Abstract

Encrypted Network Traffic Classification (ENTC) is a crucial task in network management. Existing ENTC schemes usually rest on two assumptions: first, that traffic is processed in a centralized mode, and second, that the number of network traffic categories is fixed. However, it is usually unreasonable to collect all network traffic at a single centralized node for processing, since doing so may cause network congestion. In addition, new traffic types keep emerging, and existing models cannot classify them. This paper studies the ENTC problem in distributed scenarios, where multiple monitoring nodes coexist and both existing types and new types of encrypted traffic are present at the same time. These nodes cooperate to train models, which alleviates the limited number and limited variety of samples faced by each single node. To solve the proposed ENTC problem, we first propose a feature extraction method for the distributed scenario. We then propose a detection method for new-type traffic and a classification method for existing-type traffic. Finally, we propose a globally consistent automatic category labeling method and a classification model updating method for new types of encrypted traffic. We also take Security Information and Event Management (SIEM) as an example to discuss the managerial implications.

Full Text
Published version (Free)