Feature Importance analysis for encrypted brute-force attack detection based on machine learning techniques
Date
2025
Author
Kapustin, Vsevolod
Paulauskas, Nerijus
Paulikas, Šarūnas
Abstract
This paper explores the challenges and opportunities in detecting cyber-attacks within encrypted network traffic. While encryption ensures data privacy and secure communications, it also obscures malicious activities from traditional detection systems, necessitating advanced techniques for threat identification. Artificial intelligence (AI) models are widely applied in cybersecurity, but their effectiveness depends on high-quality training data. This study examines how static parameters and features derived from the X.509 standard in Transport Layer Security (TLS) influence the training performance of machine learning models. Using the HIKARI-2021 encrypted brute-force attack dataset, the research evaluates the significance of TLS and X.509 features compared to conventional IP and TCP header-based attributes. Feature importance is assessed through mutual information (MI) scoring, while model performance is analyzed using accuracy, recall, F1-score, and training time metrics. The results demonstrate that incorporating TLS and X.509 features enhances the detection of encrypted brute-force and slow brute-force attacks compared to traditional transport and IP protocol-based features.
