Sort:
Open Access Research Article Issue
Enhanced Communication Behavior Recognition in Small Sample Contexts via MultiCenter Domain Adaptation (MCDA)
Tsinghua Science and Technology 2026, 31(5): 2337-2352
Published: 26 September 2025
Abstract PDF (5 MB) Collect
Downloads:77

The effectiveness of AI-driven cybersecurity threat detection heavily relies on extensive datasets for deep learning models. However, the scarcity of labeled samples poses a significant challenge to the applicability of deep learning technologies in this domain. To address this challenge, this paper proposes domain adaptation as a form of transfer learning, which leverages abundant labeled data from a source domain to enhance model training in the target domain. Specifically, this paper focuses on overfitting in small sample deep learning models for Advanced Persistent Threat (APT) communication behavior recognition, where traditional domain adaptation techniques have been proven by experimental results to be inadequate for this particular task. To overcome these challenges, we introduce the MultiCenter Domain Adaptation method (MCDA), which has been specifically designed to align with the distinct data distribution characteristics found in real-world communication datasets. Experimental results demonstrate that MCDA significantly improves model performance when addressing overfitting in small sample scenarios. Across various evaluation metrics, the proposed approach yields improvements ranging from 3.7% to 15.2%. As the scarcity of labeled samples is a prominent issue in various security analysis scenarios, our proposed MCDA approach serves as a valuable reference for enhancing threat detection models with limited labeled data.

Open Access Issue
DTA-HOC: Online HTTPS Traffic Service Identification Using DNS in Large-Scale Networks
Tsinghua Science and Technology 2020, 25(2): 239-254
Published: 02 September 2019
Abstract PDF (5.5 MB) Collect
Downloads:76

An increasing number of websites are making use of HTTPS encryption to enhance security and privacy for their users. However, HTTPS encryption makes it very difficult to identify the service over HTTPS flows, which poses challenges to network security management. In this paper we present DTA-HOC, a novel DNS-based two-level association HTTPS traffic online service identification method for large-scale networks, which correlates HTTPS flows with DNS flows using big data stream processing and association technologies to label the service in an HTTPS flow with a specific associated domain name. DTA-HOC has been specifically designed to address three practical challenges in the service identification process: domain name ambiguity, domain name query invisibility, and data association time window size contradictions. Several experiments on datasets collected from a 10-Gbps campus network are conducted alongside offline and online testing. Results show that DTA-HOC can achieve an average online association rate on HTTPS traffic of 83% and a generic accuracy of 86.16%. Its processing time for one minute of data is less than 20 seconds. These results indicate that DTA-HOC is an efficient method for online identification of services in HTTPS flows for large-scale networks. Moreover, our proposed method can contribute to the identification of other applications which make a Domain Name System (DNS) communication before establishing a connection.

Open Access Issue
An Anomalous Behavior Detection Model in Cloud Computing
Tsinghua Science and Technology 2016, 21(3): 322-332
Published: 13 June 2016
Abstract PDF (1.5 MB) Collect
Downloads:75

This paper proposes an anomalous behavior detection model based on cloud computing. Virtual Machines (VMs) are one of the key components of cloud Infrastructure as a Service (IaaS). The security of such VMs is critical to IaaS security. Many studies have been done on cloud computing security issues, but research into VM security issues, especially regarding VM network traffic anomalous behavior detection, remains inadequate. More and more studies show that communication among internal nodes exhibits complex patterns. Communication among VMs in cloud computing is invisible. Researchers find such issues challenging, and few solutions have been proposed—leaving cloud computing vulnerable to network attacks. This paper proposes a model that uses Software-Defined Networks (SDN) to implement traffic redirection. Our model can capture inter-VM traffic, detect known and unknown anomalous network behaviors, adopt hybrid techniques to analyze VM network behaviors, and control network systems. The experimental results indicate that the effectiveness of our approach is greater than 90%, and prove the feasibility of the model.

Total 3