Akbar Telikani,Amir H. Gandomi,Kim-Kwang Raymond Choo,Jun Shen

DOI: https://doi.org/10.1109/tnsm.2021.3112283

2022-03-01

IEEE Transactions on Network and Service Management

Abstract:Network traffic classification (NTC) plays an important role in cyber security and network performance, for example in intrusion detection and facilitating a higher quality of service. However, due to the unbalanced nature of traffic datasets, NTC can be extremely challenging and poor management can degrade classification performance. While existing NTC methods seek to re-balance data distribution through resampling strategies, such approaches are known to suffer from information loss, overfitting, and increased model complexity. To address these challenges, we propose a new cost-sensitive deep learning approach to increase the robustness of deep learning classifiers against the imbalanced class problem in NTC. First, the dataset is divided into different partitions, and a cost matrix is created for each partition by considering the data distribution. Then, the costs are applied to the cost function layer to penalize classification errors. In our approach, costs are diverse in each type of misclassification because the cost matrix is specifically generated for each partition. To determine its utility, we implement the proposed cost-sensitive learning method in two deep learning classifiers, namely: stacked autoencoder and convolution neural networks. Our experiments on the ISCX VPN-nonVPN dataset show that the proposed approach can obtain higher classification performance on low-frequency classes, in comparison to three other NTC methods.

Mohammad Lotfollahi,Ramin Shirali Hossein Zade,Mahdi Jafari Siavoshani,Mohammdsadegh Saberian

DOI: https://doi.org/10.48550/arXiv.1709.02656

2018-07-04

Abstract:Internet traffic classification has become more important with rapid growth of current Internet network and online applications. There have been numerous studies on this topic which have led to many different approaches. Most of these approaches use predefined features extracted by an expert in order to classify network traffic. In contrast, in this study, we propose a \emph{deep learning} based approach which integrates both feature extraction and classification phases into one system. Our proposed scheme, called "Deep Packet," can handle both \emph{traffic characterization} in which the network traffic is categorized into major classes (\eg, FTP and P2P) and application identification in which end-user applications (\eg, BitTorrent and Skype) identification is desired. Contrary to most of the current methods, Deep Packet can identify encrypted traffic and also distinguishes between VPN and non-VPN network traffic. After an initial pre-processing phase on data, packets are fed into Deep Packet framework that embeds stacked autoencoder and convolution neural network in order to classify network traffic. Deep packet with CNN as its classification model achieved recall of $0.98$ in application identification task and $0.94$ in traffic categorization task. To the best of our knowledge, Deep Packet outperforms all of the proposed classification methods on UNB ISCX VPN-nonVPN dataset.

Machine Learning,Cryptography and Security,Networking and Internet Architecture

Xiang Zhou,Xi Xiao,Qing Li,Bin Zhang,Guangwu Hu,Xiapu Luo,Tianwei Zhang

DOI: https://doi.org/10.1145/3634737.3637664

2024-01-01

Abstract:Network traffic classification plays a crucial role in both network management and monitoring. Recently, an increasing number of Decentralized Applications (DApps) are appearing on various blockchain platforms. DApps employ encryption techniques such as SSL/TLS to safeguard the data transmitted over the network, making it more challenging to do traffic classification. In this paper, to tackle the challenge of insufficient classification accuracy in the existing classification of encrypted DApp traffic, we present Capsule-Former, a novel encrypted traffic classification model for DApps. CapsuleFormer utilizes capsule neurons instead of traditional scalar neurons, where the neurons within the capsule embody various attributes of particular entities. Furthermore, Transformer blocks are adopted to generate a high-dimensional representation of the capsule activation vector. Thus, CapsuleFormer has the capability to extract potential features from the encrypted traffic patterns of DApps. Moreover, we collect and open a dataset of more than 700,000 encrypted traffic flows from 10 different types of DApps. The results of the experiments on the dataset demonstrate that CapsuleFormer is superior to the current methods, with an accuracy rate of 98.7%.

Ammar Almomani

DOI: https://doi.org/10.1016/j.eij.2022.06.006

IF: 4.195

2022-07-27

Egyptian Informatics Journal

Abstract:Virtual Private Networks (VPNs) are one example of encrypted communication services commonly used to bypass censorship and access geographically locked services. This study performed VPN and non-VPN traffic analysis and developed a classification system based on the new techniques of machine learning classifiers known as stacking ensemble learning. The methods used for VPN and Non-VPN classification use three machine learning techniques: random forest, neural network, and support vector machine. To assess the proposed method's performance, we tested it on a dataset containing 61 features. The experiment results accurately prove the study's classifiers to differentiate between VPN and Non-VPN traffic. The accuracy level was approximately 99% in the training and testing phase. The study's classifiers also show the best standard deviation, with a 100% accuracy rate compared to other A.I. classifier methods.

computer science, information systems, artificial intelligence

Fengrui Xiao,Feng Yang,Shuangwu Chen,Jian Yang

DOI: https://doi.org/10.1007/978-3-030-94029-4_1

2022-01-01

Abstract:Nowadays, network traffic detection plays a very important role in protecting cyberspace security, and more and more applications realize data privacy protection through encryption technology. Regular expression matching based methods, such as deep packet inspection that relies on plaintext traffic cannot be applied to detecting encrypted random communication content, and the existing detecting methods based on time-series features often ignore the encryption protocol features. In this work, we design an ensemble learning system based on stack algorithms to identify encrypted malicious traffic, which can detect the interactive behavior and the encryption protocols simultaneously. In detail, we construct a deep learning classifier based on Long Short-Term Memory (LSTM) for time-series features, and a machine learning classifier based on random forests for encryption protocol features. Then, we use the stacking algorithm in ensemble learning to combine them to form a new classifier. Finally, relying on the Datacon2020 dataset, extensive experiments are conducted. The experimental results indicate that the proposed method improves the detection rate of encrypted malicious traffic while keeping a low false positive rate.

Gazy Abbas,Umar Farooq,Parvinder Singh,Surinder Singh Khurana,Paramjeet Singh

DOI: https://doi.org/10.1007/s42979-023-01944-5

2023-07-29

SN Computer Science

Abstract:With the rapid advancement in technology, the constant emergence of new applications and services has resulted in a drastic increase in Internet traffic, making it increasingly challenging for network analysts to maintain network security and classify traffic, especially when encrypted or tunneled. To address this issue, the proposed strategy aims to distinguish between regular traffic and traffic tunneled through a virtual private network and characterize traffic from seven different applications. The proposed approach utilizes various ensemble machine learning techniques, which are efficient and accurate and consume minimal computational time for training and prediction compared to conventional machine and deep learning models. These models were applied for both the classification and characterization of network traffic, deriving efficient results. The extreme and light gradient boosting algorithms performed well in multiclass classification, while AdaBoost and Light GBM performed well in binary classification. However, when all the datasets were merged and categorized into two classes and various feature engineering methods were applied, the proposed system achieved an accuracy of more than 99%, with minimal error scores using light GBM with min–max scaling over stratified fivefold, thereby outperforming all existing approaches. This research highlights the efficiency and potential of the proposed model in detecting network traffic.

Pengcheng Luo,Jian Chu,Genke Yang

DOI: https://doi.org/10.1016/j.jisa.2023.103519

IF: 4.96

2023-01-01

Journal of Information Security and Applications

Abstract:As the importance of personal data privacy increases, traffic encryption has become an important topic in network communication. In the field of network security and management, the development of encrypted traffic classification technology has drawn attention to deep learning methods. For raw encrypted traffic, deep learning models can realize end-to-end classification with high accuracy. However, deep learning methods do not explain which part of the encrypted traffic is critical to classification, and that will limit their application in some cyber security scenarios that demand high interpretability. The approach proposed in this paper features a novel feature engineering method named "BITization"to determine the encoding method of features and a sliding window technique to explore which bytes contribute the most to the classification. The accuracy of classical machine learning methods in encrypted traffic is improved by at least 14.1% through the proposed feature engineering approach. In the experiments, the enhanced methods achieve a 98.6% average accuracy and a 98.5% average F1-score on the ISCX-VPN-Service, Cross-Platform-IOS, Cross-Platform-Android, and USTC-TFC2016 datasets, from which we believe a state-of-the-art performance is achieved.

Boyu Sun,Wenyuan Yang,Mengqi Yan,Dehao Wu,Yuesheng Zhu,Zhiqiang Bai

DOI: https://doi.org/10.1109/ipccc50635.2020.9391542

2020-01-01

Abstract:The increase in the source and size of encrypted network traffic brings significant challenges for network traffic analysis. The challenging problem in the encrypted traffic classification field is obtaining high classification accuracy with small number of labeled samples. To solve this problem, we propose a novel encryption traffic classification method that learns the feature representation from the traffic structure and the traffic flow data in this paper. We construct a K-Nearest Neighbor (KNN) traffic graph to represent the structure of traffic data, which contains more similarity information about the traffic. We utilize a two-layer Graph Convolutional Network (GCN) architecture for flows feature extraction and encrypted traffic classification. We further use the autoencoder to learn the representation of the flow data itself and integrate it into the GCN-learned representation to form a more complete feature representation. The proposed method leverages the benefits of the GCN and the autoencoder, which can obtain higher classification performance with only very few labeled data. The experimental results on two public datasets demonstrate that our method achieves impressive results compared to the state-of-the-art competitors.

Xinxin Tong,Xiaobin Tan,Lingan Chen,Jian Yang,Quan Zheng

DOI: https://doi.org/10.1109/hoticn50779.2020.9350824

2020-01-01

Abstract:With the rapid development of network technology and encryption technology, network security issues have received more and more attention, and network encryption traffic is increasing, which results in a huge challenge for network traffic classification. Combining machine learning algorithms with manual design has become a mainstream approach to solve this problem, However, it requires a large amount of human effort to extract and process features, which depend on professional experience heavily. In this paper, We discuss the essential reason why convolutional neural network(CNN) can deal with the problem of encrypted traffic classification and propose a novel classification framework the Bidirectional Flow Sequence Network(BFSN) based on long short-term memory (LSTM). Compared with the traditional traffic classification scheme, the BFSN is an end-to-end classification model that learns representative features from the raw traffic and classifies them. Moreover, We apply the length and direction information of the encrypted traffic to construct the bidirectional traffic sequence and then process it based on LSTM. Our Experiments gains the excellent accuracy about 91% based the ISCX VPN-NonVPN dataset.

Xinyi Hu,Chunxiang Gu,Yihang Chen,Fushan Wei

DOI: https://doi.org/10.3390/s21248231

2021-12-09

Abstract:With the rapid increase in encrypted traffic in the network environment and the increasing proportion of encrypted traffic, the study of encrypted traffic classification has become increasingly important as a part of traffic analysis. At present, in a closed environment, the classification of encrypted traffic has been fully studied, but these classification models are often only for labeled data and difficult to apply in real environments. To solve these problems, we propose a transferable model called CBD with generalization abilities for encrypted traffic classification in real environments. The overall structure of CBD can be generally described as a of one-dimension CNN and the encoder of Transformer. The model can be pre-trained with unlabeled data to understand the basic characteristics of encrypted traffic data, and be transferred to other datasets to complete the classification of encrypted traffic from the packet level and the flow level. The performance of the proposed model was evaluated on a public dataset. The results showed that the performance of the CBD model was better than the baseline methods, and the pre-training method can improve the classification ability of the model.

Peng Zhu,Gang Wang,Jingheng He,Yueli Dong,Yu Chang

DOI: https://doi.org/10.1016/j.array.2024.100338

2024-03-01

Array

Abstract:As data privacy issues become more and more sensitive, increasing numbers of websites usually encrypt traffic when transmitting it. This method can largely protect privacy, but it also brings a huge challenge. Aiming at the problem that encrypted traffic classification makes it difficult to obtain a global optimal solution, this paper proposes an encrypted traffic identification model called the ET-BERT and 1D-CNN fusion network (BCFNet), based on multi-scale feature fusion. This method combines feature learning with classification tasks, unified into an end-to-end model. The local features of encrypted traffic extracted based on the improved Inception one-dimensional convolutional neural network structure are fused with the global features extracted by the ET-BERT model. The one-dimensional convolutional neural network is more suitable for the encrypted traffic of a one-dimensional sequence than the commonly used two-dimensional convolutional neural network. The proposed model can learn the nonlinear relationship between the input data and the expected label and obtain the global optimal solution with a greater probability. This paper verifies the ISCX VPN-nonVPN dataset and compares the results of the BCFNet model with the other five baseline models on accuracy, precision, recall, and F1 indicators. The experimental results demonstrate that the BCFNet model has a greater overall effect than the other five models. Its accuracy can reach 98.88%.

Sujatha S

DOI: https://doi.org/10.22214/ijraset.2024.61288

2024-04-30

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: The widespread adoption of Virtual Private Networks (VPNs) for secure communication over public networks has highlighted the need for accurate detection of encrypted network traffic. This study proposes a comprehensive approach utilizing machine and ensemble learning algorithms to address this detection challenge. Leveraging the ISCX VPN dataset, the project aims to develop a robust system capable of distinguishing between VPN and non-VPN traffic with high accuracy. Key stages include data acquisition, preprocessing, feature extraction, and model training using Decision Tree, Naive Bayes, Random Forest, and Adaboost algorithms. Through rigorous experimentation, the most effective algorithmic approach is identified. The project also offers insights into the diverse nature of encrypted network communication and its implications for network security. The anticipated outcomes include improved understanding and management of VPN traffic, enhancing overall network security and performance. This research contributes to advancing network security practices by offering practical solutions for encrypted traffic detection in real-world settings.

Xiuli Ma,Wenbin Zhu,Jieling Wei,Yanliang Jin,Dongsheng Gu,Rui Wang

DOI: https://doi.org/10.1016/j.cose.2023.103175

IF: 5.105

2023-01-01

Computers & Security

Abstract:With the advent of big data, encrypted traffic is widely used, and it is gradually becoming a new challenge for network security and management. Many researchers have obtained good results by converting encrypted traffic into images and feeding them to deep learning-based classification models. However, these methods have some limitations in that they cannot do sustainable learning. They have to retrain a new classifier when new traffic is encountered. To tackle this issue, we propose an extended encrypted traffic classification algorithm based on incremental learning. This approach extracts content and statistical information from encrypted traffic and supports multi-label prediction for VPN channels and applications. We can add new classes to the model without completely retraining and accelerate the update cycle of the model. The results show that the proposed model performs well in classification experiments, which can achieve 98.1% and 96.0% classification accuracy on ISCXVPN2016 and self-collected dataset respectively. In addition, our method can retain high accuracy under the situation of limited memory space while the number of new classes of data increases gradually. It demonstrates the superiority of constructing a generic unforgetting basis for classifying encrypted communication.

Tangda Yu,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1109/cyberc.2019.00020

2019-01-01

Abstract:In recent years, with the widespread use of encrypted traffic communication technology, network traffic encryption has been gradually becoming a standard of communication. This phenomenon has a great impact on traditional traffic detection methods, especially on anomaly detection methods, which are highly dependent on the type of network protocol types and traffic data. By surveying the existing encrypted traffic classification and analyzing these methods, we found that there are two main methods for detection: payload-based detection and feature-based detection. On this basis, this paper puts forward an Encrypted Malicious Traffic Detection System which is based on multi-AEs(Autoencoder). We use malicious sandbox for traffic data collection, mark malicious flow and normal flow with labels. After that, we use multilayer networks of AEs for feature extraction and training classifier model. Our system analyzes the feature of cryptographic protocol from handshake phase to Authentication phase on the basis of existing research, and we extract the traffic feature for a better classification by further expanding flow feature vector to the higher dimensions. In addition, we compared the performance of our model with the traditional learning model under the same environment. The experimental results showed that our system had higher detection accuracy and lower loss rate. We also studied the influence of dataset imbalance on results in the detection of encrypted traffic by several experiments. According to the experimental evaluation, dataset imbalance will lead to the decrease of positive rate.

Shiming Tian,Feixiang Gong,Shuang Mo,Meng Li,Wenrui Wu,Ding Xiao

DOI: https://doi.org/10.19682/j.cnki.1005-8885.2020.0013

2020-01-01

The Journal of China Universities of Posts and Telecommunications

Abstract:Network traffic classification,which matches network traffic for a specific class of different granularities,plays a vital role in the domain of network administration and cyber security.With the rapid development of network communication techniques,more and more network applications adopt encryption techniques during communication,which brings significant challenges to traditional network traffic classification methods.On the one hand,traditional methods mainly depend on matching features on the application layer of the ISO/OSI reference model,which leads to the failure of classifying encrypted traffic.On the other hand,machine learning-based methods require human-made features from network traffic data by human experts,which renders it difficult for them to deal with complex network protocols.In this paper,the convolution attention network (CAT) is proposed to overcom those difficulties.As an end-to-end model,CAT takes raw data as input and returns classification results automatically,with engineering by human experts.In CAT,firstly,the importance of different bytes with an attention mechanism of network traffic is achieved.Then,convolution neural network (CNN) is used to learn features automatically and feed the output into a softmax function to get classification results.It enables CAT to learn enough information from network traffic data and ensure the classified accuracy.Extensive experiments on the public encrypted network traffic dataset ISCX2016 demonstrate the effectiveness of the proposed model.

Shiva Soleymanpour,Hossein Sadr,Mojdeh Nazari Soleimandarabi

DOI: https://doi.org/10.1007/s11063-021-10534-6

IF: 2.565

2021-06-17

Neural Processing Letters

Abstract:By the rapid development of the Internet and online applications, traffic classification not only has changed to an interesting topic in the field of computer networks but also plays a key role in cyber-security and network management. Although numerous studies have been conducted in recent years, encrypted traffic classification still remains a major challenge and unbalanced data is known as one of the most important problems in this field. Even though previous researches have focused on dealing with the class imbalance problem in the pre-processing step via machine learning and specifically deep learning methods, they are still confronted with some restrictions. To this end, a new traffic classification method is presented in this paper that aims to deal with the problem of unbalanced data along the training process. The proposed method utilized a Cost-Sensitive Convolution Neural Network (CSCNN) where a cost matrix was employed to assign a cost to each misclassification based on the distribution of each class. These costs were then utilized during the training process to increase the final classification accuracy. Various experiments were carried out to explore the performance of the proposed method for the tasks of traffic classification, traffic description, and application identification.‌ According to the obtained results, CSCNN achieved higher efficiency compared to both machine learning and deep learning based methods on the ISCX VPN-nonVPN dataset.

computer science, artificial intelligence

Cheng Wang,Wei Zhang,Hao Hao,Huiling Shi

DOI: https://doi.org/10.3390/electronics13071236

IF: 2.9

2024-03-28

Electronics

Abstract:The demand for encrypted communication is increasing with the continuous development of secure and trustworthy networks. In edge computing scenarios, the requirement for data processing security is becoming increasingly high. Therefore, the accurate identification of encrypted traffic has become a prerequisite to ensure edge intelligent device security. Currently, encrypted network traffic classification relies on single-feature extraction methods. These methods have simple feature extraction, making distinguishing encrypted network data flows and designing compelling manual features challenging. This leads to low accuracy in multi-classification tasks involving encrypted network traffic. This paper proposes a hybrid deep learning model for multi-classification tasks to address this issue based on the synergy of dilated convolution and gating unit mechanisms. The model comprises a Gated Dilated Convolution (GDC) module and a CA-LSTM module. The GDC module completes the spatial feature extraction of encrypted network traffic through dilated convolution and gating unit mechanisms. In contrast, the CA-LSTM module focuses on extracting temporal network traffic features. By employing a collaborative approach to extract spatio-temporal features, the model ensures feature extraction diversity, guarantees robustness, and effectively enhances the feature extraction rate. We evaluate our multi-classification model using the ISCX VPN-nonVPN public dataset. Experimental results show that the proposed method achieves an accuracy rate of over 95% and a recall rate of over 90%, significantly outperforming existing methods.

engineering, electrical & electronic,computer science, information systems,physics, applied

Mehdi Seydali,Farshad Khunjush,Javad Dogani

DOI: https://doi.org/10.1007/s10586-023-04234-0

2024-01-19

Cluster Computing

Abstract:Massive amounts of real-time streaming network data are generated quickly because of the exponential growth of applications. Analyzing patterns in generated flow traffic streaming offers benefits in reducing traffic congestion, enhancing network management, and improving the quality of service management. Processing massive volumes of generated traffic poses more challenges when data traffic encryption is raised. Classifying encrypted network traffic in real-time with deep learning networks has received attention because of their excellent performance. The substantial volume of incoming packets, characterized by high speed and wide variety, puts real-time traffic classification within the domain of big data problems. Classifying traffic with high speed and accuracy is a significant challenge in the era of big data. The real-time nature of traffic intensifies deep learning networks, necessitating a considerable number of parameters, layers, and resources for optimal network training. Until now, various datasets have been employed to evaluate the effectiveness of previous methods for classifying encrypted traffic. The primary objective has been to enhance accuracy, precision, and F1-measure. Presently, encrypted traffic classification performance depends on pre-existing datasets. The learning and testing phases are done offline, and more research is needed to investigate the feasibility of these methods in real-world scenarios. This paper examines the possibility of a tradeoff between evaluating the model's effectiveness, execution time, and utilization of processing resources when processing stream-based input data for traffic classification. We aim to explore the feasibility of establishing a tradeoff between these factors and determining optimal parameter settings. This paper used the ISCX VPN-Non VPN 2016 public dataset to evaluate the proposed method. All packets from the dataset were streamed continuously through Apache Kafka to the classification framework. Numerous experiments have been designed to demonstrate the efficacy of the proposed method. The experimental results show that the proposed method outperforms the baseline methods by 11% in the F1-measure when the number of workers is two and by 25% when the number of workers is equal to 32.

computer science, information systems, theory & methods

Saadat Izadi,Mahmood Ahmadi,Amir Rajabzadeh

DOI: https://doi.org/10.1007/s10922-021-09639-z

2022-01-20

Journal of Network and Systems Management

Abstract:The rapid growth of current computer networks and their applications has made network traffic classification more important. The latest approach in this field is the use of deep learning. But the problem of deep learning is that it needs a lot of data for training. On the other hand, the lack of a sufficient amount of data for different types of network traffic has a negative effect on the accuracy of the traffic classification. In this regard, one of the appropriate solutions to address this challenge is the use of data fusion methods in decision level. Data fusion techniques make possible to achieve better results by combining classifiers. In this paper, a network traffic classification approach based on deep learning and data fusion techniques is presented. The proposed method can identify encrypted traffic and distinguish between VPN and non-VPN network traffic. In the proposed approach, first, a preprocessing on the dataset is carried out, then three deep learning networks, namely, Deep Belief Network, Convolution Neural Network, and Multi-layer Perceptron to classify network traffic are employed. Finally, the results of all three classifiers using Bayesian decision fusion are combined. The experimental results on the ISCX VPN-nonVPN dataset show that the proposed method improves the classification accuracy and performs well on different network traffic types. The average accuracy of the proposed method is 97%.

computer science, information systems,telecommunications

Zitong Hu,Bo Qu,Xiang Li,Cong Li

DOI: https://doi.org/10.1007/978-981-97-5101-3_21

2024-01-01

Abstract:The exponential increase in encrypted traffic presents significant challenges to conventional traffic classification methodologies. The integration of deep learning and time series analysis has emerged as a contemporary approach, but the crucial higher interaction information among encrypted traffic packets is often neglected. Based on the fact that distinct categories of encrypted traffic manifest unique spatial structures and temporal patterns, we introduce a novel deep learning framework, termed Higher-Interaction-Graph encrypted classifier (HIGEC). This framework employs graph convolutional networks (GCN) and higher interaction information among packets for the precise classification of encrypted traffic flows. Initially, our approach incorporates a newly designed module that leverages metadata to transform each encrypted traffic flow into a graph structure, preserving the temporal information and spatial structure between packets. Subsequently, we introduce an advanced graph pooling and merge layer atop the GCN architecture that dynamically derives multi-order graph representations, augmenting our adaptability to diverse network environments. Meanwhile, we propose a new encrypted traffic dataset that addresses the inherent limitations of currently available public datasets to validate the effectiveness of our model. Comprehensive testing on our proposed dataset and two more public real-world datasets demonstrates that the HIGEC model significantly enhances accuracy, outperforming existing state-of-the-art methods.