Abstract

Deep learning models have been shown to achieve high performance in encrypted traffic classification. However, when it comes to production use, multiple factors challenge the performance of these models. The emergence of new protocols, especially at the application layer, as well as updates to previous protocols, affects the patterns in input data, making the model’s previously learned patterns obsolete. Furthermore, proposed model architectures for encrypted traffic classification are usually tested on datasets collected in controlled settings, which makes the reported performance unreliable for production use. In this paper, we study how the performance of two high-performing state-of-the-art encrypted traffic classifiers changes on multiple real-world datasets collected over the course of two years from a major ISP’s network. We investigate the changes in traffic data patterns, highlighting the extent to which these changes, also known as data drift, impact the performance of the two models in service-level as well as application-level classification. We propose best practices for architecture adaptations to improve the accuracy of the model in the face of data drift. We show that our best practices are generalizable to other encryption protocols and different levels of labeling granularity.
