Zhuoxue Song,Ziming Zhao,Fan Zhang,Gang Xiong,Guang Cheng,Xinjie Zhao,Shize Guo,Binbin Chen

DOI: https://doi.org/10.1109/TDSC.2023.3245411

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Traffic classification occupies a significant role in cybersecurity and network management. The widespread of encryption transmission protocols such as SSL/TLS has led to the dominance of deep learning based approaches. In cybersecurity, strong adversaries often complicate their strategies by constantly developing emerging attacks. Meanwhile, security practitioners desire to grasp the reasons for inference results. However, existing deep learning approaches lack efficient adaptation for incremental traffic types and often have less interpretability. In this paper, we propose I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN, an Incremental and Interpretable Recurrent Neural Network for encrypted traffic classification. The I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN proposes a novel propagation process to extract the sequence fingerprints from sessions with local robustness. Meanwhile, this proposal provides interpretability including time-series feature attribution and inter-class similarity portrait. Moreover, we design I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN in an incremental manner to adapt to emerging traffic types. The I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN only needs to train an additional set of parameters for the newly added traffic type rather than retraining the whole model with the entire dataset. Extensive experimental results show that our I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN can achieve remarkable performance in traffic classification, incremental learning, and model interpretability. Compared with other local interpretability methods, our I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN exhibits excellent stability, robustness, and effectiveness in the interpretation of network traffic data.

Zhuoxue Song,Ziming Zhao,Fan Zhang,Gang Xiong,Guang Cheng,Xinjie Zhao,Shize Guo,Binbin Chen

DOI: https://doi.org/10.1109/tdsc.2023.3245411

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Traffic classification occupies a significant role in cybersecurity and network management. The widespread of encryption transmission protocols such as SSL/TLS has led to the dominance of deep learning based approaches. In cybersecurity, strong adversaries often complicate their strategies by constantly developing emerging attacks. Meanwhile, security practitioners desire to grasp the reasons for inference results. However, existing deep learning approaches lack efficient adaptation for incremental traffic types and often have less interpretability. In this paper, we propose I $^{2}$ RNN, an Incremental and Interpretable Recurrent Neural Network for encrypted traffic classification. The I $^{2}$ RNN proposes a novel propagation process to extract the sequence fingerprints from sessions with local robustness. Meanwhile, this proposal provides interpretability including time-series feature attribution and inter-class similarity portrait. Moreover, we design I $^{2}$ RNN in an incremental manner to adapt to emerging traffic types. The I $^{2}$ RNN only needs to train an additional set of parameters for the newly added traffic type rather than retraining the whole model with the entire dataset. Extensive experimental results show that our I $^{2}$ RNN can achieve remarkable performance in traffic classification, incremental learning, and model interpretability. Compared with other local interpretability methods, our I $^{2}$ RNN exhibits excellent stability, robustness, and effectiveness in the interpretation of network traffic data.

Tao Liu,Xiting Ma,Ling Liu,Xin Liu,Yue Zhao,Ning Hu,Kayhan Zrar Ghafoor

DOI: https://doi.org/10.3390/math12111624

IF: 2.4

2024-05-23

Mathematics

Abstract:Encrypted traffic classification is a crucial part of privacy-preserving research. With the great success of artificial intelligence technology in fields such as image recognition and natural language processing, how to classify encrypted traffic based on AI technology has become an attractive topic in information security. With good generalization ability and high training accuracy, pre-training-based encrypted traffic classification methods have become the first option. The accuracy of this type of method depends highly on the fine-tuning model. However, it is a challenge for existing fine-tuned models to effectively integrate the representation of packet and byte features extracted via pre-training. A novel fine-tuning model, LAMBERT, is proposed in this article. By introducing an attention mechanism to capture the relationship between BiGRU and byte sequences, LAMBERT not only effectively improves the sequence loss phenomenon of BiGRU but also improves the processing performance of encrypted stream classification. LAMBERT can quickly and accurately classify multiple types of encrypted traffic. The experimental results show that our model performs well on datasets with uneven sample distribution, no pre-training, and large sample classification. LAMBERT was tested on four datasets, namely, ISCX-VPN-Service, ISCX-VPN-APP, USTC-TFC and CSTNET-TLS 1.3, and the F1 scores reached 99.15%, 99.52%, 99.30%, and 97.41%, respectively.

mathematics

Pan Wang,Shuhang Li,Feng Ye,Zixuan Wang,Moxuan Zhang

DOI: https://doi.org/10.1109/icc40277.2020.9148946

2020-06-01

Abstract:With the popularity of Deep Learning (DL), researchers have begun to apply DL to tackle with encrypted traffic classification problems. Although these methods can automatically extract traffic features to improve the ability of feature engineering of traditional methods like DPI, a large amount of data is still needed to learn the characteristics of various types of traffic. Therefore, the performance of classification model always significantly depends on the quality of datasets. Nonetheless, the building of datasets is a time-consuming and costly task, especially encrypted traffic. Apparently, it is often more difficult to collect a large amount of traffic samples of those unpopular applications than well-known ones, which often leads to the problem of class imbalance between major and minor encrypted applications in datasets. In this paper, we proposed a novel traffic data augmenting method called PacketCGAN using Conditional GAN, which can control the modes of data to be generated. PacketCGAN exploit the benefit of CGAN to generate specified samples with the input of applications’ types as conditional and thereby achieve data balancing. As a proof of concept, three classical DL models including CNN were adopted to classify four types of encrypted traffic datasets augmented by Random Over Sampling (ROS), SMOTE(Synthetic Minority Over-sampling Techinique), vanilla GAN and PacketCGAN respectively using public datasets. The experimental evaluation results demonstrate that DL based encrypted traffic classifier over our new dataset augmented by PacketCGAN can achieve better performance than the other three in terms of encrypted traffic classification.

Jianjin Zhao,Qi Li,Yueping Hong,Meng Shen

DOI: https://doi.org/10.1109/tnsm.2024.3350080

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:Encrypted Traffic Classification (ETC) is crucial for network security management and Quality of Service (QoS) improvement. There have been many attempts to tackle various ETC tasks, however, which generally suffer from task dependency and limited adaptability, falling short of meeting practical requirements. Under the realistic assumptions of complex network environments, diverse encryption techniques and ever-changing application landscapes coexist. It is highly desirable to learn the generic encrypted traffic representations to investigate the common knowledge across different ETC tasks and rapidly adapt to the dynamic shifts. To fill the gap, we propose MetaRockETC, a generic encrypted traffic classification framework, which extracts protocol-agnostic features to learn the common knowledge and rapidly adapt to novel ETC tasks and evolving network environments. In MetaRockETC, we first model packet length sequences of encrypted sessions as multivariate time series and perform random convolution kernel transformations to summarize discriminatory behavioral patterns across channels. By integrating MetaRockETC into an advanced Model-Agnostic Meta-Learning (MAML) framework, we learn a task-adaptive loss function to facilitate better generalization and transferability across diverse ETC tasks. Extensive experimental results demonstrate the superiority of MetaRockETC in both across-task and few-shot scenarios, highlighting its potential to provide a practical solution for encrypted traffic classification in real-world scenarios.

computer science, information systems

Xiaohui Nie,Youjian Zhao,Zhihan Li,Guo Chen,Kaixin Sui,Jiyang Zhang,Zijie Ye,Dan Pei

DOI: https://doi.org/10.1109/jsac.2019.2904350

IF: 16.4

2019-06-01

IEEE Journal on Selected Areas in Communications

Abstract:Despite many years of improvements to it, TCP still suffers from an unsatisfactory performance. For services dominated by short flows (e.g., web search and e-commerce), TCP suffers from the flow startup problem and cannot fully utilize the available bandwidth in the modern Internet: TCP starts from a conservative and static initial window (IW, 2–4 or 10), while most of the web flows are too short to converge to the best sending rate before the session ends. For services dominated by long flows (e.g., video streaming and file downloading), the congestion control (CC) scheme manually and statically configured might not offer the best performance for the latest network conditions. To address these two challenges, we propose TCP-RL, which uses reinforcement learning (RL) techniques to dynamically configure IW and CC in order to improve the performance of TCP flow transmission. Basing on the latest network conditions observed at the server side of a web service, TCP-RL dynamically configures a suitable IW for short flows through group-based RL, and dynamically configures a suitable CC scheme for long flows through deep RL. Our extensive experiments show that for short flows, TCP-RL can reduce the average transmission time by about 23%; and for long flows, compared with the performance of 14 CC schemes, TCP-RL’s performance ranks top 5 for about 85% of the 288 given static network conditions, whereas for about 90% of conditions, its performance drops by less than 12% compared with that of the best-performing CC schemes for the same network conditions.

telecommunications,engineering, electrical & electronic

Idio Guarino,Chao Wang,Alessandro Finamore,Antonio Pescape,Dario Rossi

2023-06-03

Abstract:The popularity of Deep Learning (DL), coupled with network traffic visibility reduction due to the increased adoption of HTTPS, QUIC and DNS-SEC, re-ignited interest towards Traffic Classification (TC). However, to tame the dependency from task-specific large labeled datasets we need to find better ways to learn representations that are valid across tasks. In this work we investigate this problem comparing transfer learning, meta-learning and contrastive learning against reference Machine Learning (ML) tree-based and monolithic DL models (16 methods total). Using two publicly available datasets, namely MIRAGE19 (40 classes) and AppClassNet (500 classes), we show that (i) using large datasets we can obtain more general representations, (ii) contrastive learning is the best methodology and (iii) meta-learning the worst one, and (iv) while ML tree-based cannot handle large tasks but fits well small tasks, by means of reusing learned representations, DL methods are reaching tree-based models performance also for small tasks.

Machine Learning,Networking and Internet Architecture

Haitao Zhang,Lei Luo,Yun Li,Lirong Chen,Xiaobo Wu

DOI: https://doi.org/10.1109/dsc55868.2022.00076

2022-01-01

Abstract:More and more data is transferred in encrypted ways, especially over HTTPS. As a result, network attackers often use encryption algorithms to transmit control commands to avoid detection. Malware or unidentified users may use unauthorized encrypted proxy to communicate and access malicious websites. Confirming the details of these behaviors facilitates the analysis of suspicious events, but intercepted encrypted traffic cannot be parsed. Since the payload of encrypted traffic is not observable, machine learning algorithm combined with domain knowledge is the mainstream method to detect malicious encrypted traffic. Considering the complexity of decrypting traffic, we start from host level and flow level, exploit packet length histogram, sequence features and statistical features to describe traffic. In particular, we use Word2Vec algorithm to represent packet length sequence. In experiment, we collect the encrypted traffic generated by malware communicating with multiple websites through encrypted proxy. Experiment result shows the effectiveness of our framework and achieve 96.2% Accuracy.

Yige Chen,Tianning Zang,Yongzheng Zhang,Yuan Zhouz,Yipeng Wang,Yuan Zhou

DOI: https://doi.org/10.1109/icnp.2019.8888043

2019-10-01

Abstract:With the unprecedented prevalence of mobile network applications, cryptographic protocols, such as the Secure Socket Layer/Transport Layer Security (SSL/TLS), are widely used in mobile network applications for communication security. The proven methods for encrypted video stream classification or encrypted protocol detection are unsuitable for the SSL/TLS traffic. Consequently, application-level traffic classification based networking and security services are facing severe challenges in effectiveness. Existing encrypted traffic classification methods exhibit unsatisfying accuracy for applications with similar state characteristics. In this paper, we propose a multiple-attribute-based encrypted traffic classification system named Multi-Attribute Associated Fingerprints (MAAF). We develop MAAF based on the two key insights that the DNS traces generated during the application runtime contain classification guidance information and that the handshake certificates in the encrypted flows can provide classification clues. Apart from the exploitation of key insights, MAAF employs the context of the encrypted traffic to overcome the attribute-lacking problem during the classification. Our experimental results demonstrate that MAAF achieves 98.69% accuracy on the real-world traceset that consists of 16 applications, supports the early prediction, and is robust to the scale of the training traceset. Besides, MAAF is superior to the state-of-the-art methods in terms of both accuracy and robustness.

Jin Cheng,Yulei Wu,Junling You,Tong Li,Hui Li,Jingguo Ge,Yuepeng E

DOI: https://doi.org/10.1016/j.comnet.2021.108472

IF: 5.493

2021-11-01

Computer Networks

Abstract:Increased awareness of privacy protection has led to a surge in the volume of encrypted traffic, which creates a heavy burden for efficient network management (e.g. quality-of-service guarantees). The opacity of encrypted traffic essentially requires high computational overheads to make traffic classification, which is even worse when encrypted traffic surges. However, existing deep learning approaches sacrifice the efficiency to obtain high-precision classification results, which are no longer suitable for scenarios with large volumes of encrypted traffic. In this paper, a lightweight and online approach implemented as MATEC is proposed. The way we optimize the classification process follows the "Maximizing the reuse of thin modules" design principle. The multi-head attention and the convolutional network are adopted in the thin module. Attributed to the one-step interaction of all packets and the parallel computing of the multi-head attention mechanism, a key advantage of our model is that the number of parameters and running time are significantly reduced. In addition, the effectiveness and efficiency of convolutional networks have been proved in traffic classification. Comparisons to the existing state-of-the-art models on three typical datasets demonstrate that the proposed MATEC model has higher accuracy and running efficiency. In addition, the number of parameters is reduced to 1.8% of the state-of-the-art models and the training time halves.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Xu Yang,Kaisa Zhang,Gang Chuai,Zibin Chen,Xiangyu Chen,Zihao Xiong,Yichao Xu

DOI: https://doi.org/10.1109/cac59555.2023.10450905

2023-01-01

Abstract:The development of Internet has led to increasingly serious network security issues. Although encryption technology applied to network communication do users the favour of protecting data privacy to a certain extent, the existence of encrypted traffic also provides a cover for malicious attacks in the network. Accurate identification of encrypted traffic is crucial for maintaining network security. However, improving classification performance for low labeled rate scenarios remains a challenge in current research. Therefore, we propose an encryption traffic classification method based on Deep Learning, named RM-Net. This method combines ResNet, MobileNet and LSTM models and fully leverages their advantages to extract data features from both spatial and temporal dimensions, while continuously learning complex relationships between features. To verify the effectiveness of proposed model, we conduct multiple experiments using real network encrypted traffic data under a 5 % labeled rate scenario, and compare them with ResNet and LSTM. The experimental results show that our method performs well in accuracy, precision, recall and Fl-score metrics, achieving an accuracy rate of 97.72 % with only 5 % labeled data.

Guang-Lu Sun,Yibo Xue,Yingfei Dong,Dongsheng Wang,Chenglong Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5683649

2010-01-01

Abstract:Classifying encrypted traffic is critical to effective network analysis and management. While traditional payload- based methods are powerless to deal with encrypted traffic, machine learning methods have been proposed to address this issue. However, these methods often bring heavy overhead into the system. In this paper, we propose a hybrid method that combines signature-based methods and statistical analysis methods to address this issue. We first identify SSL/TLS traffic with signature matching methods, and then apply statistical analysis to determine concrete application protocols. Our experimental results show that the proposed method is able to recognize over 99% of SSL/TLS traffic and achieve 94.52% in F-score for protocols identification.

Wang,Gu

DOI: https://doi.org/10.3390/s24103078

IF: 3.9

2024-05-13

Sensors

Abstract:The widespread use of encrypted traffic poses challenges to network management and network security. Traditional machine learning-based methods for encrypted traffic classification no longer meet the demands of management and security. The application of deep learning technology in encrypted traffic classification significantly improves the accuracy of models. This study focuses primarily on encrypted traffic classification in the fields of network analysis and network security. To address the shortcomings of existing deep learning-based encrypted traffic classification methods in terms of computational memory consumption and interpretability, we introduce a Parameter-Efficient Fine-Tuning method for efficiently tuning the parameters of an encrypted traffic classification model. Experimentation is conducted on various classification scenarios, including Tor traffic service classification and malicious traffic classification, using multiple public datasets. Fair comparisons are made with state-of-the-art deep learning model architectures. The results indicate that the proposed method significantly reduces the scale of fine-tuning parameters and computational resource usage while achieving performance comparable to that of the existing best models. Furthermore, we interpret the learning mechanism of encrypted traffic representation in the pre-training model by analyzing the parameters and structure of the model. This comparison validates the hypothesis that the model exhibits hierarchical structure, clear organization, and distinct features.

engineering, electrical & electronic,instruments & instrumentation,chemistry, analytical

Navid Malekghaini,Elham Akbari,Mohammad A. Salahuddin,Noura Limam,Raouf Boutaba,Bertrand Mathieu,Stephanie Moteau,Stephane Tuffin

DOI: https://doi.org/10.1109/TNSM.2023.3324936

2023-10-13

Abstract:Deep learning (DL) has been successfully applied to encrypted network traffic classification in experimental settings. However, in production use, it has been shown that a DL classifier's performance inevitably decays over time. Re-training the model on newer datasets has been shown to only partially improve its performance. Manually re-tuning the model architecture to meet the performance expectations on newer datasets is time-consuming and requires domain expertise. We propose AutoML4ETC, a novel tool to automatically design efficient and high-performing neural architectures for encrypted traffic classification. We define a novel, powerful search space tailored specifically for the early classification of encrypted traffic using packet header bytes. We show that with different search strategies over our search space, AutoML4ETC generates neural architectures that outperform the state-of-the-art encrypted traffic classifiers on several datasets, including public benchmark datasets and real-world TLS and QUIC traffic collected from the Orange mobile network. In addition to being more accurate, AutoML4ETC's architectures are significantly more efficient and lighter in terms of the number of parameters. Finally, we make AutoML4ETC publicly available for future research.

Networking and Internet Architecture,Artificial Intelligence,Cryptography and Security,Machine Learning

Xi Xiao,Shuo Wang,Guangwu Hu,Qing Li,Kelong Mao,Xiapu Luo,Bin Zhang,Shutao Xia

DOI: https://doi.org/10.1109/tdsc.2024.3478838

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Network traffic classification plays a crucial role in network management and cyberspace security. As the Internet evolves with new applications and protocols, traditional machine learning-based methods relying on feature mining have become obsolete. Instead, deep learning-based methods are becoming more popular in the field of traffic classification due to their end-to-end processing approach. However, the vulnerability of neural networks to adversarial examples significantly compromises their performance. In this paper, we propose Robust Byte-Label Joint Attention Network (RBLJAN), an efficient and robust deep learning-based framework for encrypted network traffic classification at both the packet-level and the flow-level. RBLJAN comprises a classifier and an adversarial traffic generator. The classifier utilizes mechanisms such as header-payload parallel processing and byte-label joint attention learning to capture implicit correlations between bytes and labels, enabling the construction of powerful packet representations. The generator produces adversarial examples that are fed to the classifier to enhance its robustness. Experimental results demonstrate that RBLJAN achieves over 99% average F1-score on real-world legitimate traffic datasets and achieves 97.86% average F1-score on malware identification. Moreover, RBLJAN exhibits superior performance in terms of detection speed and robustness compared to state-of-the-art methods in real-world scenarios.

Shilo Daum,Tal Shapira,Anat Bremler-Barr,David Hay

2024-07-10

Abstract:With 95% of Internet traffic now encrypted, an effective approach to classifying this traffic is crucial for network security and management. This paper introduces ECHO -- a novel optimization process for ML/DL-based encrypted traffic classification. ECHO targets both classification time and memory utilization and incorporates two innovative techniques. The first component, HO (Hyperparameter Optimization of binnings), aims at creating efficient traffic representations. While previous research often uses representations that map packet sizes and packet arrival times to fixed-sized bins, we show that non-uniform binnings are significantly more efficient. These non-uniform binnings are derived by employing a hyperparameter optimization algorithm in the training stage. HO significantly improves accuracy given a required representation size, or, equivalently, achieves comparable accuracy using smaller representations. Then, we introduce EC (Early Classification of traffic), which enables faster classification using a cascade of classifiers adapted for different exit times, where classification is based on the level of confidence. EC reduces the average classification latency by up to 90\%. Remarkably, this method not only maintains classification accuracy but also, in certain cases, improves it. Using three publicly available datasets, we demonstrate that the combined method, Early Classification with Hyperparameter Optimization (ECHO), leads to a significant improvement in classification efficiency.

Networking and Internet Architecture,Cryptography and Security,Machine Learning

Ying Zheng,Lixiang Lin,Tianqi Zhang,Haoyu Chen,Qingyang Duan,Yuedong Xu,Xin Wang

DOI: https://doi.org/10.1109/jsac.2021.3126085

IF: 16.4

2021-01-01

IEEE Journal on Selected Areas in Communications

Abstract:The past few years have witnessed a surge of interest towards deep reinforcement learning (DRL) in computer networks. With extraordinary ability of feature extraction, DRL has the potential to re-engineer the fundamental resource allocation problems in networking without relying on pre-programmed models or assumptions about dynamic environments. However, such black-box systems suffer from poor robustness, showing high performance variance and poor tail performance. In this work, we propose a unified Teacher-Student learning framework that harnesses rich domain knowledge to improve robustness. The domain-specific algorithms, less performant but more trustable than DRL, play the role of teachers providing advice at critical states; the student neural network is steered to maximize the expected reward as usual and mimic the teacher's advice meanwhile. The Teacher-Student method comprises of three modules where the confidence check module locates wrong decisions and risky decisions, the reward shaping module designs a new updating function to stimulate the learning of student network, and the prioritized experience replay module to effectively utilize the advised actions. We further implement our Teacher-Student framework in existing video streaming (Pensieve), load balancing (DeepLB), and TCP congestion control (Aurora). Experimental results manifest that the proposed approach reduces the performance standard deviation of DeepLB by 37%; it improves the 90th, 95th, and 99th tail performance of Pensieve by 7.6%, 8.8%, and 10.7% respectively; and it accelerates the growth rate of Aurora by 2x at the initial stage, and achieves a more stable performance in dynamic environments.

Minghao Chen,Rongpeng Li,Jon Crowcroft,Jianjun Wu,Zhifeng Zhao,Honggang Zhang

DOI: https://doi.org/10.1109/tcomm.2021.3123130

IF: 6.166

2022-01-01

IEEE Transactions on Communications

Abstract:In this paper, we aim to propose a novel transmission control protocol (TCP) congestion control method from a cross-layer-based perspective and present a deep reinforcement learning (DRL)-driven method called DRL-3R (DRL for congestion control with Radio access network information and Reward Redistribution) so as to learn the TCP congestion control policy in a superior manner. In particular, we incorporate the RAN information to timely grasp the dynamics of RAN, and empower DRL to learn from the delayed RAN information feedback potentially induced by several consecutive actions. Meanwhile, we relax the implicit assumption (that the feedback to one specific action returns at a round-trip-time (RTT) after the action is applied) in previous researches, by redistributing the rewards and evaluating the merits of actions more accurately. Experiment results show that besides maintaining a reasonable fairness, DRL-3R significantly outperforms classical congestion control methods (e.g., TCP Reno, Westwood, Cubic, BBR and DRL-CC) on network utility by achieving a higher throughput while reducing delay in various network environments.

Yuxuan Chen,Rongpeng Li,Zhifeng Zhao,Honggang Zhang

2024-11-20

Abstract:We present MERLOT, a scalable mixture-of-expert (MoE) based refinement of distilled large language model optimized for encrypted traffic classification. By applying model distillation techniques in a teacher-student paradigm, compact models derived from GPT-2-base retain high classification accuracy while minimizing computational costs. These models function as specialized experts in an MoE architecture, dynamically assigned via a gating network. Unlike generation-based methods, our approach directly classifies encrypted traffic using the final decoder token with contextual feature embedding as input. Experiments on 10 datasets show superior or competitive performance over the state-of-the-art models while significantly reducing resource demands, underscoring its effectiveness and robustness.

Machine Learning,Cryptography and Security

Mehdi Seydali,Farshad Khunjush,Javad Dogani

DOI: https://doi.org/10.1007/s10586-023-04234-0

2024-01-19

Cluster Computing

Abstract:Massive amounts of real-time streaming network data are generated quickly because of the exponential growth of applications. Analyzing patterns in generated flow traffic streaming offers benefits in reducing traffic congestion, enhancing network management, and improving the quality of service management. Processing massive volumes of generated traffic poses more challenges when data traffic encryption is raised. Classifying encrypted network traffic in real-time with deep learning networks has received attention because of their excellent performance. The substantial volume of incoming packets, characterized by high speed and wide variety, puts real-time traffic classification within the domain of big data problems. Classifying traffic with high speed and accuracy is a significant challenge in the era of big data. The real-time nature of traffic intensifies deep learning networks, necessitating a considerable number of parameters, layers, and resources for optimal network training. Until now, various datasets have been employed to evaluate the effectiveness of previous methods for classifying encrypted traffic. The primary objective has been to enhance accuracy, precision, and F1-measure. Presently, encrypted traffic classification performance depends on pre-existing datasets. The learning and testing phases are done offline, and more research is needed to investigate the feasibility of these methods in real-world scenarios. This paper examines the possibility of a tradeoff between evaluating the model's effectiveness, execution time, and utilization of processing resources when processing stream-based input data for traffic classification. We aim to explore the feasibility of establishing a tradeoff between these factors and determining optimal parameter settings. This paper used the ISCX VPN-Non VPN 2016 public dataset to evaluate the proposed method. All packets from the dataset were streamed continuously through Apache Kafka to the classification framework. Numerous experiments have been designed to demonstrate the efficacy of the proposed method. The experimental results show that the proposed method outperforms the baseline methods by 11% in the F1-measure when the number of workers is two and by 25% when the number of workers is equal to 32.

computer science, information systems, theory & methods