MODELING NEUROVIRUS CAMPAIGNS IN NETWORK TRAFFIC BASED ON A COMBINATION OF STREAM, LOG AND BYTE FEATURES

DOI: 10.31673/2409-7292.2025.032156

Authors

  • Khokhlachova Yu.Ye. (Ю. Є. Хохлачова), State University of Trade and Economics, Kyiv, Ukraine
  • Florov S.V. (С. В. Флоров), University of Customs and Finance, Dnipro, Ukraine
  • Cherkaskyi O.V. (О. В. Черкаський), University of Customs and Finance, Dnipro, Ukraine
  • Cherkaskyi D.O. (Д. О. Черкаський), University of Customs and Finance, Dnipro, Ukraine
  • Peremetchik D.O. (Д. О. Переметчик), University of Customs and Finance, Dnipro, Ukraine
  • Bilan M.V. (М. В. Білан), University of Customs and Finance, Dnipro, Ukraine

Abstract

The paper investigates the detection of "neuroviruses": malicious software structures that combine classical network techniques with machine-learning components for obfuscation and adaptation. The goal is to raise the detection accuracy for new and hidden attacks in network traffic by jointly analysing data of different natures: aggregated flows (NetFlow), detailed records from the Zeek network analyser, logs of security information and event management (SIEM) systems, and byte artifacts of firmware. Two architectures are proposed: a convolutional plus recurrent network (CNN+LSTM) for modelling time sequences, and an autoencoder with long short-term memory (AE+LSTM) for unsupervised anomaly detection. Byte sequences are converted into fixed-dimension grayscale images with the Byte2Image method, which unifies the processing of TLS/SSL and SNMP artifacts, including those taken from vulnerable network-hardware firmware. The method includes time-window synchronization of the sources, class balancing, and training with a loss function weighted by the cost of each error type. Experiments on NetFlow, Zeek and SIEM subsets reproduce hybrid attack scenarios: covert scanning, TLS control channels with protocol downgrade, exploitation of SNMPv2c with default community strings, and firmware injection. Compared with baseline methods (Random Forest, Isolation Forest, recurrent neural networks), the integral F1 score for previously unseen attack families rises to 0.94 and the average real-time response delay falls by 27%. The architecture is consistent with Zero Trust principles, supports correlation with the MITRE ATT&CK matrix, and is reproducible. The practical contribution is greater resilience of operator and corporate networks to hybrid attack waves, together with a regulated package consisting of the methodology, model specification, data map, test protocol and topology drawing. The results can serve as a basis for automating access policies, adaptive telemetry selection, and integration with threat-intelligence platforms.
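As an added illustration of the Byte2Image step and of the SNMP artifact it is applied to (example code written for this page, not the authors' implementation): a constructed SNMPv2c GetRequest is built, its community string is recovered with a minimal BER decoder and compared against factory defaults, and the same bytes are laid out as an 8x8 grayscale image. The 8x8 size, the truncate-or-zero-pad resizing and the default-community list are assumptions; the abstract only states that the images have fixed dimensions.

```python
"""
Byte2Image-style conversion of a protocol artifact into a fixed-size grayscale
image, applied to a constructed SNMPv2c GetRequest whose community string is
also recovered with a minimal BER decoder. Example code written for this page,
not the authors' implementation. Assumptions: an 8x8 image, truncate-or-zero-pad
resizing, and {"public", "private"} as the set of default community strings.
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # assumed list of factory defaults
SNMP_VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def ber_tlv(tag, payload):
    """Encode one BER TLV with a short-form length (payload shorter than 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(payload)]) + payload


def build_snmpv2c_get(community, oid, request_id=1):
    """Constructed SNMPv2c GetRequest: SEQUENCE { version, community, GetRequest-PDU }."""
    varbind = ber_tlv(0x30, ber_tlv(0x06, oid) + ber_tlv(0x05, b""))   # { OID, NULL }
    pdu = ber_tlv(0xA0,                                               # GetRequest-PDU
                  ber_tlv(0x02, bytes([request_id]))                  # request-id
                  + ber_tlv(0x02, b"\x00")                            # error-status
                  + ber_tlv(0x02, b"\x00")                            # error-index
                  + ber_tlv(0x30, varbind))                           # VarBindList
    return ber_tlv(0x30,
                   ber_tlv(0x02, b"\x01")                             # version 1 == SNMPv2c
                   + ber_tlv(0x04, community.encode())
                   + pdu)


def ber_read(buf, pos):
    """Decode the TLV at pos (short or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def snmp_version_and_community(msg):
    """Return (version name, community) for v1/v2c; (version, None) for v3, which has no community."""
    tag, body, _ = ber_read(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = ber_read(body, 0)
    version = SNMP_VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    if version not in ("SNMPv1", "SNMPv2c"):
        return version, None
    _, community, _ = ber_read(body, pos)
    return version, community.decode("ascii", errors="replace")


def uses_default_community(msg):
    """Detection check: community-based SNMP carrying a factory-default community string."""
    _, community = snmp_version_and_community(msg)
    return community is not None and community in DEFAULT_COMMUNITIES


def byte2image(data, width=8, height=8):
    """One byte -> one grayscale pixel (0..255); truncate or zero-pad to width*height, row-major."""
    n = width * height
    flat = list(data[:n]) + [0] * max(0, n - len(data))
    return [flat[r * width:(r + 1) * width] for r in range(height)]


SYS_DESCR_0 = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])  # OID 1.3.6.1.2.1.1.1.0
SAMPLE_GET = build_snmpv2c_get("public", SYS_DESCR_0)                    # constructed 40-byte artifact

if __name__ == "__main__":
    print(snmp_version_and_community(SAMPLE_GET), uses_default_community(SAMPLE_GET))
    for row in byte2image(SAMPLE_GET):
        print(" ".join(f"{px:02x}" for px in row))
```

Only the standard library is used, so the same function can be pointed at TLS records or a firmware slice; the 64-pixel image is deliberately small, and the rows after the 40th byte are zero padding, which a model must not learn as a "feature" of short messages.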
Keywords: neurovirus, multimodal neural networks, convolutional and recurrent model, autoencoder, Byte2Image, NetFlow, Zeek, security information and event management system, intrusion detection system, Zero Trust, SNMP, firmware attacks.
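The time-window synchronization, class balancing and cost-weighted loss named in the abstract, as an added worked example (written for this page, not the authors' implementation) over constructed NetFlow, Zeek conn.log and RFC 5424 SIEM records. The 60-second window, the capture start time, the per-window feature set and the 3:1 miss-to-false-alarm cost ratio are assumptions.

```python
"""
Time-window synchronization of NetFlow, Zeek conn.log and SIEM records into one
feature vector per window, plus class balancing and a cost-weighted loss, as an
illustration of the method steps named in the abstract. Example code written for
this page, not the authors' implementation. All records are constructed; the
60-second window, the start time, the feature set and the cost ratio are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
import math

T0 = 1700000000          # assumed start of the capture (2023-11-14T22:13:20Z)
WINDOW_S = 60            # assumed window length in seconds

# Constructed NetFlow-style flows: (start epoch s, src, dst, dst port, bytes)
NETFLOW = [
    (1700000005, "10.0.0.5", "10.0.0.20", 161, 120),
    (1700000010, "10.0.0.5", "10.0.0.21", 161, 120),
    (1700000040, "10.0.0.5", "10.0.0.22", 22, 60),
    (1700000075, "10.0.0.9", "93.184.216.34", 443, 4200),
]
# Constructed Zeek conn.log fields: (ts, uid, id.orig_h, id.resp_h, proto, conn_state)
ZEEK_CONN = [
    (1700000005.2, "CkA1", "10.0.0.5", "10.0.0.20", "udp", "SHR"),
    (1700000040.1, "CkA2", "10.0.0.5", "10.0.0.22", "tcp", "S0"),
    (1700000075.6, "CkA3", "10.0.0.9", "93.184.216.34", "tcp", "SF"),
]
# Constructed SIEM events with RFC 5424 timestamps: (timestamp, host, message)
SIEM = [
    ("2023-11-14T22:13:30.000Z", "sw-core-1", "snmp auth failure community=public"),
    ("2023-11-14T22:14:20.000Z", "fw-edge", "TLS handshake downgraded to TLS1.0"),
]


def parse_rfc5424_ts(ts):
    """RFC 5424 TIMESTAMP with a Z suffix -> epoch seconds (UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc).timestamp()


def window_of(ts, t0=T0, window_s=WINDOW_S):
    """Index of the fixed-length window containing ts; the same index aligns all sources."""
    return int((ts - t0) // window_s)


def synchronize(netflow, zeek, siem, t0=T0, window_s=WINDOW_S):
    """Align the three sources on a shared window index and emit one flat feature dict per window."""
    feats = defaultdict(lambda: {"flows": 0, "bytes": 0, "dst_hosts": set(),
                                 "conns": 0, "s0_conns": 0, "siem_events": 0})
    for ts, _src, dst, _port, nbytes in netflow:
        f = feats[window_of(ts, t0, window_s)]
        f["flows"] += 1
        f["bytes"] += nbytes
        f["dst_hosts"].add(dst)
    for ts, _uid, _orig, _resp, _proto, state in zeek:
        f = feats[window_of(ts, t0, window_s)]
        f["conns"] += 1
        if state == "S0":            # SYN sent, nothing back: the usual covert-scan fingerprint
            f["s0_conns"] += 1
    for ts, _host, _msg in siem:
        feats[window_of(parse_rfc5424_ts(ts), t0, window_s)]["siem_events"] += 1
    # Collapse the host set to its cardinality so every window is a numeric vector.
    return {w: {**f, "dst_hosts": len(f["dst_hosts"])} for w, f in sorted(feats.items())}


def balanced_class_weights(labels):
    """Inverse-frequency weights N / (K * n_k): rare attack windows count more than benign ones."""
    n, counts = len(labels), defaultdict(int)
    for y in labels:
        counts[y] += 1
    return {k: n / (len(counts) * c) for k, c in sorted(counts.items())}


def cost_weighted_bce(y_true, y_prob, cost_fn=3.0, cost_fp=1.0, eps=1e-7):
    """Binary cross-entropy where a missed attack is weighted by cost_fn and a false alarm by cost_fp."""
    total = 0.0
    for y, p in zip(y_true, y_prob):
        p = min(max(p, eps), 1.0 - eps)   # clip so log() stays finite
        total -= cost_fn * y * math.log(p) + cost_fp * (1 - y) * math.log(1.0 - p)
    return total / len(y_true)


if __name__ == "__main__":
    for w, f in synchronize(NETFLOW, ZEEK_CONN, SIEM).items():
        print(w, f)
    print(balanced_class_weights([0, 0, 0, 1]))
    print(cost_weighted_bce([1, 0], [0.5, 0.5]))
```

With these records the first window shows one source touching three hosts, one of them with an unanswered SYN, and an SNMP authentication failure in the same minute, which is exactly the cross-source signal a flat per-source model would miss; the loss function makes a confident miss three times as expensive as an equally confident false alarm, which is the cost asymmetry the abstract refers to.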

References
1. Smith J., Nguyen T. Multimodal Deep Learning for Network Intrusion Detection. IEEE Transactions on Network and Service Management. 2022. Vol. 19, No. 3. P. 2741–2755. https://doi.org/10.1109/TNSM.2022.3152349
2. Zhang L., Chen H. Autoencoder-based Anomaly Detection for Encrypted Traffic. Computers & Security. 2021. Vol. 105. Art. 102234. https://doi.org/10.1016/j.cose.2021.102234
3. Gerhards R. The Syslog Protocol. RFC 5424. IETF, 2009. https://doi.org/10.17487/RFC5424
4. Harrington D., Presuhn R., Wijnen B. An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks. RFC 3411. IETF, 2002. https://doi.org/10.17487/RFC3411
5. Rescorla E. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446. IETF, 2018. https://doi.org/10.17487/RFC8446
6. Nataraj L., Karthikeyan S., Jacob G., Manjunath B. Malware Images: Visualization and Automatic Classification. 8th International Symposium on Visualization for Cyber Security (VizSec). 2011. P. 1–7. https://doi.org/10.1145/2016904.2016908
7. Moustafa N., Slay J. UNSW-NB15: A Comprehensive Data Set for Network Intrusion Detection Systems (UNSW-NB15 Network Data Set). 2015 Military Communications and Information Systems Conference (MilCIS). 2015. P. 1–6. https://doi.org/10.1109/MilCIS.2015.7348942
8. Sharafaldin I., Lashkari A.H., Ghorbani A.A. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization. 4th International Conference on Information Systems Security and Privacy (ICISSP). 2018. P. 108–116. https://doi.org/10.5220/0006639801080116
9. Mirsky Y., Doitshman T., Elovici Y., Shabtai A. Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection. Network and Distributed System Security Symposium (NDSS). 2018. https://doi.org/10.14722/ndss.2018.23241
10. Breiman L. Random Forests. Machine Learning. 2001. Vol. 45. P. 5–32. https://doi.org/10.1023/A:1010933404324
11. Hochreiter S., Schmidhuber J. Long Short-Term Memory. Neural Computation. 1997. Vol. 9, No. 8. P. 1735–1780. https://doi.org/10.1162/neco.1997.9.8.1735
12. LeCun Y., Bottou L., Bengio Y., Haffner P. Gradient-Based Learning Applied to Document Recognition. Proceedings of the IEEE. 1998. Vol. 86, No. 11. P. 2278–2324. https://doi.org/10.1109/5.726791
13. Kingma D.P., Welling M. Auto-Encoding Variational Bayes. International Conference on Learning Representations (ICLR). 2014. https://doi.org/10.48550/arXiv.1312.6114
14. Goodfellow I., Bengio Y., Courville A. Deep Learning. MIT Press, 2016. 800 p. https://doi.org/10.7551/mitpress/10234.001.0001
15. Zaddach J., Kurmus A., Francillon A., Balzarotti D. AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares. Network and Distributed System Security Symposium (NDSS). 2014. https://doi.org/10.14722/ndss.2014.23257
16. Aviram N., Schinzel S., Somorovsky J. et al. DROWN: Breaking TLS Using SSLv2. 25th USENIX Security Symposium. 2016. P. 689–706. https://doi.org/10.5555/2976749.2977335
17. Papernot N., McDaniel P., Sinha A., Wellman M. SoK: Security and Privacy in Machine Learning. IEEE European Symposium on Security and Privacy (EuroS&P). 2018. P. 399–414. https://doi.org/10.1109/EuroSP.2018.00035
18. Rigaki M., Garcia S. Bringing a GAN to a Knife-Fight: Adapting Malware Communication to Avoid Detection. IEEE Security and Privacy Workshops (SPW). 2018. P. 70–75. https://doi.org/10.1109/SPW.2018.00020
19. Kim T., Ryu J., Choi H. Ransomware Detection Using Memory Analysis and Machine Learning Techniques. IEEE Access. 2020. Vol. 8. P. 99460–99471. https://doi.org/10.1109/ACCESS.2020.2995830
20. Apruzzese G., Colajanni M., Ferretti L., Guido A., Marchetti M. On the Effectiveness of Machine and Deep Learning for Cyber Security. 10th International Conference on Cyber Conflict (CyCon). 2018. P. 371–390. https://doi.org/10.23919/CYCON.2018.8405026
21. Conti M., Dehghantanha A., Franke K., Watson S. Internet of Things Security and Forensics: Challenges and Opportunities. Future Generation Computer Systems. 2018. Vol. 78. P. 544–546. https://doi.org/10.1016/j.future.2017.07.060
22. Alsirhani A., Alqahtani A., Chatterjee M. A Survey of Machine Learning for Big Code and Naturalness. ACM Computing Surveys. 2022. Vol. 55, No. 7. Art. 137. https://doi.org/10.1145/3524091
23. Buczak A., Guven E. A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection. IEEE Communications Surveys & Tutorials. 2016. Vol. 18, No. 2. P. 1153–1176. https://doi.org/10.1109/COMST.2015.2494502
24. Ahmed M., Mahmood A.N., Hu J. A Survey of Network Anomaly Detection Techniques. Journal of Network and Computer Applications. 2016. Vol. 60. P. 19–31. https://doi.org/10.1016/j.jnca.2015.11.016
25. Shone N., Ngoc T.N., Phai V.D., Shi Q. A Deep Learning Approach to Network Intrusion Detection. IEEE Transactions on Emerging Topics in Computational Intelligence. 2018. Vol. 2, No. 1. P. 41–50. https://doi.org/10.1109/TETCI.2017.2772792
26. Yin C., Zhu Y., Fei J., He X. A Deep Learning Approach for Intrusion Detection Using Recurrent Neural Networks. IEEE Access. 2017. Vol. 5. P. 21954–21961. https://doi.org/10.1109/ACCESS.2017.2762418
27. Li W., Chen Y., Zhang Z., Xu L. Software Vulnerability Detection Using Deep Neural Networks: A Survey. IEEE Access. 2021. Vol. 9. P. 12736–12752. https://doi.org/10.1109/ACCESS.2021.3050949
28. Umer M.F., Sher M., Bi Y. Towards Machine Learning-Based Malware Detection in IoT Devices. Computers & Security. 2020. Vol. 89. Art. 101660. https://doi.org/10.1016/j.cose.2019.101660
29. Ferrag M.A., Maglaras L., Moschoyiannis S., Janicke H. Deep Learning for Cyber Security Intrusion Detection: Approaches, Datasets, and Comparative Study. Journal of Information Security and Applications. 2020. Vol. 50. Art. 102419. https://doi.org/10.1016/j.jisa.2019.102419
30. Lin P., Ye K., Xu C.Z., Zheng Z. Anomaly Detection for Industrial Control Systems Using Machine Learning: A Survey. IEEE Transactions on Industrial Informatics. 2022. Vol. 18, No. 7. P. 4415–4429. https://doi.org/10.1109/TII.2021.3110829
31. Lopez-Martin M., Carro B., Sanchez-Esguevillas A. Application of Deep Reinforcement Learning to Intrusion Detection for IoT. IEEE Access. 2019. Vol. 7. P. 145270–145282. https://doi.org/10.1109/ACCESS.2019.2944063

Published

2025-10-26

Section

Articles