Traffic Classification Method Research Articles

Adversarial Attacks on Pre-trained Deep Learning Models for Encrypted Traffic Analysis

For web security, it’s essential to accurately classify traffic across various web applications to detect malicious activities lurking within network traffic. However, the encryption protocols for privacy protection, such as TLS 1.3 and IPSec, make it difficult to apply traditional traffic classification methods like deep packet inspection (DPI). Recently, the advent of deep learning has significantly advanced the field of encrypted traffic analysis (ETA), outperforming traditional traffic analysis approaches. Notably, pre-trained deep learning based ETA models have demonstrated superior analytical capabilities. However, the security aspects of these deep learning models are often overlooked during the design and development process. In this paper, we conducted adversarial attacks to evaluate the security of pre-trained ETA models. We targeted ET-BERT, a state-of-the-art model demonstrating superior performance, to generate adversarial traffic examples. To carry out the adversarial example generation, we drew inspiration from adversarial attacks on discrete data, such as natural language, defining fluency from a network traffic perspective and proposing a new attack algorithm that can preserve this fluency. Finally, in our experiments, we showed our target model is vulnerable to the proposed adversarial attacks.

BCBA: An IIoT encrypted traffic classifier based on a serial network model

With the rapid development of the Industrial Internet of Things (IIoT), ensuring the security and privacy of network traffic has become particularly important. Classifying and identifying encrypted traffic is a critical step in enhancing network security, but traditional traffic classification methods often struggle to handle the complexities of the IIoT environment. In this paper, we propose the BCBA model, a bidirectional encoder representation from transformers (BERT)-based serial network model, which significantly improves the encrypted traffic classification performance and can be trained more than four times faster than the original BERT classifier. The BCBA method obtains word vector representations from the embedding layer of the pretrained BERT model, uses convolutional neural networks (CNNs) to extract local features, employs bidirectional long short-term memory (BiLSTM) networks to capture temporal dependencies in traffic data, and leverages a multihead self-attention mechanism to improve global dependency understanding. In experiments on six types of regular encrypted traffic from the ISCXVPN2016 dataset, the BCBA model achieved an F1 score of 99.10%, outperforming traditional traffic classification techniques across multiple performance metrics. This study demonstrates the effectiveness of deep learning in enhancing the security of the IIoT. It also provides new perspectives and technical routes for future research, particularly in encrypted traffic processing and classification applications.

A lightweight model design approach for few-shot malicious traffic classification

Classifying malicious traffic, which can trace the lineage of attackers’ malicious families, is fundamental to safeguarding cybersecurity. However, the deep learning approaches currently employed require substantial volumes of data, conflicting with the challenges in acquiring and accurately labeling malicious traffic data. Additionally, edge network devices vulnerable to cyber-attacks often cannot meet the computational demands required to deploy deep learning models. The rapid mutation of malicious activities further underscores the need for models with strong generalization capabilities to adapt to evolving threats. This paper introduces an innovative few-shot malicious traffic classification method that is precise, lightweight, and exhibits enhanced generalization. By refining traditional transfer learning, the source model is segmented into public and private feature extractors for stepwise transfer, enhancing parameter alignment with specific target tasks. Neuron importance is then sorted based on the task of each feature extractor, enabling precise pruning to create an optimal lightweight model. An adversarial network guiding principle is adopted for retraining the public feature extractor parameters, thus strengthening the model’s generalization power. This method achieves an accuracy of over 97% on few-shot datasets with no more than 15 samples per class, has fewer than 50 K model parameters, and exhibits superior generalization compared to baseline methods.

Network Traffic Prediction Performance Using LSTM

As networks expand to support various applications involving text, audio, video, and images, data traffic increases correspondingly. Traffic classification, which identifies the origin of observed traffic, has multiple applications, including dynamic bandwidth allocation, traffic analysis, quality of service, and network security. Traditional network traffic classification methods like deep packet inspection rely on manually creating and maintaining communication profiles for various applications. However, these methods face challenges such as dynamic port changes and encrypted traffic. Machine Learning (ML) classifiers offer effective solutions to these issues, providing accurate network traffic classification. Due to these advancements, deep learning models are now utilized for network traffic classification and prediction. Long Short-Term Memory (LSTM) has emerged as a highly effective deep learning technique for addressing time series prediction challenges. This study aims to analyze the performance of forecasting network traffic using LSTM, with different activation functions and optimizers with Mean Absolute Error (MAE), Mean Absolute Percentage Error (MAPE), Mean Squared Error (MSE), Root Mean Squared Error (RMSE) and Coefficient of Determination (R-Squared) parameters as the model evaluation index. This demonstrates how these parameters impact network traffic forecasting performance.

Traffic Classification in Software-Defined Networking Using Genetic Programming Tools

The classification of Software-Defined Networking (SDN) traffic is an essential tool for network management, network monitoring, traffic engineering, dynamic resource allocation planning, and applying Quality of Service (QoS) policies. The programmability nature of SDN, the holistic view of the network through SDN controllers, and the capability for dynamic adjustable and reconfigurable controllersare fertile ground for the development of new techniques for traffic classification. Although there are enough research works that have studied traffic classification methods in SDN environments, they have several shortcomings and gaps that need to be further investigated. In this study, we investigated traffic classification methods in SDN using publicly available SDN traffic trace datasets. We apply a series of classifiers, such as MLP (BFGS), FC2 (RBF), FC2 (MLP), Decision Tree, SVM, and GENCLASS, and evaluate their performance in terms of accuracy, detection rate, and precision. Of the methods used, GenClass appears to be more accurate in separating the categories of the problem than the rest, and this is reflected in both precision and recall. The key element of the GenClass method is that it can generate classification rules programmatically and detect the hidden associations that exist between the problem features and the desired classes. However, Genetic Programming-based techniques require significantly higher execution time compared to other machine learning techniques. This is most evident in the feature construction method where at each generation of the genetic algorithm, a set of learning models is required to be trained to evaluate the generated artificial features.

FedETC: Encrypted traffic classification based on federated learning

The current popular traffic classification methods based on feature engineering and machine learning are difficult to obtain suitable traffic feature sets for multiple traffic classification tasks. Besides, data privacy policies prohibit network operators from collecting and sharing traffic data that might compromise user privacy. To address these challenges, we propose FedETC, a federated learning framework that allows multiple participants to learn global traffic classifiers, while keeping locally encrypted traffic invisible to other participants. In addition, FedETC adopts one-dimensional convolutional neural network as the base model, which avoids manual traffic feature design. In the experiments, we evaluate the FedETC framework for the tasks of both application identification and traffic characterization in a publicly available real-world dataset. The results show that FedETC can achieve promising accuracy rates that are close to centralized learning schemes.

Online network traffic classification based on external attention and convolution by IP packet header

Network traffic classification is an important part of network monitoring and network management. Three traditional methods for network traffic classification are flow-based, session-based, and packet-based, while flow-based and session-based methods cannot meet the real-time requirements and existing packet-based methods will violate user’s privacy. To solve the above problems, we propose a network traffic classification method only by the IP packet header, which satisfies the requirements of both the user’s privacy protection and online classification performances. Through statistical analyses, we find that IP packet header information is effective on the network traffic classification tasks and this conclusion is also demonstrated by experiments. Furthermore, we propose a novel external attention and convolution mixed (ECM) model for online network traffic classification. This model adopts both low-computational complexity external attention and convolution to respectively extract the byte-level and packet-level characteristics for traffic classification. Therefore, it can achieve high classification accuracy and low time consumption. The experiments show that ECM can reach over 96% classification accuracy on four datasets and the classification time is 0.36 ms per packet which can meet the real-time requirements. The code is available at https://github.com/CNZZQ1030/ECM-for-Network-Traffic-Classification.

A novel and effective encrypted traffic classification method based on channel attention and deformable convolution

With the rapid development of the Internet and 5G communication technologies, encrypted traffic classification, recognized as a fundamental task in network management, has gained increasing attention from researchers. An accurate traffic classification is crucial for improving network service quality, optimizing network operations, and ensuring information security. However, most of the existing neural network-based methods lack attention to key information and have insufficient traffic feature extraction capability. Motivated by the above limitations, we proposed a novel and effective end-to-end model based on channel attention and deformable convolution, called CAD-Net. Specifically, a novel channel attention mechanism and a powerful deformable convolution technique are introduced in the residual network, which provides the model with the capability of focusing on the most relevant features and capturing the implicit features among the traffic bytes. Furthermore, our class-aware weighted cross-entropy loss function significantly improves the performance of CAD-Net under class-imbalanced conditions. We comprehensively evaluated the effectiveness of CAD-Net on two public datasets, and the experimental results demonstrate that our model achieved the best performance compared with existing methods on both encrypted traffic service and application classification tasks.

Multi-Task Scenario Encrypted Traffic Classification and Parameter Analysis.

The widespread use of encrypted traffic poses challenges to network management and network security. Traditional machine learning-based methods for encrypted traffic classification no longer meet the demands of management and security. The application of deep learning technology in encrypted traffic classification significantly improves the accuracy of models. This study focuses primarily on encrypted traffic classification in the fields of network analysis and network security. To address the shortcomings of existing deep learning-based encrypted traffic classification methods in terms of computational memory consumption and interpretability, we introduce a Parameter-Efficient Fine-Tuning method for efficiently tuning the parameters of an encrypted traffic classification model. Experimentation is conducted on various classification scenarios, including Tor traffic service classification and malicious traffic classification, using multiple public datasets. Fair comparisons are made with state-of-the-art deep learning model architectures. The results indicate that the proposed method significantly reduces the scale of fine-tuning parameters and computational resource usage while achieving performance comparable to that of the existing best models. Furthermore, we interpret the learning mechanism of encrypted traffic representation in the pre-training model by analyzing the parameters and structure of the model. This comparison validates the hypothesis that the model exhibits hierarchical structure, clear organization, and distinct features.

A DQN-based traffic classification method for mobile application recommendation with continual learning

With the popularity and development of smartphones, many mobile applications of various types have emerged. How to recommend mobile applications that match the user’s preferences and usage habits among the massive applications is a problem that needs to be solved. Traditional mobile application recommendation methods cannot dynamically track user behavior and preference changes in time and cannot timely correct the recommendation model, resulting in poor recommendation effects. The continual update of mobile applications will also invalidate the recommendation model based on traffic classification. To solve these problems, this paper proposes A Deep Q-Network (DQN) based traffic classification method for mobile application recommendation with continual learning, which embeds a DQN-based traffic classification model in the mobile terminal and sets up a reward and punishment mechanism to achieve self-supervised learning. By continuously adjusting and optimizing the model, the effectiveness of the traffic classification model is ensured, and the recommendation model is provided with accurate and reliable user behavior data support. Experiments on the ISCX and private datasets show that the proposed method performs better and can effectively guarantee the accuracy of the classification model.

DE-GNN: Dual embedding with graph neural network for fine-grained encrypted traffic classification

Nowadays, most network traffic is encrypted, which protects user privacy but complicates the task of analyzing and classifying encrypted traffic. Identifying the specific categories of encrypted traffic, such as application type or even the specific application, is of great significance for advanced network services and network security management. Many existing methods for encrypted traffic classification rely on machine learning and deep learning techniques, but they exhibit certain shortcomings. A considerable number of these methods rely on statistical features, which may lose their relevance as networks evolve and lead to the loss of important information. Additionally, Convolutional Neural Networks (CNNs) and Recurrent Neural Networks (RNNs) face limitations in extracting features from encrypted traffic, specifically, their inability to learn traffic interaction information within a network flow.To address these challenges, we propose a model called Dual Embedding with Graph Neural Networks (DE-GNN) for fine-grained encrypted traffic classification. Based on the byte-packet-flow structure of network traffic, we present a dual embedding layer that encodes the packet header and payload separately using raw bytes, which allows subsequent processes to run separately and in parallel. Then, we develop the PacketCNN to extract packet-level features from both the header and payload. Afterwards, we construct a network flow as a Traffic Interaction Graphs (TIG) and utilize Graph Neural Networks (GNNs) to extract flow-level features. Finally, an adaptive deep feature fusion process is applied to combine flow-level features from the header and payload, creating a robust representation for classification. Extensive experiments are conducted on two well-known datasets, ISCX-VPN2016 and ISCX-Tor2016, to verify our approach. The experimental results demonstrate that DE-GNN effectively identifies the type of encrypted traffic, outperforming baselines significantly.

Method for multi-task learning fusion network traffic classification to address small sample labels

In the context of the proliferated evolution of network service types and the expeditious augmentation of network resource deployment, the requisition for copious labeled datasets to facilitate superior performance in traffic classification methods, particularly those hinging on deep learning, is imperative. Nonetheless, the procurement and annotation of such extensive datasets necessitate considerable temporal and human resource investments. In response to this predicament, this work introduces a methodology, termed MTEFU, leveraging a deep learning model-based multi-task learning algorithm, strategically designed to mitigate the reliance on substantial labeled training samples. Multiple classification tasks, encompassing duration, bandwidth size, and business traffic category, are incorporated, with a shared parameter strategy implemented amongst tasks to assure the transference of information across disparate tasks. Employing CNN, SAE, GRU, and LSTM as multi-task learning classification models, training validation and experimental testing were conducted on the QUIC dataset. A comparative analysis with single-task and ensemble learning methods reveals that, in the context of predicting network traffic types, the accuracy derived from the multi-task learning strategy, even with a mere 150 labeled samples, can emulate the 94.67% accuracy achieved through single-task learning with a fully labeled dataset of 6139 samples.

ATVITSC: A Novel Encrypted Traffic Classification Method Based on Deep Learning

ATVITSC: A Novel Encrypted Traffic Classification Method Based on Deep Learning

Combo Packet: An Encryption Traffic Classification Method Based on Contextual Information

Combo Packet: An Encryption Traffic Classification Method Based on Contextual Information

Research on Network Traffic Classification Method Based on Dual-branch Spatial-Temporal Attention

Research on Network Traffic Classification Method Based on Dual-branch Spatial-Temporal Attention

Anomalous traffic identification method for post messages based on gambling website templates

Malicious websites pose significant social risks, necessitating automatic, efficient, and accurate identification methods. This paper proposes a POST traffic classification method based on website templates to identify abnormal traffic from gambling websites. Using Fiddler, POST message data is collected from several gambling sites, extracting features like URLs, cookie parameters, and request body parameters to create a Gambling Website Single POST Message Dataset (GSPD). These features are converted into vector representations withWord2Vec and TF-IDF techniques. Hierarchical clustering identifies template-generated types, achieving unsupervised template recognition. Using clustering results, individual POST messages are labeled and features are extracted using TF-IDF and mutual information methods. The parameters of a Support Vector Machine (SVM) are then optimized with the Particle Swarm Optimization (PSO) algorithm for optimal classification. Experimental results show the model?s excellent performance, with a test set accuracy of 0.9985 and high precision, recall, and F1-scores, effectively identifying gambling and other illegal websites.

HTTPSmell: A Deep Learning Approach on Malicious HTTP Traffic Detection via Data Augmentation and Label Refactoring

Anomaly detection is essential to ensuring system security and reliability. As one of the basic techniques in the cyberattack, the existing malicious traffic classification method has been facing diverse challenges such as insufficient samples, poor denoising ability, and weak generalization of the classification model. In this paper, we propose a novel method for detecting malicious HTTP traffic based on a framework (HTTPSmell; it refers to the sniffing of some network attacks launched by exploiting the HTTP protocol.)), and XSS dataset obtained from GitHub that automatically applies a deep learning model with high generalization ability even under a small training dataset. With HTTPSmell, we are able to achieve positive results from a semisupervised model that leverages the unsupervised data augmentation (UDA) and the keywords library avoidance (KLA)‐based data augmentation method that holds higher learning generalization, higher scenario coverage rate, and better detection efficiency in the smaller training samples. Finally, we demonstrate through comprehensive experiments in the realistic enterprise environment that HTTPSmell can achieve an accuracy of 96.77% for identifying complex and advanced cyberattacks, while only maintaining a constant 60 MB of memory and sustaining up to 27 k/s throughput.

Analyzing Traffic Identification Methods for Resource Management in SDN

The article is devoted to the analysis of traffic classification methods in SDN network. The review of analytical approaches of traffic identification to identify the solutions used in them, as well as assessing their applicability in the SDN network. Types of machine learning are considered and input parameters are analyzed. The methods of intelligent analysis covered in the scientific articles are systematized according to the following criteria: traffic identification parameters, neural network model, identification accuracy. Based on the analysis of the review results, the conclusion is made about the possibility of applying the considered solutions, as well as the need to form a scheme of SDN network with a module of artificial intelligence elements for load balancing.

A Network Traffic Classification Method Based on Dual-Mode Feature Extraction and Hybrid Neural Networks

Network traffic classification is a key foundation of traffic management and network security. With the development of traffic encryption technologies and more attention given to user privacy, traditional rule-based and payload-based traffic classification methods have become less effective. To address this problem, recent studies have introduced deep learning-based methods. However, most of these studies do not consider both the flow-level and packet-level characteristics, which we believe are significant in network traffic classification. To further improve the accuracy of traffic classification, this paper proposed DM-HNN, a hybrid neural network based on dual-mode features. First, we treat the packet length sequence as the flow-level feature and the initial byte of the packet as the packet-level feature. Then, we diverge into two paths to analyze the dual-mode features using neural networks. Finally, we combine the two-path features and output the final classification results. We have performed the experiments on public datasets, the results comparing to single-mode and dual-mode traffic classifiers indicate that DM-HNN can achieve excellent performance and has certain effectiveness.

A Lightweight Malware Traffic Classification Method Based on a Broad Learning Architecture

A Lightweight Malware Traffic Classification Method Based on a Broad Learning Architecture