A data skew-based unknown traffic classification approach for TLS applications

Abstract

With the continuous development of network technology, the volume of encrypted traffic from unknown applications rises sharply, posing a significant challenge to conventional traffic classification methods. While these methods achieve a certain level of success in recognizing specific application traffic, they fail to classify unknown traffic, especially encrypted traffic. Existing traffic classification methods are usually constrained by the assumption that classes encountered in testing are also present in training, which is not consistent with the open environment of the real world. In this paper, we propose a novel data skew-based classification method for Transport Layer Security (TLS) application unknown traffic (DSCU) to achieve consistent classification of TLS applications. First, DSCU constructs skew data, and then the one-class classifiers generated based on the skew data limit the input space scope of the known class and reserve space for the unknown class. This enables DSCU to separate known flows (i.e., flows from applications contained in the training set) from unknown flows (i.e., flows without any application information regarding them during training). After separation, the fine-grained classification of known flows can improve the accuracy of known flow classification. Three groups of experiments conducted on a real-world dataset covering 25 applications show that DSCU reliably achieves outstanding performance on TLS flow classification.