Research On Finer-grained Classification For Encrypted Traffic

In order to meet user privacy protection and network security,network traffic needs to be encrypted.It is difficult to identify and process encrypted traffic by the traditional identification technology for non-encrypted traffic.Therefore,effective encrypted traffic identification is an important guarantee for network security and management.For the problems of current encrypted traffic identification,such as low accuracy and poor robustness,how to extract feature information reflecting the inherent regularity of encrypted traffic from high-speed network traffic and realize fine-grained identification of encrypted traffic is the aim of this paper.The research work of this paper is centered on the above issues.The specific work includes the following aspects:(1)The problems of feature selection metrics single and class imbalance exist in feature selection of encrypted traffic identification,leading the model complexity increased and the generalization ability decreased.Therefore,a feature selection method based on selective ensemble strategy for encrypted traffic is proposed,according to the selective ensemble strategy to ensemble part of feature selectors with multiple metrics,and then the combination method of improved sequence forward search and wrapper is used to searche optimal feature subset for the second round.Experimental results show that the proposed algorithm can reduce the complexity of feature subset effectively while ensuring the classification effectiveness,so as to achieve the optimal balance of the classification effectiveness,efficiency and stability.(2)The changes of network flow characteristics and distributions occur over time and network environment changes in encrypted network traffic,resulting in a decline in the applicability and accuracy of the classification model based on machine learning.Therefore,an adaptive classification method for encrypted traffic based on weighted ensemble learning is proposed.Firstly,the change of network traffic is detected based on the information entropy change of the characteristics of the encrypted network flow.Then incremental ensemble learning strategy is used to introduce a new classifier trained on current traffic at the point of network traffic change,and remove the classifier with degraded performance to achieve the purpose of updating the classifier,finally weighted ensemble the classification results.The experimental results show that the method can detect network traffic changes in time and update the classifier effectively,which shows better classification performance and generalization ability.(3)For the limited feature information of SSL/TLS encrypted flow,identification methods based on flow feature show low accuracy and cannot achieve effective fine-grained identification for SSL/TLS encrypted applications.Therefore,a method based on Markov chain and ensemble learning for the SSL/TLS application identification is proposed.In view of the unique characteristics of the SSL/TLS handshake process,the two-dimensional features of the message type information and the message size of the SSL/TLS handshake are used as fingerprint features for the second-order Markov model establishment.At the same time,the HMM emission probability is improved and the HMM model is established based on the size of adjacent message types.Finally,a weighted ensemble strategy is used to obtain a weighted classifier.The experimental results show that the classification accuracy reaches more than 90%,an increase of 11% compared with the-state-of-the-art methods,and it has better classification efficiency and generalization ability.(4)For adaptive bitrate technology,video resolution will be automatically switched according to network conditions,and the segmentation mechanisms of different transmission modes are varied.However,it is difficult to obtain useful traffic features of SSL/TLS encrypted video segment by the existing methods,and thus it is impossible to achieve effective bitrate and resolution identification.Therefore,an SSL/TLS encrypted video content parameter identification method based on video block characteristics is proposed.First,SSL/TLS-encrypted YouTube traffic is identified based on unencrypted content during the SSL/TLS handshake.Then,four characteristics of several packets in front of the video traffic are proposed to identify the HLS,DASH,and HPD transmission modes,and then the bitrate and resolution of the video chunk are identified according to the machine learning model built on the characteristics of the video chunk.The experimental results show that the average accuracy of the transmission mode,bitrate,and resolution can reach 98%,99% and 98%,respectively,which can be effectively used in the QoE evaluation of SSL/TLS encrypted YouTube videos.