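Computer science
Encryption
Intrusion detection system
Graph theory
Feature (linguistics)
Theoretical computer science
Data mining
Feature extraction
Pattern recognition (psychology)
Artificial intelligence
Computer security
Mathematics
Linguistics
Philosophy
Combinatorics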
Authors
Ying Han, Xinlei Wang, Mingshu He, Xiaojuan Wang, Shize Guo
Source
Journal: IEEE Internet of Things Journal
[Institute of Electrical and Electronics Engineers]
Date: 2024-01-30
Volume (Issue): 11 (10): 17589-17601
Identifier
DOI:10.1109/jiot.2024.3360039
Abstract
To ensure the privacy and security of Internet of Things data, encrypted transmission of data has become a common approach. However, this has also introduced limitations for the detection of malicious network flows, often requiring reliance on only a few selected features for categorizing malicious flows. In this paper, we proposed a novel Graph Integration Theory and applied it to construct graphs based solely on packet length sequences, aiming to enhance the detection capability of single-feature-based methods, such as packet length sequences. Our proposed approach not only demonstrated its applicability in binary and multi-class classification problems but also provided a detailed analysis of the underlying reasons for its effectiveness in detecting different types of attacks and in various classification networks. Additionally, we proposed the use of the Tree-Like structure to construct Traffic Interaction Graphs and verified that the Graph Integration Theory achieved excellent classification results in both the Tree-Like and Cross-Linked list structures. Specifically, the average detection accuracy achieved in the Tree-Like structure was 0.9842, while that in the Cross-Linked list structure was 0.9836. These results significantly outperformed those obtained using either the original graph structure or packet length sequences alone for detection. In the ten-class classification problem, the proposed approach achieved a detection accuracy of 0.8557, which was much higher than the accuracy of 0.6252 obtained using only packet length sequences, as well as the accuracy of 0.6634 obtained using only the original graph structure.