{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,13]],"date-time":"2026-07-13T12:47:53Z","timestamp":1783946873268,"version":"3.55.0"},"reference-count":39,"publisher":"SAGE Publications","issue":"6","license":[{"start":{"date-parts":[[2024,2,12]],"date-time":"2024-02-12T00:00:00Z","timestamp":1707696000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2024,11,20]]},"abstract":"<jats:p>Detecting encrypted malware traffic promptly to halt the further propagation of an attack is critical. Currently, machine learning becomes a key technique for extracting encrypted malware traffic patterns. However, due to the dynamic nature of network environments and the frequent updates of malware, current methods face the challenges of detecting unknown malware traffic in open-world environment. To address the issue, we introduce MVDet, a novel method that employs machine learning to mine the behavioral features of malware traffic based on multi-view analysis. Unlike traditional methods, MVDet innovatively characterizes the behavioral features of malware traffic at 4-tuple flows from four views: statistical view, DNS view, TLS view, and business view, which is a more stable feature representation capable of handling complex network environments and malware updates. Additionally, we achieve a short-time behavioral features construction, significantly reducing the time cost for feature extraction and malware detection. As a result, we can detect malware behavior at an early stage promptly. Our evaluation demonstrates that MVDet can detect a wide variety of known malware traffic and exhibits efficient and robust detection in both open-world and unknown malware scenarios. MVDet outperforms state-of-the-art methods in closed-world known malware detection, open-world known malware detection, and open-world unknown malware detection.<\/jats:p>","DOI":"10.3233\/jcs-230024","type":"journal-article","created":{"date-parts":[[2024,2,13]],"date-time":"2024-02-13T11:46:37Z","timestamp":1707824797000},"page":"533-555","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":8,"title":["MVDet: Encrypted malware traffic detection via multi-view analysis"],"prefix":"10.1177","volume":"32","author":[{"given":"Susu","family":"Cui","sequence":"first","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"},{"name":"School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Xueying","family":"Han","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"},{"name":"School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Cong","family":"Dong","sequence":"additional","affiliation":[{"name":"Zhongguancun Laboratory, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yun","family":"Li","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"},{"name":"School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Song","family":"Liu","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"},{"name":"School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zhigang","family":"Lu","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"},{"name":"School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yuling","family":"Liu","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"},{"name":"School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"179","published-online":{"date-parts":[[2024,2,12]]},"reference":[{"key":"ref001","doi-asserted-by":"publisher","DOI":"10.1145\/2996758.2996768"},{"key":"ref002","doi-asserted-by":"publisher","DOI":"10.1145\/3097983.3098163"},{"key":"ref003","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-017-0306-6"},{"key":"ref004","doi-asserted-by":"crossref","unstructured":"S.\u00a0Cui, C.\u00a0Dong, M.\u00a0Shen, Y.\u00a0Liu, B.\u00a0Jiang and Z.\u00a0Lu, CBSeq: A channel-level behavior sequence for encrypted malware traffic detection, 2023.","DOI":"10.1109\/TIFS.2023.3300521"},{"key":"ref005","doi-asserted-by":"publisher","DOI":"10.1109\/IWCMC.2014.6906427"},{"key":"ref006","unstructured":"D.\u00a0Desai, The state of encrypted attacks, zscaler 24 (retrieved February 2021, 2020)."},{"key":"ref007","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3071595"},{"key":"ref008","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484585"},{"key":"ref009","doi-asserted-by":"publisher","DOI":"10.1145\/2602945.2602949"},{"key":"ref010","doi-asserted-by":"publisher","DOI":"10.3390\/s22207791"},{"key":"ref011","doi-asserted-by":"publisher","DOI":"10.1109\/ICWR51868.2021.9443025"},{"key":"ref012","doi-asserted-by":"publisher","DOI":"10.3390\/app9163414"},{"key":"ref013","doi-asserted-by":"publisher","DOI":"10.1109\/CCWC54503.2022.9720753"},{"key":"ref014","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-16-0081-4_16"},{"key":"ref015","unstructured":"G.\u00a0Ke, Q.\u00a0Meng, T.\u00a0Finley, T.\u00a0Wang, W.\u00a0Chen, W.\u00a0Ma, Q.\u00a0Ye and T.\u00a0Liu, LightGBM: A highly efficient gradient boosting decision tree, in: Advances in Neural Information Processing Systems 30: Annual Conference on Neural Information Processing Systems 2017, Long Beach, CA, USA, December 4\u20139, 2017, I.\u00a0Guyon, U.\u00a0von Luxburg, S.\u00a0Bengio, H.M.\u00a0Wallach, R.\u00a0Fergus, S.V.N.\u00a0Vishwanathan and R.\u00a0Garnett, eds, 2017, pp.\u00a03146\u20133154."},{"key":"ref016","doi-asserted-by":"publisher","DOI":"10.1109\/ICTC55196.2022.9952872"},{"key":"ref017","unstructured":"A.H.\u00a0Lashkari, Y.\u00a0Zang, G.\u00a0Owhuo, M.\u00a0Mamun and G.\u00a0Gil, CICFlowMeter github, 2017."},{"key":"ref018","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-67090-0_8"},{"key":"ref019","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-79728-7_20"},{"key":"ref020","doi-asserted-by":"publisher","DOI":"10.1145\/3485447.3512217"},{"key":"ref021","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2019.8737507"},{"key":"ref022","doi-asserted-by":"publisher","DOI":"10.23919\/IFIPNetworking55013.2022.9829791"},{"key":"ref023","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23204"},{"key":"ref024","doi-asserted-by":"publisher","DOI":"10.3390\/app12010155"},{"key":"ref025","doi-asserted-by":"publisher","DOI":"10.1145\/3457904"},{"key":"ref026","doi-asserted-by":"publisher","DOI":"10.1109\/ISCC50000.2020.9219609"},{"key":"ref027","first-page":"108","volume":"1","author":"Sharafaldin I.","year":"2018","journal-title":"ICISSp"},{"key":"ref028","doi-asserted-by":"publisher","DOI":"10.1109\/CCST.2019.8888419"},{"key":"ref029","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2019.01.064"},{"key":"ref030","doi-asserted-by":"crossref","unstructured":"M.\u00a0Shen, K.\u00a0Ye, X.\u00a0Liu, L.\u00a0Zhu, J.\u00a0Kang, S.\u00a0Yu, Q.\u00a0Li and K.\u00a0Xu, Machine learning-powered encrypted network traffic analysis: A comprehensive survey, IEEE Communications Surveys & Tutorials (2022).","DOI":"10.1109\/COMST.2022.3208196"},{"key":"ref031","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3050608"},{"key":"ref032","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-99073-6_17"},{"key":"ref033","unstructured":"Stratosphere, Stratosphere laboratory datasets, 2015."},{"key":"ref034","doi-asserted-by":"publisher","DOI":"10.3390\/sym12091458"},{"key":"ref035","doi-asserted-by":"publisher","DOI":"10.1109\/SSCI50451.2021.9659955"},{"key":"ref036","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24412"},{"key":"ref037","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3035967"},{"key":"ref038","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102542"},{"key":"ref039","doi-asserted-by":"publisher","DOI":"10.1145\/3366423.3380090"}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-230024","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-230024","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-230024","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:51Z","timestamp":1777495551000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-230024"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,2,12]]},"references-count":39,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2024,11,20]]}},"alternative-id":["10.3233\/JCS-230024"],"URL":"https:\/\/doi.org\/10.3233\/jcs-230024","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,2,12]]}}}