
Deep Learning For Encrypted Traffic Classification

Posted on: 2022-10-15 | Degree: Master | Type: Thesis
Country: China | Candidate: M N Wang
GTID: 2518306338966859 | Subject: Cyberspace security
Abstract/Summary:
With the rapid development of the Internet, the types of network traffic have risen rapidly. It is therefore imperative to monitor and classify network traffic to improve network services, strengthen network management, and ensure network security. In recent years, as users have begun to pay attention to their privacy, more and more applications have started to use encryption for transmission, which has brought considerable challenges to traditional network traffic detection. Consequently, many encrypted traffic classification models based on deep learning have been proposed in recent years. These models are based either on the traffic's statistical characteristics or on the raw traffic session. However, statistical features take much time to design for different tasks. If the raw traffic session is used directly as the model's input, the traffic must first be uniformized to a fixed size. This causes the loss of information about the overall structure of the network traffic; for example, we do not know the time from the first packet to the last packet in a session.

There are two other problems in the field of encrypted traffic classification. Firstly, the amount of traffic from different applications often differs greatly in reality, which brings the problem of network traffic imbalance. Secondly, the models are becoming more and more complex, so people can hardly understand why the models make their decisions. As a result, cybersecurity staff can hardly get the explanations behind those decisions.

We give the following three methods to solve the problems mentioned above:

(1) This paper proposes CENTIME, which extracts comprehensive information based on ResNet and AutoEncoder to identify encrypted traffic. ResNet is used to extract information from uniformized traffic, and AutoEncoder is used to encode statistical features. The statistical features compensate for the information loss caused by traffic uniformization. They only need to be designed once rather than separately for different tasks. Moreover, the pooling layers are removed, and 1D convolution layers are used to help CENTIME make more effective use of raw traffic information. We evaluate CENTIME on the public dataset "ISCX VPN-nonVPN", and the results demonstrate that CENTIME outperforms the state-of-the-art encrypted traffic classification methods.

(2) This paper converts the encrypted traffic classification problem into a sequential decision-making problem and uses reinforcement learning to solve it. At the same time, the problem of data imbalance is addressed by setting different rewards for different samples. Specifically, we give high rewards to samples from the minority class and low rewards to samples from the majority class. The final experimental accuracy can exceed that obtained with traditional sampling methods.

(3) This paper proposes a framework based on the SHAP method. This framework can give both local and global explanations to improve the interpretability of any model, such as an encrypted traffic classification model. In the experiment, we found that the explanations from our framework match well with the characteristics of the applications, which significantly improves the interpretability of the model.
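The information loss from uniformization that the abstract describes, and the session-level statistics that compensate for it, shown as an added example (not code from the thesis). The fixed length of 16 bytes, the feature names and the two sample sessions are assumptions chosen for illustration.

```python
from statistics import mean

FIXED_LEN = 16  # assumed uniform input size in bytes; the abstract gives no value


def uniformize(packets, size=FIXED_LEN):
    """Concatenate payloads, then truncate or zero-pad to exactly `size` bytes."""
    raw = b"".join(payload for _, payload in packets)
    return raw[:size].ljust(size, b"\x00")


def session_stats(packets):
    """Session-level features (assumed set), computed the same way for any task."""
    times = [t for t, _ in packets]
    sizes = [len(p) for _, p in packets]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "duration": times[-1] - times[0],  # first packet to last packet
        "packet_count": len(packets),
        "total_bytes": sum(sizes),
        "mean_size": mean(sizes),
        "mean_gap": mean(gaps) if gaps else 0.0,
    }


def model_input(packets):
    """Both views side by side: fixed-size bytes plus the statistical features."""
    return uniformize(packets), session_stats(packets)


# Constructed sessions as (timestamp in seconds, payload) pairs, not real captures.
# Both start with the same bytes; only the tail and the timing differ.
HEAD = bytes(range(16))
SHORT_BURST = [(0.00, HEAD), (0.05, b"\xaa" * 40)]
LONG_STREAM = [(0.00, HEAD), (2.00, b"\xbb" * 900), (9.50, b"\xcc" * 900)]

if __name__ == "__main__":
    for name, session in (("short burst", SHORT_BURST), ("long stream", LONG_STREAM)):
        fixed, stats = model_input(session)
        print(name, fixed.hex(), stats)
```

The two sessions produce identical uniformized bytes, so a model fed only that view cannot tell them apart; the duration and byte totals in the statistical view still separate them.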
Keywords/Search Tags:Encrypted Traffic, ResNet, Reinforcement Learning, Model Explainable, Deep Learning