ANOMALY DETECTION IN ENCRYPTED NETWORK TRAFFIC USING DEEP LEARNING

Authors

Підгорний, П., & Lavryk, T.

DOI:

https://doi.org/10.28925/2663-4023.2025.29.897

Keywords:

encrypted traffic, anomaly detection, deep learning, self-supervised learning, cybersecurity, ET SSL, CNN+LSTM, autoencoder, QUIC, zero-day attacks

Abstract

The increasing dominance of encrypted traffic in modern network communications poses significant challenges to cybersecurity monitoring, especially for traditional intrusion detection systems that rely on packet content inspection. This study addresses the problem of anomaly detection in encrypted traffic using deep learning approaches that analyze metadata without requiring decryption. A comprehensive experimental comparison of three architectures - Autoencoder, CNN+LSTM, and ET SSL (a contrastive self-supervised learning model) - was performed using three publicly available datasets: CIC-Darknet2020, UNSW-NB15, and QUIC-TLS, each representing diverse encrypted protocols and attack types. All datasets were preprocessed into flow-based formats with 75 standardized numerical features. The models were evaluated based on classification accuracy, F1 score, and false positive rate (FPR). The ET SSL model demonstrated the most consistent and superior performance, achieving up to 96.8% accuracy and 0.961 F1 score, with an FPR as low as 1.2%. CNN+LSTM achieved slightly lower but still competitive results, while the Autoencoder model exhibited limitations in adapting to high-level traffic obfuscation, especially in QUIC-based flows. Additionally, a hyperparameter sensitivity analysis was conducted to explore the influence of learning rate, time window size, and dropout regularization. The findings confirmed the critical role of adaptive configuration in optimizing model performance for specific deployment environments. For instance, lowering the learning rate improved accuracy but increased training time, while extending the temporal window improved F1 at the cost of computational overhead.

The empirical results substantiate the practical applicability of deep learning models for encrypted traffic monitoring without decryption. In particular, the ET SSL architecture stands out as a promising candidate for deployment in real-time threat detection systems due to its robustness, high generalization capability, and low false positive rate. Furthermore, its reliance on self-supervised learning allows for effective operation in scenarios with limited or no labeled data, making it especially suitable for detecting zero-day attacks. Future research directions include expanding the diversity of training datasets to reflect evolving encryption standards (e.g., Encrypted SNI, DoQ), integrating detection models into scalable, low-latency IDS/IPS environments, applying explainable AI (XAI) methods to increase trust and interpretability, and developing adversarially robust models. The presented findings serve as a foundation for the development of next-generation, adaptive, and context-aware cyber threat monitoring systems.
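As an added illustration (not the paper's code) of the decryption-free pipeline the abstract describes: flow features derived only from packet timing, direction and size, a baseline fitted on benign flows alone (no attack labels, as in the self-supervised setting), and the three reported metrics. The packet tuples, the flow generator and the z-score scorer are constructed stand-ins for the paper's 75-feature preprocessing and its deep models.

```python
from statistics import mean, pstdev

def flow_features(packets):
    """Metadata-only features for one flow; packets are (timestamp, direction, length). Payload is never read."""
    ts = [t for t, _, _ in packets]
    sizes = [n for _, _, n in packets]
    fwd = [n for _, d, n in packets if d == "out"]
    iat = [b - a for a, b in zip(ts, ts[1:])] or [0.0]
    return {"duration": ts[-1] - ts[0], "pkts": len(packets), "bytes_fwd": sum(fwd),
            "bytes_rev": sum(sizes) - sum(fwd), "mean_len": mean(sizes), "std_len": pstdev(sizes),
            "mean_iat": mean(iat), "fwd_ratio": len(fwd) / len(packets)}

def fit_baseline(rows):
    """Per-feature mean/std learned from benign flows only, i.e. without attack labels."""
    cols = {k: [r[k] for r in rows] for k in rows[0]}
    return {k: (mean(v), pstdev(v) or 1.0) for k, v in cols.items()}  # constant feature -> unit scale

def anomaly_score(feats, baseline):
    """Largest absolute z-score over features; a constructed stand-in for a deep model's anomaly score."""
    return max(abs(feats[k] - m) / s for k, (m, s) in baseline.items())

def evaluate(y_true, y_pred):
    """Accuracy, F1 and false positive rate, the three metrics the paper reports (1 = anomaly)."""
    pairs = list(zip(y_true, y_pred))
    tp, tn = pairs.count((1, 1)), pairs.count((0, 0))
    fp, fn = pairs.count((0, 1)), pairs.count((1, 0))
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    return {"accuracy": (tp + tn) / len(y_true),
            "f1": 2 * prec * rec / (prec + rec) if prec + rec else 0.0,
            "fpr": fp / (fp + tn) if fp + tn else 0.0}

def make_flow(pairs, out_len, in_len, gap):
    """Constructed request/response flow: `pairs` (out, in) packet pairs, `gap` seconds apart."""
    return [p for i in range(pairs) for p in ((2 * i * gap, "out", out_len), ((2 * i + 1) * gap, "in", in_len))]

def run_demo(threshold=3.0):
    """Fit on constructed benign flows, score held-out flows, return the three metrics."""
    train = [make_flow(4, 200, 1400, 0.05), make_flow(5, 180, 1300, 0.04),
             make_flow(3, 220, 1450, 0.06), make_flow(6, 190, 1350, 0.05)]
    baseline = fit_baseline([flow_features(f) for f in train])
    test = [(make_flow(4, 210, 1380, 0.05), 0), (make_flow(5, 200, 1400, 0.05), 0),
            (make_flow(8, 200, 1400, 0.05), 0),   # long but legitimate session: becomes a false positive
            (make_flow(30, 64, 64, 5.0), 1),      # periodic tiny packets every 5 s
            (make_flow(3, 60000, 60, 0.01), 1)]   # bulk outbound transfer
    preds = [int(anomaly_score(flow_features(f), baseline) > threshold) for f, _ in test]
    return evaluate([y for _, y in test], preds)

if __name__ == "__main__":
    print(run_demo())  # accuracy 0.8, F1 0.8, FPR 1/3 on the constructed flows
```

The longer benign session tripping the naive baseline is the kind of false positive the abstract's FPR metric is meant to expose; the deep models it compares are evaluated on exactly these three numbers.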

Published

2025-09-26

How to Cite

Підгорний, П., & Lavryk, T. (2025). ANOMALY DETECTION IN ENCRYPTED NETWORK TRAFFIC USING DEEP LEARNING. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 1(29), 525–535. https://doi.org/10.28925/2663-4023.2025.29.897