Zhuoxue Song,Ziming Zhao,Fan Zhang,Gang Xiong,Guang Cheng,Xinjie Zhao,Shize Guo,Binbin Chen

DOI: https://doi.org/10.1109/TDSC.2023.3245411

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Traffic classification occupies a significant role in cybersecurity and network management. The widespread of encryption transmission protocols such as SSL/TLS has led to the dominance of deep learning based approaches. In cybersecurity, strong adversaries often complicate their strategies by constantly developing emerging attacks. Meanwhile, security practitioners desire to grasp the reasons for inference results. However, existing deep learning approaches lack efficient adaptation for incremental traffic types and often have less interpretability. In this paper, we propose I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN, an Incremental and Interpretable Recurrent Neural Network for encrypted traffic classification. The I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN proposes a novel propagation process to extract the sequence fingerprints from sessions with local robustness. Meanwhile, this proposal provides interpretability including time-series feature attribution and inter-class similarity portrait. Moreover, we design I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN in an incremental manner to adapt to emerging traffic types. The I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN only needs to train an additional set of parameters for the newly added traffic type rather than retraining the whole model with the entire dataset. Extensive experimental results show that our I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN can achieve remarkable performance in traffic classification, incremental learning, and model interpretability. Compared with other local interpretability methods, our I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN exhibits excellent stability, robustness, and effectiveness in the interpretation of network traffic data.

Ziming Zhao,Zhaoxuan Li,Jialun Jiang,Fengyuan Yu,Fan Zhang,Congyuan Xu,Xinjie Zhao,Rui Zhang,Shize Guo

DOI: https://doi.org/10.1109/tdsc.2023.3242134

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Traffic detection systems based on machine learning have been proposed to defend against cybersecurity threats, such as intrusion attacks and malware. However, they did not take the impact of network-induced phenomena into consideration, such as packet loss, retransmission, and out-of-order. These phenomena will introduce additional misclassifications in the real world. In this paper, we present ${sf ERNN}$, a robust and end-to-end RNN model that is specially designed against network-induced phenomena. As its core, ${sf ERNN}$ is designed with a novel gating unit named as session gate that includes: (i) four types of actions to simulate common network-induced phenomena during model training; and (ii) the Mealy machine to update states of session gate that adjusts the probability distribution of network-induced phenomena. Taken together, ${sf ERNN}$ advances state-of-the-art by realizing the model robustness for network-induced phenomena in an error-resilient manner. We implement ${sf ERNN}$ and evaluate it extensively on both intrusion detection and malware detection systems. By practical evaluation with dynamic bandwidth utilization and different network topologies, we demonstrate that ${sf ERNN}$ can still identify 98.63% of encrypted intrusion traffic when facing about 16% abnormal packet sequences on a 10 Gbps dataplane. Similarly, ${sf ERNN}$ can still robustly identify more than 97% of the encrypted malware traffic in multi-user concurrency scenarios. ${sf ERNN}$ can realize $sim$4% accuracy more than SOTA methods. Based on the Integrated Gradients method, we interpret the gating mechanism can reduce the dependencies on local packets (termed dependency dispersion). Moreover, we demonstrate that ${sf ERNN}$ possesses superior stability and scalability in terms of parameter settings and feature selection.

computer science, information systems, software engineering, hardware & architecture

Xinming Ren,Huaxi Gu,Wenting Wei

DOI: https://doi.org/10.1016/j.eswa.2020.114363

IF: 8.5

2021-04-01

Expert Systems with Applications

Abstract:Network traffic classification plays an important role in network monitoring and network management. With the continuous development of network technology, traditional methods of traffic classification have more limitations in accuracy to deal with encrypted traffic. Fortunately, deep neural network (DNN) is an effective method for handling traffic classification due to its ability to learn inherent data features. However, this method generally classifies network traffic with only the single classifier, which makes it relatively less effective in some classes for the problem of large classification. In this paper, we propose a tree structural recurrent neural network (Tree-RNN), which divides a large classification into small classifications by using the tree structure. A specific classifier is set for each small classification after division. With multiple classifiers employed, Tree-RNN can complement each other in classification performance, and the problem of the single classifier is solved. Since multiple classifiers are all end-to-end frameworks, Tree-RNN can automatically learn the nonlinear relationship between input data and output data without feature extraction. To verify the validity of our model, we compare Tree-RNN with state-of-the-art methods using the ISCX public traffic dataset. Experimental results show that Tree-RNN can achieve higher performance in less training time. The average accuracy of Tree-RNN is 4.88% higher than other state-of-the-art methods, and it has higher average precision and average recall.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Junchi Xing,Chunming Wu

DOI: https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9162940

2020-01-01

Abstract:The widely used encryption of network traffic poses a great challenge to anomaly detection. Currently, the supervised and semi-supervised solutions suffer from the problems of noisy label of data, non-stationary traffic distribution, and huge resource consumption for offline training. To address this, in this paper, we present an unsupervised, robust, and online anomaly detection method for encrypted traffic by using deep dictionary learning, called D2LAD. D2LAD offers the potential to extract sequential features from raw encrypted traffic data with the help of an LSTM-based autoencoder. Then, according to the sequential features, D2LAD is able to explore the hidden normal patterns by iterative deep dictionary learning. Eventually, D2LAD can obtain the anomaly score of raw data by calculating its relevance to the deep dictionary. We implement a prototype of D2LAD and evaluate its effectiveness and performance by experiments using realistic datasets. The experimental results show that our method achieves high accuracy and low resource usage, and outperforms the representative state-of-the-art methods in real-world settings.

Kunda Lin,Xiaolong Xu,Honghao Gao

DOI: https://doi.org/10.1016/j.comnet.2021.107974

IF: 5.493

2021-05-01

Computer Networks

Abstract:In the Industrial Internet of Things (IIoT) in the 5G era, the growth of smart devices will generate a large amount of data traffic, bringing a huge challenge of network traffic classification, which is the prerequisite of IIoT traffic engineering, quality of service (QoS), cyberspace security, etc. It is difficult for current traffic classification methods to distinguish encrypted dataflow and design effective handcraft features. In this paper, a novel identification scheme of encrypted traffic, TSCRNN, is proposed to automatically extract features for efficient traffic classification, which is based on spatiotemporal features. TSCRNN includes the preprocessing phase and the classification phase. In the preprocessing phase, raw traffic data are processed with flow segmentation, sampling, and vectorization, etc. To solve the classification problem of long time flow, sampling strategies are used to collect samples from the middle of the long-lived flow. In the classification phase, TSCRNN extracts abstract spatial features by CNN and then introduces stack bidirectional LSTM to learn the temporal characteristics. The experiments were performed on the dataset ISCXTor2016. The experimental results show that TSCRNN outperforms other typical methods in all scenarios, which achieves the accuracy up to 99.4% and 95.0% respectively in Tor/nonTor binary classification tasks and sixteen classification tasks. Furthermore, TSCRNN is applied to other real network datasets obtained the satisfactory performance, which validates its feasibility and universality. It means that TSCRNN can effectively identify encrypted and anonymous traffic, provide a fine-grained traffic characterization mechanism, which will support the development of core technologies in the Industrial Internet of Things.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Zhiyong Bu,Bin Zhou,Pengyu Cheng,Kecheng Zhang,Zhen-Hua Ling

DOI: https://doi.org/10.1109/ACCESS.2020.3010637

IF: 3.9

2020-01-01

IEEE Access

Abstract:Network traffic classification aims to recognize different application or traffic types by analyzing received data packets. This paper presents a neural network model with deep and parallel network-in-network (NIN) structures for classifying encrypted network traffic. Comparing with standard convolutional neural networks (CNN), NIN adopts a micro network after each convolution layer to enhance local modeling. Besides, NIN utilizes a global average pooling instead of traditional fully connected layers before final classification, which reduces the number of model parameters significantly. In our proposed method, deep NIN models with multiple MLP convolutional layers are built to map fixed-length packet vectors towards application or traffic labels. Furthermore, a parallel decision strategy of building two sub-networks to process packet header and packet body separately is designed considering that they may carry different kinds of clues for classification. The results of our experiments on the "ISCX VPN-nonVPN" encrypted traffic dataset show that NIN models can achieve a better balance between classification accuracy and model complexity than conventional CNNs. The parallel decision strategy can further improve the accuracy of using single NIN model for encrypted network traffic classification. Finally, the test set F1 scores of 0.983 and 0.985 are achieved for traffic characterization and application identification respectively.

Licheng Qu,Jiao Lyu,Wei Li,Dongfang Ma,Haiwei Fan

DOI: https://doi.org/10.1016/j.neucom.2021.03.054

IF: 6

2021-01-01

Neurocomputing

Abstract:Accurate traffic speed forecasting is critical in advanced transportation management and traveler route planing. Considering the important influences of spatial–temporal factors and excellent performance of recurrent neural networks (RNNs) in the field of time series analyzing, in this paper, the features injected recurrent neural networks (FI-RNNs) were proposed, which combines sequential time data with contextual factors to mine the potential relationship between traffic state and its context. In this model, a stacked RNN was used to learn the sequence features of traffic data. Meanwhile, a sparse Autoencoder was trained to expand the contextual features, which are high-level coding and abstract representations of contextual factors. Then an merging mechanism which injects contextual features into sequence features was explored to generate fusion features. Finally, the new fused features were fed to the predictor to learn the traffic patterns and predict future speed. Case studies based on two real-world data sets show that the injection of contextual features can greatly improve the accuracy of time series prediction. Comparison with ten frequently used models, including k-nearest neighbor (k-NN), support vector machine (SVM), decision tree (DT), gradient booting decision tree (GBDT), random forest (RF), stacked autoencoder (SAE), and four classic RNNs, also shows the proposed models outperform these state-of-the-art traffic prediction methods in terms of accuracy and stability.

Xu Yang,Kaisa Zhang,Gang Chuai,Zibin Chen,Xiangyu Chen,Zihao Xiong,Yichao Xu

DOI: https://doi.org/10.1109/cac59555.2023.10450905

2023-01-01

Abstract:The development of Internet has led to increasingly serious network security issues. Although encryption technology applied to network communication do users the favour of protecting data privacy to a certain extent, the existence of encrypted traffic also provides a cover for malicious attacks in the network. Accurate identification of encrypted traffic is crucial for maintaining network security. However, improving classification performance for low labeled rate scenarios remains a challenge in current research. Therefore, we propose an encryption traffic classification method based on Deep Learning, named RM-Net. This method combines ResNet, MobileNet and LSTM models and fully leverages their advantages to extract data features from both spatial and temporal dimensions, while continuously learning complex relationships between features. To verify the effectiveness of proposed model, we conduct multiple experiments using real network encrypted traffic data under a 5 % labeled rate scenario, and compare them with ResNet and LSTM. The experimental results show that our method performs well in accuracy, precision, recall and Fl-score metrics, achieving an accuracy rate of 97.72 % with only 5 % labeled data.

Zitong Hu,Bo Qu,Xiang Li,Cong Li

DOI: https://doi.org/10.1007/978-981-97-5101-3_21

2024-01-01

Abstract:The exponential increase in encrypted traffic presents significant challenges to conventional traffic classification methodologies. The integration of deep learning and time series analysis has emerged as a contemporary approach, but the crucial higher interaction information among encrypted traffic packets is often neglected. Based on the fact that distinct categories of encrypted traffic manifest unique spatial structures and temporal patterns, we introduce a novel deep learning framework, termed Higher-Interaction-Graph encrypted classifier (HIGEC). This framework employs graph convolutional networks (GCN) and higher interaction information among packets for the precise classification of encrypted traffic flows. Initially, our approach incorporates a newly designed module that leverages metadata to transform each encrypted traffic flow into a graph structure, preserving the temporal information and spatial structure between packets. Subsequently, we introduce an advanced graph pooling and merge layer atop the GCN architecture that dynamically derives multi-order graph representations, augmenting our adaptability to diverse network environments. Meanwhile, we propose a new encrypted traffic dataset that addresses the inherent limitations of currently available public datasets to validate the effectiveness of our model. Comprehensive testing on our proposed dataset and two more public real-world datasets demonstrates that the HIGEC model significantly enhances accuracy, outperforming existing state-of-the-art methods.

Wei Wang,Ming Zhu,Jinlin Wang,Xuewen Zeng,Zhongzhen Yang

DOI: https://doi.org/10.1109/isi.2017.8004872

2017-07-01

Abstract:Traffic classification plays an important and basic role in network management and cyberspace security. With the widespread use of encryption techniques in network applications, encrypted traffic has recently become a great challenge for the traditional traffic classification methods. In this paper we proposed an end-to-end encrypted traffic classification method with one-dimensional convolution neural networks. This method integrates feature extraction, feature selection and classifier into a unified end-to-end framework, intending to automatically learning nonlinear relationship between raw input and expected output. To the best of our knowledge, it is the first time to apply an end-to-end method to the encrypted traffic classification domain. The method is validated with the public ISCX VPN-nonVPN traffic dataset. Among all of the four experiments, with the best traffic representation and the fine-tuned model, 11 of 12 evaluation metrics of the experiment results outperform the state-of-the-art method, which indicates the effectiveness of the proposed method.

Boyu Sun,Wenyuan Yang,Mengqi Yan,Dehao Wu,Yuesheng Zhu,Zhiqiang Bai

DOI: https://doi.org/10.1109/ipccc50635.2020.9391542

2020-01-01

Abstract:The increase in the source and size of encrypted network traffic brings significant challenges for network traffic analysis. The challenging problem in the encrypted traffic classification field is obtaining high classification accuracy with small number of labeled samples. To solve this problem, we propose a novel encryption traffic classification method that learns the feature representation from the traffic structure and the traffic flow data in this paper. We construct a K-Nearest Neighbor (KNN) traffic graph to represent the structure of traffic data, which contains more similarity information about the traffic. We utilize a two-layer Graph Convolutional Network (GCN) architecture for flows feature extraction and encrypted traffic classification. We further use the autoencoder to learn the representation of the flow data itself and integrate it into the GCN-learned representation to form a more complete feature representation. The proposed method leverages the benefits of the GCN and the autoencoder, which can obtain higher classification performance with only very few labeled data. The experimental results on two public datasets demonstrate that our method achieves impressive results compared to the state-of-the-art competitors.

Ziming Zhao,Zhaoxuan Li,Zhuoxue Song,Fan Zhang

DOI: https://doi.org/10.1109/rtss59052.2023.00045

2023-01-01

Abstract:Existing Deep Learning (DL)-based network Intrusion Detection System (IDS) is able to characterize sequence semantics of traffic and discover malicious behaviors. Yet DL models are often nonlinear and highly non-convex functions that are difficult for in-network real-time deployment, i.e., existing DL solutions are essentially offline analysis. In this paper, we present RIDS, a hardware-friendly Recurrent Neural Network (RNN) model that is co-designed with programmable switches. As its core, RIDS is powered by two tightly-coupled components: (i) rLearner, the RNN learning module with in-network deployability as the first-class requirement; and (ii) rEnforcer, the concrete pipeline design to realize rLearner-generated models inside the network dataplane. We implement a prototype of RIDS and evaluate it on our physical testbed. The experiments show that RIDS could satisfy both detection performance and high-speed bandwidth adaptation simultaneously, when none of the other existing approaches could do so. Inspiringly, RIDS realizes remarkable intrusion/malware detection effect (e.g., ∽99% F1 score) and model deployment (e.g., 100 Gbps per port), while only imposing nanoseconds of latency.

Ziming Zhao,Zhaoxuan Li,Zhuoxue Song,Fan Zhang,Binbin Chen

DOI: https://doi.org/10.1109/infocom52122.2024.10621290

2024-01-01

Abstract:Existing Deep Learning (DL)-based network Intrusion Detection System (IDS) is able to characterize sequence semantics of traffic and discover malicious behaviors. Yet DL models are often nonlinear and highly non-convex functions that are difficult for in-network deployment. In this paper, we present RIDS, a hardware-friendly Recurrent Neural Network (RNN) model that is co-designed with programmable switches. As its core, RIDS is powered by two tightly-coupled components: (i) rLearner, the RNN learning module with in-network deployability as the first-class requirement; and (ii) rEnforcer, the concrete pipeline design to realize rLearner-generated models inside the network dataplane. We implement a prototype of RIDS and evaluate it on our physical testbed. The experiments show that RIDS could satisfy both detection performance and high-speed bandwidth adaptation simultaneously, when none of the other existing approaches could do so. Inspiringly, RIDS realizes remarkable intrusion/malware detection effect (e.g., similar to 99% F1 score) and model deployment (e.g., 100 Gbps per port), while only imposing nanoseconds of latency.

Haipeng Yao,Chong Liu,Peiying Zhang,Sheng Wu,Chunxiao Jiang,Shui Yu

DOI: https://doi.org/10.1109/tbdata.2019.2940675

2022-02-01

IEEE Transactions on Big Data

Abstract:Network traffic classification has become an important part of network management, which is beneficial for achieving intelligent network operation and maintenance, enhancing the network quality of service (QoS), and for network security. Given the rapid development of various applications and protocols, more and more encrypted traffic has emerged in networks. Traditional traffic classification methods exhibited the unsatisfied performance since the encrypted traffic is no longer in plain text. In this work, we modeled the time-series network traffic by the recurrent neural network (RNN). Moreover, the attention mechanism was introduced for assisting network traffic classification in the form of the following two models, the attention aided long short term memory (LSTM) as well as the hierarchical attention network (HAN). Finally, relying on the ISCX VPN-NonVPN dataset, extensive experiments were conducted, showing that the proposed methods achieved 91.2 percent in accuracy while the highest accuracy of other methods was 89.8 percent relying on the same dataset.

computer science, information systems, theory & methods

Benjamin J. Radford,Leonardo M. Apolonio,Antonio J. Trias,Jim A. Simpson

DOI: https://doi.org/10.48550/arXiv.1803.10769

2018-03-28

Abstract:We show that a recurrent neural network is able to learn a model to represent sequences of communications between computers on a network and can be used to identify outlier network traffic. Defending computer networks is a challenging problem and is typically addressed by manually identifying known malicious actor behavior and then specifying rules to recognize such behavior in network communications. However, these rule-based approaches often generalize poorly and identify only those patterns that are already known to researchers. An alternative approach that does not rely on known malicious behavior patterns can potentially also detect previously unseen patterns. We tokenize and compress netflow into sequences of "words" that form "sentences" representative of a conversation between computers. These sentences are then used to generate a model that learns the semantic and syntactic grammar of the newly generated language. We use Long-Short-Term Memory (LSTM) cell Recurrent Neural Networks (RNN) to capture the complex relationships and nuances of this language. The language model is then used predict the communications between two IPs and the prediction error is used as a measurement of how typical or atyptical the observed communication are. By learning a model that is specific to each network, yet generalized to typical computer-to-computer traffic within and outside the network, a language model is able to identify sequences of network activity that are outliers with respect to the model. We demonstrate positive unsupervised attack identification performance (AUC 0.84) on the ISCX IDS dataset which contains seven days of network activity with normal traffic and four distinct attack patterns.

Computers and Society,Human-Computer Interaction,Machine Learning

Xi Xiao,Shuo Wang,Guangwu Hu,Qing Li,Kelong Mao,Xiapu Luo,Bin Zhang,Shutao Xia

DOI: https://doi.org/10.1109/tdsc.2024.3478838

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Network traffic classification plays a crucial role in network management and cyberspace security. As the Internet evolves with new applications and protocols, traditional machine learning-based methods relying on feature mining have become obsolete. Instead, deep learning-based methods are becoming more popular in the field of traffic classification due to their end-to-end processing approach. However, the vulnerability of neural networks to adversarial examples significantly compromises their performance. In this paper, we propose Robust Byte-Label Joint Attention Network (RBLJAN), an efficient and robust deep learning-based framework for encrypted network traffic classification at both the packet-level and the flow-level. RBLJAN comprises a classifier and an adversarial traffic generator. The classifier utilizes mechanisms such as header-payload parallel processing and byte-label joint attention learning to capture implicit correlations between bytes and labels, enabling the construction of powerful packet representations. The generator produces adversarial examples that are fed to the classifier to enhance its robustness. Experimental results demonstrate that RBLJAN achieves over 99% average F1-score on real-world legitimate traffic datasets and achieves 97.86% average F1-score on malware identification. Moreover, RBLJAN exhibits superior performance in terms of detection speed and robustness compared to state-of-the-art methods in real-world scenarios.

VishnuPriya. A,Hiran Kumar Singh,SivaChaitanyaPrasad. M,JaiSivaSai. G

DOI: https://doi.org/10.1080/23335777.2021.1924284

2021-05-24

Abstract:<span>Tor is an anonymous browser software running on an overlay network. Due to the nature of the end-to-end encryption channel, it is hard to analyse the network traffic. Thus, intruders prefer the Tor browser to hide their identity and access the offensive content. Tor relays are secure from network monitoring, tracking and surveillance. There are so many research contributions for tracking the network traffic and classifying it based on various features and attributes. In this paper, we explained RNN-LSTM-based deep learning model to classify the network traffic based on their nature Tor/non-Tor. We have tested the model with open data sets ISCXTor2016 data sets and samples retrieved in our environment using CIC-flowmeter-4.0. The binary classification model using RNN-LSTM classifies the network traffic with better accuracy and precision. The same experiment conducted in the traditional deep neural network model provides large false positives and false negatives. Here we also present a detailed study and analysis of the model compare with ANN classifiers and genetic-based feature selection method.</span>

Wenbin Zhu,Xiuli Ma,Yanliang Jin,Rui Wang

DOI: https://doi.org/10.1016/j.comnet.2023.109602

IF: 5.493

2023-04-01

Computer Networks

Abstract:With the constant updating of applications and the emergence of various encryption technologies, it is important to achieve continuous learning of encrypted traffic. Traditional encrypted traffic classification techniques can only handle a fixed number of traffic classes and require all traffic data to be available at the same time, which consume a huge amount of memory to save the traffic data. In this paper, we propose an incremental learning method for encrypted traffic classification, called ILETC, to achieve continuous learning of encrypted traffic. ILETC can learn new encrypted traffic classes while avoiding forgetting knowledge of old encrypted traffic, with limited memory resources. It uses WGAN-GP to model the data distribution of encrypted traffic and design an exemplar set to select and store representative real traffic data. When learning from a new class of encrypted traffic, ILETC replays the knowledge of the old classes with the generated samples and exemplars to mitigate catastrophic forgetting. The ISCX VPN-nonVPN dataset and self-collected dataset are used to test the performance of ILETC. The results show that ILETC is superior to the state-of-the-art methods with an accuracy of over 98% on the ISCX dataset and over 94% in the two datasets together.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Xi Xiao,Wentao Xiao,Rui Li,Xiapu Luo,Haitao Zheng,Shutao Xia

DOI: https://doi.org/10.1109/tdsc.2021.3101311

2022-01-01

Abstract:Network traffic classification is important to intrusion detection and network management. Most of existing methods are based on machine learning techniques and rely on the features extracted manually from flows or packets. However, with the rapid growth of network applications, it is difficult for these approaches to handle new complex applications. In this article, we design a novel neural network, the Extended Byte Segment Neural Network (EBSNN), to classify netwrk traffic. EBSNN first divides a packet into header segments and payload segments, which are then fed into encoders composed of the recurrent neural networks with the attention mechanism. Based on the outputs, another encoder learns the high-level representation of the whole packet. In particular, side-channel features are learned from header segments to improve the performance. Finally, the label of the packet is obtained by the softmax function. Furthermore, EBSNN can classify network flows by examining the first few packets. Thorough experiments on the real-world datasets show that EBSNN achieves better performance than the state-of-the-art methods in both the application identification task and the website identification task.

Kevin Fauvel,Fuxing Chen,Dario Rossi

2023-06-06

Abstract:Traffic classification, i.e. the identification of the type of applications flowing in a network, is a strategic task for numerous activities (e.g., intrusion detection, routing). This task faces some critical challenges that current deep learning approaches do not address. The design of current approaches do not take into consideration the fact that networking hardware (e.g., routers) often runs with limited computational resources. Further, they do not meet the need for faithful explainability highlighted by regulatory bodies. Finally, these traffic classifiers are evaluated on small datasets which fail to reflect the diversity of applications in real-world settings. Therefore, this paper introduces a new Lightweight, Efficient and eXplainable-by-design convolutional neural network (LEXNet) for Internet traffic classification, which relies on a new residual block (for lightweight and efficiency purposes) and prototype layer (for explainability). Based on a commercial-grade dataset, our evaluation shows that LEXNet succeeds to maintain the same accuracy as the best performing state-of-the-art neural network, while providing the additional features previously mentioned. Moreover, we illustrate the explainability feature of our approach, which stems from the communication of detected application prototypes to the end-user, and we highlight the faithfulness of LEXNet explanations through a comparison with post hoc methods.

Machine Learning