"Salowey","year":"2008"},{"key":"2023052000433844400_ref36","volume-title":"The tls protocol version 1.0. RFC 2246","author":"Dierks","year":"1999"},{"key":"2023052000433844400_ref37","doi-asserted-by":"crossref","DOI":"10.17487\/rfc5246","volume-title":"The transport layer security (tls) protocol version 1.2","author":"Dierks","year":"2008"},{"key":"2023052000433844400_ref38","doi-asserted-by":"crossref","DOI":"10.17487\/RFC8446","volume-title":"The transport layer security (tls) protocol version 1.3","author":"Rescorla","year":"2018"}],"container-title":["The Computer 
Journal"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/66\/5\/1213\/50397336\/bxac008.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/66\/5\/1213\/50397336\/bxac008.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,5,20]],"date-time":"2023-05-20T00:44:20Z","timestamp":1684543460000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/comjnl\/article\/66\/5\/1213\/6543491"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,3,7]]},"references-count":38,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2022,3,7]]},"published-print":{"date-parts":[[2023,5,19]]}},"URL":"https:\/\/doi.org\/10.1093\/comjnl\/bxac008","relation":{},"ISSN":["0010-4620","1460-2067"],"issn-type":[{"value":"0010-4620","type":"print"},{"value":"1460-2067","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2023,5]]},"published":{"date-parts":[[2022,3,7]]}}}