CENTIME: A Direct Comprehensive Traffic Features Extraction for Encrypted Traffic Classification

Abstract

With the rapid development of the network, encrypted traffic classification plays a vital role in guaranteeing the quality of network services and ensuring the security of the network. Recent studies show that machine learning approaches based on statistical features and raw traffic sessions are effective for this task. However, the performance of the statistical-based approaches largely depends on the quality of the features. Experts need to design different features for different encrypted traffic classification tasks, which is time-consuming. Meanwhile, the raw traffic-based approach needs to uniformize the traffic size; this will cause the loss of information about the overall structure of the network traffic; for example, we do not know the time from the first packet to the last packet in a session. This paper proposes the CENTIME, which can extract comprehensive information based on ResNet and AutoEncoder to identify encrypted traffic. ResNet is used to extract information from uniformized traffic, and AutoEncoder is used to encode statistical features. The statistical features are used to compensate for the information loss caused by traffic uniformization. They only need to be designed once rather than be designed separately for different tasks. Moreover, the pooling layers are removed, and 1D convolution layers are used to help CENTIME make more effective use of raw traffic information. We evaluate the CENTIME on the public dataset “ISCX VPN-nonVPN”, and the results demonstrate the CENTIME outperforms the state-of-the-art encrypted traffic classification methods. More importantly, comprehensive traffic features generated in the CENTIME can represent different classes of traffic well.