Real-Time Encrypted Traffic Classification with Deep Learning
Year 2022,
Volume: 26 Issue: 2, 313 - 332, 30.04.2022
Deniz Tuana Ergönül, Onur Demir
Abstract
Confidentiality requirements of individuals and companies have led to the dominance of encrypted payloads in overall Internet traffic. Hence, traffic classification on a network has become increasingly difficult, as it must rely only on the packet headers. Many vital tasks, such as differential pricing, providing a safe Internet for children, and eliminating malicious connections, require traffic classification even if the payload contents are encrypted. Encrypted traffic is harder to classify because packet content becomes unreadable. In this work, we aim to provide insight into traffic classification using encrypted packets in terms of both accuracy and packet processing time. The LSTM (Long Short-Term Memory) architecture is a good candidate for this problem as it can handle sequences. Each flow can be modeled as a sequence, and patterns in the sequences can provide valuable information. We compare the performance of LSTM with other methods in both real-time and offline experiments. Compared to a machine learning method, LSTM excelled both online and offline, with precision and recall differences of up to 50%. Average accuracy with LSTM was measured as 97.77% offline and 91.7% in real time. Average packet processing time in real time was recorded as 0.593 msec, which is 5 times faster than a recent work that uses an LSTM method.
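The idea of modeling each flow as a sequence built from packet headers only, sketched as an added example (not code from the paper). The per-packet features (length, direction, inter-arrival time), the fixed length `SEQ_LEN` and the sample records are assumptions chosen for illustration.

```python
from collections import defaultdict

SEQ_LEN = 8  # assumed fixed number of packets per flow fed to a sequence model

# Constructed header-only records (no payload bytes):
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, ip_length)
PACKETS = [
    (0.000, "10.0.0.5", 51000, "203.0.113.7", 443, "TCP", 60),
    (0.020, "203.0.113.7", 443, "10.0.0.5", 51000, "TCP", 60),
    (0.021, "10.0.0.5", 51000, "203.0.113.7", 443, "TCP", 569),
    (0.030, "10.0.0.5", 40000, "198.51.100.9", 53, "UDP", 74),
    (0.045, "203.0.113.7", 443, "10.0.0.5", 51000, "TCP", 1500),
    (0.052, "198.51.100.9", 53, "10.0.0.5", 40000, "UDP", 90),
]

PAD = (0, 0, 0.0)  # padding step for flows shorter than SEQ_LEN


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent 5-tuple: both directions map to one flow."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)


def build_sequences(packets, seq_len=SEQ_LEN):
    """Group packets into flows and emit one fixed-length sequence per flow.

    Each step is (ip_length, direction, inter_arrival_seconds), where
    direction is +1 for the endpoint that sent the flow's first packet
    and -1 for its peer.
    """
    flows = defaultdict(list)
    state = {}  # flow key -> (initiator endpoint, timestamp of last packet)
    for ts, sip, sport, dip, dport, proto, length in sorted(packets):
        key = flow_key(sip, sport, dip, dport, proto)
        initiator, last_ts = state.get(key, ((sip, sport), ts))
        direction = 1 if (sip, sport) == initiator else -1
        flows[key].append((length, direction, round(ts - last_ts, 6)))
        state[key] = (initiator, ts)
    # Truncate long flows and zero-pad short ones to a uniform length.
    return {k: (v + [PAD] * (seq_len - len(v)))[:seq_len]
            for k, v in flows.items()}


if __name__ == "__main__":
    for key, seq in build_sequences(PACKETS).items():
        print(key, seq)
```
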