{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,21]],"date-time":"2026-05-21T17:30:35Z","timestamp":1779384635439,"version":"3.53.1"},"reference-count":37,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2025,7,17]],"date-time":"2025-07-17T00:00:00Z","timestamp":1752710400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"XJTLU AI University Research Center, Jiangsu Province Engineering Research Center of Data Science and Cognitive Computation at XJTLU, and SIP AI innovation platform","award":["YZCXPT2022103"],"award-info":[{"award-number":["YZCXPT2022103"]}]},{"name":"XJTLU AI University Research Center, Jiangsu Province Engineering Research Center of Data Science and Cognitive Computation at XJTLU, and SIP AI innovation platform","award":["RDF-21-02-012"],"award-info":[{"award-number":["RDF-21-02-012"]}]},{"name":"XJTLU AI University Research Center, Jiangsu Province Engineering Research Center of Data Science and Cognitive Computation at XJTLU, and SIP AI innovation platform","award":["TDF21\/22-R24-177"],"award-info":[{"award-number":["TDF21\/22-R24-177"]}]},{"name":"XJTLU Research Development Funding","award":["YZCXPT2022103"],"award-info":[{"award-number":["YZCXPT2022103"]}]},{"name":"XJTLU Research Development Funding","award":["RDF-21-02-012"],"award-info":[{"award-number":["RDF-21-02-012"]}]},{"name":"XJTLU Research Development Funding","award":["TDF21\/22-R24-177"],"award-info":[{"award-number":["TDF21\/22-R24-177"]}]},{"name":"XJTLU Teaching Development Funding","award":["YZCXPT2022103"],"award-info":[{"award-number":["YZCXPT2022103"]}]},{"name":"XJTLU Teaching Development Funding","award":["RDF-21-02-012"],"award-info":[{"award-number":["RDF-21-02-012"]}]},{"name":"XJTLU Teaching Development Funding","award":["TDF21\/22-R24-177"],"award-info":[{"award-number":["TDF21\/22-R24-177"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCP"],"abstract":"<jats:p>With the increasing sophistication of network attacks, machine learning (ML)-based methods have showcased promising performance in attack detection. However, ML-based methods often suffer from high false rates when tackling encrypted malicious traffic. To break through these bottlenecks, we propose EFTransformer, an encrypted flow transformer framework which inherits semantic perception and multi-scale feature fusion, can robustly and efficiently detect encrypted malicious traffic, and make up for the shortcomings of ML in the context of modeling ability and feature adequacy. EFTransformer introduces a channel-level extraction mechanism based on quintuples and a noise-aware clustering strategy to enhance the recognition ability of traffic patterns; adopts a dual-channel embedding method, using Word2Vec and FastText to capture global semantics and subword-level changes; and uses a Transformer-based classifier and attention pooling module to achieve dynamic feature-weighted fusion, thereby improving the robustness and accuracy of malicious traffic detection. Our systematic experiments on the ISCX2012 dataset demonstrate that EFTransformer achieves the best detection performance, with an accuracy of up to 95.26%, a false positive rate (FPR) of 6.19%, and a false negative rate (FNR) of only 5.85%. These results show that EFTransformer achieves high detection performance against encrypted malicious traffic.<\/jats:p>","DOI":"10.3390\/jcp5030047","type":"journal-article","created":{"date-parts":[[2025,7,17]],"date-time":"2025-07-17T11:25:17Z","timestamp":1752751517000},"page":"47","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["A Multi-Feature Semantic Fusion Machine Learning Architecture for Detecting Encrypted Malicious Traffic"],"prefix":"10.3390","volume":"5","author":[{"given":"Shiyu","family":"Tang","sequence":"first","affiliation":[{"name":"School of Advanced Technology, Xi\u2019an Jiaotong-Liverpool University, Suzhou 215123, China"},{"name":"Jiangsu Future Networks Innovation Institute, Nanjing 211111, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2655-9307","authenticated-orcid":false,"given":"Fei","family":"Du","sequence":"additional","affiliation":[{"name":"School of Advanced Technology, Xi\u2019an Jiaotong-Liverpool University, Suzhou 215123, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zulong","family":"Diao","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan 411201, China"},{"name":"Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7363-9695","authenticated-orcid":false,"given":"Wenjun","family":"Fan","sequence":"additional","affiliation":[{"name":"School of Advanced Technology, Xi\u2019an Jiaotong-Liverpool University, Suzhou 215123, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2025,7,17]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Aas, J., Barnes, R., Case, B., Durumeric, Z., Eckersley, P., Flores-L\u00f3pez, A., Halderman, J.A., Hoffman-Andrews, J., Kasten, J., and Rescorla, E. (2019, January 11\u201315). Let\u2019s Encrypt: An automated certificate authority to encrypt the entire web. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK.","DOI":"10.1145\/3319535.3363192"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3457904","article-title":"A survey on encrypted network traffic analysis applications, techniques, and countermeasures","volume":"54","author":"Papadogiannaki","year":"2021","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"ref_3","first-page":"1","article-title":"A Survey and Analysis of TLS Interception Mechanisms and Motivations: Exploring how end-to-end TLS is made \u201cend-to-me\u201d for web traffic","volume":"55","year":"2023","journal-title":"ACM Comput. Surv."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Alwhbi, I.A., Zou, C.C., and Alharbi, R.N. (2024). Encrypted network traffic analysis and classification utilizing machine learning. Sensors, 24.","DOI":"10.3390\/s24113509"},{"key":"ref_5","first-page":"1","article-title":"A Survey of TLS Traffic Analysis and Detection Techniques","volume":"53","author":"Wang","year":"2020","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Fernandes, S., Antonello, R., Lacerda, T., Santos, A., Sadok, D., and Westholm, T. (2009, January 19\u201325). Slimming down deep packet inspection systems. Proceedings of the IEEE INFOCOM Workshops 2009, Rio De Janeiro, Brazil.","DOI":"10.1109\/INFCOMW.2009.5072188"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"2334","DOI":"10.1109\/TNET.2018.2868816","article-title":"Bitcoding: Network traffic classification through encoded bit level signatures","volume":"26","author":"Hubballi","year":"2018","journal-title":"IEEE\/ACM Trans. Netw."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Liu, J., Fan, W., Dai, Y., Lim, E.G., Pan, Z., and Lisitsa, A. (2024, January 17\u201321). Leveraging semi-supervised learning for enhancing anomaly-based ids in automotive ethernet. Proceedings of the IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Sanya, China.","DOI":"10.1109\/TrustCom63139.2024.00216"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Liu, J., Fan, W., Dai, Y., Lim, E.G., and Lisitsa, A. (2024, January 17\u201320). A lightweight and responsive on-line ids towards intelligent connected vehicles system. Proceedings of the 43rd International Conference on Computer Safety, Reliability, and Security, Florence, Italy.","DOI":"10.1007\/978-3-031-68606-1_12"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"676","DOI":"10.1016\/j.dcan.2022.09.009","article-title":"Network traffic classification: Techniques, datasets, and challenges","volume":"10","author":"Azab","year":"2024","journal-title":"Digit. Commun. Netw."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Anderson, B., and McGrew, D. (2017, January 13\u201317). Machine learning for encrypted malware traffic classification: Accounting for noisy labels and non-stationarity. Proceedings of the 23rd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Halifax, NS, Canada.","DOI":"10.1145\/3097983.3098163"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"30387","DOI":"10.1109\/ACCESS.2020.2973023","article-title":"An unsupervised deep learning model for early network traffic anomaly detection","volume":"8","author":"Hwang","year":"2020","journal-title":"IEEE Access"},{"key":"ref_13","unstructured":"Black, V.C. (2020). The Value of Threat Visibility in the Age of Encryption, VMware. Technical Report; White Paper."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Benabderrahmane, S., Valtchev, P., Cheney, J., and Rahwan, T. (2025). APT-LLM: Embedding-Based Anomaly Detection of Cyber Advanced Persistent Threats Using Large Language Models. arXiv.","DOI":"10.1109\/ISDFS65363.2025.11011912"},{"key":"ref_15","unstructured":"Zhang, H., Sediq, A.B., Afana, A., and Erol-Kantarci, M. (2024). Generative ai-in-the-loop: Integrating llms and gpts into the next generation networks. arXiv."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"103792","DOI":"10.1016\/j.cose.2024.103792","article-title":"A Comprehensive Survey on Cyber Deception Techniques to Improve Honeypot Performance","volume":"140","author":"Javadpour","year":"2024","journal-title":"Comput. Secur."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"101941","DOI":"10.1016\/j.cose.2020.101941","article-title":"An anomaly detection framework for cyber-security data","volume":"97","author":"Evangelou","year":"2020","journal-title":"Comput. Secur."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"76","DOI":"10.1109\/MCOM.2019.1800819","article-title":"Deep learning for encrypted traffic classification: An overview","volume":"57","author":"Rezaei","year":"2019","journal-title":"IEEE Commun. Mag."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"453","DOI":"10.1007\/s10462-021-10037-9","article-title":"A survey on intrusion detection system: Feature selection, model, performance measures, application perspective, challenges, and future research directions","volume":"55","author":"Thakkar","year":"2022","journal-title":"Artif. Intell. Rev."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"5011","DOI":"10.1109\/TIFS.2023.3300521","article-title":"CBSeq: A channel-level behavior sequence for encrypted malware traffic detection","volume":"18","author":"Cui","year":"2023","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"110984","DOI":"10.1016\/j.comnet.2024.110984","article-title":"A survey on encrypted network traffic: A comprehensive survey of identification\/classification techniques, challenges, and future directions","volume":"257","author":"Sharma","year":"2025","journal-title":"Comput. Netw."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1007\/s10922-021-09589-6","article-title":"As-ids: Anomaly and signature based ids for the internet of things","volume":"29","author":"Otoum","year":"2021","journal-title":"J. Netw. Syst. Manag."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"104016","DOI":"10.1016\/j.cose.2024.104016","article-title":"A survey of large language models for cyber threat detection","volume":"145","author":"Chen","year":"2024","journal-title":"Comput. Secur."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"8462","DOI":"10.1080\/03772063.2024.2387293","article-title":"Security Assessment Framework for DDoS Attack Detection via Deep Learning","volume":"70","author":"Misbha","year":"2024","journal-title":"IETE J. Res."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"1125","DOI":"10.1007\/s10207-023-00682-2","article-title":"A systematic literature review for network intrusion detection system (IDS)","volume":"22","author":"Abdulganiyu","year":"2023","journal-title":"Int. J. Inf. Secur."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Fu, C., Li, Q., Xu, K., and Wu, J. (2023, January 26\u201330). Point cloud analysis for ML-based malicious traffic detection: Reducing majorities of false positive alarms. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, Copenhagen, Denmark.","DOI":"10.1145\/3576915.3616631"},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"19","DOI":"10.1016\/j.jnca.2015.11.016","article-title":"A survey of network anomaly detection techniques","volume":"60","author":"Ahmed","year":"2016","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_28","unstructured":"Aghaei, E., Niu, X., Shadid, W., and Al-Shaer, E. (2022, January 17\u201319). Securebert: A domain-specific language model for cybersecurity. Proceedings of the 18th EAI International Conference on Security and Privacy in Communication Networks, Kansas City, MO, USA."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"78","DOI":"10.1016\/j.dcan.2016.07.004","article-title":"Visible light communication: Applications, architecture, standardization and research challenges","volume":"3","author":"Khan","year":"2017","journal-title":"Digit. Commun. Netw."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"7550","DOI":"10.1109\/ACCESS.2020.3048198","article-title":"Intrusion detection of imbalanced network traffic based on machine learning and deep learning","volume":"9","author":"Liu","year":"2020","journal-title":"IEEE Access"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Fu, C., Li, Q., Shen, M., and Xu, K. (2021, January 15\u201319). Realtime robust malicious traffic detection via frequency domain analysis. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event.","DOI":"10.1145\/3460120.3484585"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Ji, I.H., Lee, J.H., Kang, M.J., Park, W.J., Jeon, S.H., and Seo, J.T. (2024). Artificial intelligence-based anomaly detection technology over encrypted traffic: A systematic literature review. Sensors, 24.","DOI":"10.3390\/s24030898"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Albasheer, H., Md Siraj, M., Mubarakali, A., Elsier Tayfour, O., Salih, S., Hamdan, M., Khan, S., Zainal, A., and Kamarudeen, S. (2022). Cyber-attack prediction based on network intrusion detection systems for alert correlation techniques: A survey. Sensors, 22.","DOI":"10.3390\/s22041494"},{"key":"ref_34","unstructured":"Shiravi, A., Shiravi, H., Tavallaee, M., and Ghorbani, A.A. (2025, April 27). Intrusion Detection Evaluation Dataset (ISCXIDS2012). Available online: https:\/\/www.unb.ca\/cic\/datasets\/ids.html."},{"key":"ref_35","unstructured":"Lashkari, A.H., Draper-Gil, G., Mamun, M.S.I., and Ghorbani, A.A. (2017, January 19\u201321). Characterization of Tor Traffic Using Time Based Features. Proceedings of the 3rd International Conference on Information Systems Security and Privacy (ICISSP), Porto, Portugal."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"499","DOI":"10.1007\/978-1-4614-6154-8_49","article-title":"An Effective Technique for Intrusion Detection Using Neuro-Fuzzy and Radial SVM Classifier","volume":"Volume 131","author":"Chandrasekhar","year":"2013","journal-title":"Computer Networks & Communications (NetCom)"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Yin, Y., Jang-Jaccard, J., Sabrina, F., and Kwak, J. (2023, January 24\u201326). Improving Multilayer-Perceptron (MLP)-based Network Anomaly Detection with Birch Clustering on CICIDS-2017 Dataset. Proceedings of the IEEE 26th International Conference on Computer Supported Cooperative Work in Design (CSCWD), Rio de Janeiro, Brazil.","DOI":"10.1109\/CSCWD57460.2023.10152640"}],"container-title":["Journal of Cybersecurity and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/5\/3\/47\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T18:11:01Z","timestamp":1760033461000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/5\/3\/47"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7,17]]},"references-count":37,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2025,9]]}},"alternative-id":["jcp5030047"],"URL":"https:\/\/doi.org\/10.3390\/jcp5030047","relation":{},"ISSN":["2624-800X"],"issn-type":[{"value":"2624-800X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,7,17]]}}}