{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T11:01:30Z","timestamp":1777806090974,"version":"3.51.4"},"reference-count":39,"publisher":"SAGE Publications","issue":"5","license":[{"start":{"date-parts":[[2019,7,17]],"date-time":"2019-07-17T00:00:00Z","timestamp":1563321600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2019,9,17]]},"abstract":"<jats:p>During the past years, deep packet inspection has been prevalent in network intrusion detection systems. Most solutions employ complex algorithms to analyze the intended behaviour and underlying characteristics of packets and their payloads, in an effort to detect and prevent malicious users and software from communicating over business intranets and wider networks. Still, there are multiple issues that inhibit their success rate. Most signature-based security software is plagued by false positives and\/or false negatives. On the other hand, behavioral-based solutions achieve better detection rates but need to analyze large amounts of traffic. In this article, we present a real-time network traffic monitoring system that implements machine learning over side channel characteristics of TCP network packets to distinguish normal from malicious TCP sessions, even when encryption is in place. We test in university networks and test multiple different types of traffic. 
We show that our approach (i)\u00a0requires notably less information to achieve similar (if not better) detection rates, (ii)\u00a0works over encrypted traffic as well, and (iii)\u00a0has notably low false positives and false negatives in everyday case study scenarios.<\/jats:p>","DOI":"10.3233\/jcs-191286","type":"journal-article","created":{"date-parts":[[2019,7,19]],"date-time":"2019-07-19T10:41:44Z","timestamp":1563532904000},"page":"507-520","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":10,"title":["Using side channel TCP features for real-time detection of malware connections"],"prefix":"10.1177","volume":"27","author":[{"given":"George","family":"Stergiopoulos","sequence":"first","affiliation":[{"name":"Information Security and Critical Infrastructure Protection (INFOSEC) Laboratory, Department of Informatics, Athens University of Economics and Business, Athens, Greece. E-mails:\u00a0,\u00a0,\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Georgia","family":"Chronopoulou","sequence":"additional","affiliation":[{"name":"Information Security and Critical Infrastructure Protection (INFOSEC) Laboratory, Department of Informatics, Athens University of Economics and Business, Athens, Greece. E-mails:\u00a0,\u00a0,\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Evangelos","family":"Bitsikas","sequence":"additional","affiliation":[{"name":"Information Security and Critical Infrastructure Protection (INFOSEC) Laboratory, Department of Informatics, Athens University of Economics and Business, Athens, Greece. 
E-mails:\u00a0,\u00a0,\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nikolaos","family":"Tsalis","sequence":"additional","affiliation":[{"name":"Information Security and Critical Infrastructure Protection (INFOSEC) Laboratory, Department of Informatics, Athens University of Economics and Business, Athens, Greece. E-mails:\u00a0,\u00a0,\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dimitris","family":"Gritzalis","sequence":"additional","affiliation":[{"name":"Information Security and Critical Infrastructure Protection (INFOSEC) Laboratory, Department of Informatics, Athens University of Economics and Business, Athens, Greece. E-mails:\u00a0,\u00a0,\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"179","published-online":{"date-parts":[[2019,7,17]]},"reference":[{"key":"ref001","doi-asserted-by":"crossref","unstructured":"C.\u00a0Alcaraz, L.\u00a0Cazorla and G.\u00a0Fernandez, Context-awareness using anomaly-based detectors for smart grid domains, in: International Conference on Risks and Security of Internet and Systems, Springer, 2014, pp.\u00a017\u201334.","DOI":"10.1007\/978-3-319-17127-2_2"},{"key":"ref002","unstructured":"J.\u00a0Beale, A.R.\u00a0Baker and J.\u00a0Esler, Snort: IDS and IPS Toolkit, Syngress, 2007."},{"key":"ref003","unstructured":"J.R.\u00a0Binkley and S.\u00a0Singh, An algorithm for anomaly-based botnet detection, in: SRUTI\u201906: Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet, 2006."},{"key":"ref004","doi-asserted-by":"publisher","DOI":"10.1109\/JSYST.2015.2487684"},{"key":"ref005","doi-asserted-by":"crossref","unstructured":"S.\u00a0Chen, R.\u00a0Wang, X.\u00a0Wang and K.\u00a0Zhang, Side-channel leaks in web applications: A reality today, a challenge tomorrow, in: 2010 IEEE Symposium on Security and Privacy, IEEE, 2010, pp.\u00a0191\u2013206. 
doi:10.1109\/SP.2010.20.","DOI":"10.1109\/SP.2010.20"},{"key":"ref006","unstructured":"Cisco, Encrypted Traffic Analytics, White paper, vol.\u00a0Cisco. (20, 2018."},{"key":"ref007","first-page":"6","volume":"5","author":"Cooke E.","year":"2005","journal-title":"SRUTI"},{"key":"ref008","doi-asserted-by":"publisher","DOI":"10.1145\/1198255.1198257"},{"key":"ref009","unstructured":"Ctu-13 dataset, Ctu University, Czech Republic, 2011, https:\/\/mcfp.felk.cvut.cz\/publicDatasets\/CTU-Malware-Capture-Botnet-1\/. Accessed: 2019-01-30."},{"key":"ref010","unstructured":"M.\u00a0Fontanini, Libtins: Packet crafting and sniffing library, 2016."},{"key":"ref011","unstructured":"S.\u00a0Franti\u0161ek, Detection of HTTPS malware traffic, 2017."},{"key":"ref012","unstructured":"General data protection regulation \u2013 gdpr, https:\/\/eur-lex.europa.eu\/eli\/reg\/2016\/679\/oj. Accessed: 2019-06-10."},{"key":"ref013","unstructured":"G.\u00a0Gu, P.\u00a0Porras and V.\u00a0Yegneswaran, Bothunter: Detecting malware infection through ids-driven dialog correlation, in: Proceedings of the 16th USENIX Security Symposium (Security\u201907), 2007."},{"key":"ref014","unstructured":"Hands-on network forensics \u2013 training pcap dataset from first 2015, www.first.org\/_assets\/conf2015\/networkforensics_virtualbox.zip. 
Accessed: 2019-01-30."},{"key":"ref015","unstructured":"D.\u00a0Kennedy, J.\u00a0O\u2019gorman, D.\u00a0Kearns and M.\u00a0Aharoni, Metasploit: The Penetration Tester\u2019s Guide, No Starch Press, 2011."},{"key":"ref016","doi-asserted-by":"crossref","unstructured":"J.\u00a0Kohout and T.\u00a0Pevny, Automatic discovery of web servers hosting similar applications, in: Proceedings of the 2015 IFIP\/IEEE International Symposium on Integrated Network Management, IM 2015, 2015, pp.\u00a01310\u20131315.","DOI":"10.1109\/INM.2015.7140487"},{"key":"ref017","doi-asserted-by":"crossref","unstructured":"A.\u00a0Lakhina, K.\u00a0Papagiannaki, M.\u00a0Crovella, C.\u00a0Diot, E.D.\u00a0Kolaczyk and N.\u00a0Taft, Structural analysis of network traffic flows, ACM SIGMETRICS Performance Evaluation Review (2004).","DOI":"10.1145\/1005686.1005697"},{"key":"ref018","doi-asserted-by":"crossref","unstructured":"J.\u00a0Liu, Y.\u00a0Fu, J.\u00a0Ming, Y.\u00a0Ren, L.\u00a0Sun and H.\u00a0Xiong, Effective and real-time in-app activity analysis in encrypted Internet traffic streams, in: Proceedings of the 23rd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, ACM, 2017, pp.\u00a0335\u2013344. 
doi:10.1145\/3097983.3098049.","DOI":"10.1145\/3097983.3098049"},{"key":"ref019","doi-asserted-by":"crossref","unstructured":"C.\u00a0Livadas, R.\u00a0Walsh, D.\u00a0Lapsley and W.T.\u00a0Strayer, Using machine learning techniques to identify botnet traffic, in: Proceedings \u2013 Conference on Local Computer Networks, LCN, 2006.","DOI":"10.1109\/LCN.2006.322210"},{"key":"ref020","doi-asserted-by":"crossref","unstructured":"J.\u00a0Loko\u010d, J.\u00a0Kohout, P.\u00a0\u010cech, T.\u00a0Skopal and T.\u00a0Pevn\u00fd, k-NN classification of malware in HTTPS traffic using the metric space approach, in: Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), pp.\u00a0131\u2013145, 2016.","DOI":"10.1007\/978-3-319-31863-9_10"},{"key":"ref021","unstructured":"W.\u00a0McKinney and PyData Development Team, Pandas \u2013 powerful python data analysis toolkit, 2015."},{"key":"ref022","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2015.2512235"},{"key":"ref023","unstructured":"Milicenso, ponmocup malware dataset (update 2012-10-07), http:\/\/security-research.dyndns.org\/pub\/botnet\/ponmocup\/analysis_2012-10-05\/analysis.txt. Accessed: 2019-01-30."},{"key":"ref024","unstructured":"Open Information Security Foundation, Suricata: Intrusion detection system and intrusion prevention system, Stable release: 4.0.5 \/ July 18, 2018."},{"key":"ref025","unstructured":"V.\u00a0Paxson, Zeek: Software network analysis framework, Stable release: 2.5.5 \/ August 28, 2018."},{"key":"ref026","unstructured":"Pcap file with powershell empire (tcp 8081) and ssl wrapped c2 (tcp 445) traffic from cert.se, https:\/\/drive.google.com\/open?id=0B7pTM0QU5apSdnF0Znp1Tko0ams https:\/\/www.cert.se\/2017\/09\/cert-se-tekniska-rad-med-anledning-av-det-aktuella-dataintrangsfallet-b-8322-16. 
Accessed: 2019-01-30."},{"key":"ref027","unstructured":"P.\u00a0Prasse, G.\u00a0Gruben, L.\u00a0Machlika, T.\u00a0Pevn\u00fd, M.\u00a0Sofka and T.\u00a0Scheffer, Malware detection by https traffic analysis, 2017."},{"key":"ref028","doi-asserted-by":"crossref","unstructured":"C.\u00a0Sanderson and R.\u00a0Curtin, Armadillo: A template-based C++ library for linear algebra, The Journal of Open Source Software (2016).","DOI":"10.21105\/joss.00026"},{"key":"ref029","unstructured":"Seladb, PcapPlusPlus: Multiplatform C++ network sniffing and packet parsing and crafting framework, Latest release: August 2018 Release (v18.08)."},{"key":"ref030","unstructured":"K.W.\u00a0Smith, Cython: A Guide for Python Programmers, O\u2019Reilly Media, Inc., 2015."},{"key":"ref031","doi-asserted-by":"crossref","unstructured":"R.\u00a0Sommer and V.\u00a0Paxson, Outside the closed world: On using machine learning for network intrusion detection, in: Proceedings \u2013 IEEE Symposium on Security and Privacy, 2010.","DOI":"10.1109\/SP.2010.25"},{"key":"ref032","unstructured":"D.\u00a0Song, Timing analysis of keystrokes and ssh timing attacks, in: Proc. of 10th USENIX Security Symposium, 2001, 2001."},{"key":"ref033","doi-asserted-by":"crossref","unstructured":"G.\u00a0Stergiopoulos, A.\u00a0Talavari, E.\u00a0Bitsikas and D.\u00a0Gritzalis, Automatic detection of various malicious traffic using side channel features on tcp packets, in: Computer Security, J.\u00a0Lopez, J.\u00a0Zhou and M.\u00a0Soriano, eds, Springer International Publishing, Cham, 2018, pp.\u00a0346\u2013362.","DOI":"10.1007\/978-3-319-99073-6_17"},{"key":"ref034","unstructured":"J.\u00a0Stretch, Scapy, Packetlife.net cheatsheets, 2017."},{"key":"ref035","doi-asserted-by":"crossref","unstructured":"C.\u00a0Taylor and J.\u00a0Alves-Foss, Nate \u2013 network analysis of anomalous traffic events, a low-cost approach, in: Proceedings of the 2001 Workshop on New Security Paradigms \u2013 NSPW \u201901, 2001, p.\u00a089. 
doi:10.1145\/508171.508186.","DOI":"10.1145\/508185.508186"},{"key":"ref036","unstructured":"J.\u00a0Terrell, K.\u00a0Jeffay, F.D.\u00a0Smith, L.\u00a0Zhang, H.\u00a0Shen, Z.\u00a0Zhu and A.\u00a0Nobel, Multivariate SVD analyses for network anomaly detection, in: (Poster) Proc. of ACM SIGCOMM, 2005."},{"key":"ref037","unstructured":"R.\u00a0Timofeev, Classification and regression trees (cart) theory and applications, Humboldt University, Berlin, 2004."},{"key":"ref038","doi-asserted-by":"crossref","unstructured":"C.V.\u00a0Wright, L.\u00a0Ballard, S.E.\u00a0Coull, F.\u00a0Monrose and G.M.\u00a0Masson, Spot me if you can: Uncovering spoken phrases in encrypted voip conversations, in: 2008 IEEE Symposium on Security and Privacy (Sp 2008), IEEE, 2008, pp.\u00a035\u201349. doi:10.1109\/SP.2008.21.","DOI":"10.1109\/SP.2008.21"},{"key":"ref039","doi-asserted-by":"crossref","unstructured":"T.F.\u00a0Yen and M.K.\u00a0Reiter, Traffic aggregation for malware detection, in: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Springer, 2008, pp.\u00a0207\u2013227. 
doi:10.1007\/978-3-540-70542-0_11.","DOI":"10.1007\/978-3-540-70542-0_11"}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191286","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-191286","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191286","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:19Z","timestamp":1777495519000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-191286"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,7,17]]},"references-count":39,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2019,9,17]]}},"alternative-id":["10.3233\/JCS-191286"],"URL":"https:\/\/doi.org\/10.3233\/jcs-191286","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,7,17]]}}}