[RNN+encrypted traffic C] An encrypted traffic classification model based on the raw traffic and spatiotemporal….

Article directory

  • Introduction to the paper
    • Summary
    • Problems
    • Paper contribution
      • 1. Method
      • 2. Experiment and result analysis

Introduction to the paper

Original title: An encrypted traffic classification model based on the raw traffic and spatiotemporal characteristics
Chinese title: Encrypted traffic classification model based on original traffic and spatiotemporal characteristics
Conference: EITCE 2022: 2022 6th International Conference on Electronic Information Technology and Computer Engineering
Publication year: 2022-10-21
Authors: Guanglong Zhao, Zhen Wang, Ziheng Yang
BibTeX citation:

@inproceedings{zhao2022encrypted,
  title={An encrypted traffic classification model based on the raw traffic and spatiotemporal characteristics},
  author={Zhao, Guanglong and Wang, Zhen and Yang, Ziheng},
  booktitle={Proceedings of the 2022 6th International Conference on Electronic Information Technology and Computer Engineering},
  pages={1208--1213},
  year={2022}
}

Abstract

Deep learning techniques are widely used for encrypted traffic classification and produce good results. In current encrypted traffic classification pipelines, however, the extraction of network flow features is insufficient, which is a problem worth attention. This paper proposes an encrypted traffic classification model based on the raw network traffic and its spatiotemporal characteristics. Raw network traffic is split into sessions, each packet in a session is cut into a 784-byte slice, and the slice data is used to represent the traffic. ResNet and GRU models are then run in parallel over the raw traffic data to produce a spatial feature vector and a temporal feature vector, which are fused and used to classify the traffic.

Experimental results show that the recognition accuracy of this model on the ISCX-NonVPN-VPN2016 dataset reaches 99.36%, an improvement over the other methods compared against.

Existing problems

In the encrypted traffic classification task, manually extracted features cannot make full use of the information in the raw network traffic, and the data preprocessing process is complicated.

Paper contribution

  1. This paper proposes a spatiotemporal classification model for encrypted traffic that works directly on raw network traffic.

The paper’s approach to solving the above problems:

The paper uses raw network traffic as the input to the encrypted traffic classification model. To address the insufficient extraction of traffic information, the spatial and temporal characteristics of the raw traffic are extracted by ResNet and GRU networks respectively. The two feature vectors are then fused, and the fused features are passed through a softmax classifier.

Task:

Multi-class classification of encrypted traffic, with a recurrent network (the GRU branch) supplying the temporal features.

1. Method


The model framework is shown in Figure 1 of the paper. The model has three parts:

  • Data preprocessing module
  • Spatiotemporal feature extraction module
  • Identification and classification module

  1. Data preprocessing module

    The model works on raw network traffic, so no manual feature extraction is required. The raw traffic is sliced according to fixed rules and deep learning algorithms then extract features from the slices automatically. The preprocessing flow is shown in the paper's figure.

    Before the traffic is fed into the classification model for feature extraction it has to be preprocessed. This consists of three steps: raw traffic splitting, traffic cleaning and traffic slicing.

    • Raw traffic splitting

      The raw network traffic is divided into sessions by 5-tuple (source IP, destination IP, source port, destination port, transport protocol). The continuous raw traffic is thereby discretised into session units, and each session is written to a new pcap file.

    • Traffic cleaning

      The previous step yields discrete session files. The traffic is then cleaned: duplicate packets are removed, and the MAC addresses and IP addresses are overwritten with 0x00. During dataset construction the MAC and IP address of every host in the capture environment is fixed, so this information would bias the classifier towards recognising hosts by address rather than by traffic content, which is overfitting to the capture environment. Training on address-masked data makes the classification model more general.

    • Traffic Slicing

      Traffic slicing takes the protocol-layer bytes of each packet and keeps only the first N bytes. If a packet is shorter than N bytes it is right-padded with 0x00; if it is longer, everything after the Nth byte is truncated. Following the experiments in [12], this paper sets N to 784 bytes (784 = 28 x 28, so a slice can be treated as a 28 x 28 single-channel image by the convolutional branch). Note that the useful data are the packet bytes stored after the pcap file's header information, so the pcap global header and the per-packet record headers must be removed before slicing; otherwise the first bytes of every slice would be file metadata rather than traffic.
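To make the three preprocessing steps concrete, here is an added example in Python (not code from the paper or its authors) that runs the whole pipeline over a handful of constructed Ethernet/IPv4 frames packed into an in-memory pcap: pcap headers are stripped, packets are grouped into sessions, duplicates dropped, MAC and IP addresses zeroed, and each packet padded or truncated to 784 bytes. Assumptions not stated on the page: sessions are keyed on the bidirectional 5-tuple (both directions of a connection land in one session), slicing starts at the Ethernet header, and only IPv4 TCP/UDP is handled; all sample frames and addresses are constructed.

```python
"""Session splitting by 5-tuple, MAC/IP zeroing and N-byte slicing of raw frames."""
import socket
import struct

N = 784                 # slice length in bytes (paper, following [12]); 784 = 28 x 28
PCAP_GLOBAL_HDR = 24    # pcap file header, stripped before slicing
PCAP_REC_HDR = 16       # per-packet record header (ts_sec, ts_usec, incl_len, orig_len)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, proto=6):
    """Constructed Ethernet II / IPv4 / TCP-or-UDP frame (checksums left 0) used as sample input."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    if proto == 6:   # TCP: seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:            # UDP: length covers header + payload
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def build_pcap(frames):
    """Constructed little-endian pcap (linktype 1 = Ethernet) wrapping the frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + body


def strip_pcap(data):
    """Drop the global header and each record header; yield the raw frames in file order."""
    endian = "<" if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    off = PCAP_GLOBAL_HDR
    while off + PCAP_REC_HDR <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + PCAP_REC_HDR])
        off += PCAP_REC_HDR
        yield data[off:off + incl_len]
        off += incl_len


def five_tuple(frame):
    """Canonical (direction-independent) 5-tuple of an IPv4 TCP/UDP frame, or None if not one."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    a, b = (frame[26:30], sport), (frame[30:34], dport)
    return (proto,) + (a + b if a <= b else b + a)   # assumption: both directions = one session


def split_sessions(frames):
    """Group frames by 5-tuple, skipping exact duplicate packets (the cleaning step)."""
    sessions, seen = {}, set()
    for f in frames:
        key = five_tuple(f)
        if key is None or f in seen:
            continue
        seen.add(f)
        sessions.setdefault(key, []).append(f)
    return sessions


def anonymise(frame):
    """Overwrite destination/source MAC (bytes 0-11) and IPv4 src/dst (bytes 26-33) with 0x00."""
    f = bytearray(frame)
    f[0:12] = bytes(12)
    f[26:34] = bytes(8)
    return bytes(f)


def slice_bytes(frame, n=N):
    """Keep the first n bytes; right-pad shorter packets with 0x00."""
    return frame[:n].ljust(n, b"\x00")


def preprocess_pcap(data):
    """pcap bytes -> {5-tuple: [cleaned N-byte slice per packet, ...]}."""
    return {k: [slice_bytes(anonymise(f)) for f in v]
            for k, v in split_sessions(strip_pcap(data)).items()}


# Constructed sample: a TLS-looking TCP exchange (one long, one short packet, one duplicate)
# plus an unrelated UDP packet, so the output should hold two sessions.
SAMPLE_FRAMES = [
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.2", "93.184.216.34",
                51000, 443, b"\x16\x03\x01" + bytes(900)),            # 957 bytes -> truncated
    build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", "93.184.216.34", "10.0.0.2",
                443, 51000, b"\x16\x03\x03\x00\x10"),                 # 59 bytes -> padded
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.2", "93.184.216.34",
                51000, 443, b"\x16\x03\x01" + bytes(900)),            # exact duplicate, dropped
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:03", "10.0.0.2", "8.8.8.8",
                40000, 53, b"\x12\x34\x01\x00" + bytes(12), proto=17),  # second session
]

if __name__ == "__main__":
    for key, slices in preprocess_pcap(build_pcap(SAMPLE_FRAMES)).items():
        print(key[0], len(slices), "packets, first slice starts", slices[0][:40].hex())
```

Two things worth keeping in mind when reproducing this step. Address masking happens before slicing, so the zeroed bytes count towards the 784 and the model sees them as constant input. And zeroing MACs and IPs removes only the most obvious capture-environment identifiers; ports, TTL, IP ID and TCP window or options are still present in the slice and can also be dataset-specific, so accuracy on a single capture should be read with that in mind.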

  2. Spatiotemporal feature extraction module

    To make full use of the raw traffic information, ResNet and GRU networks are used for feature extraction.

    The ResNet network uses a residual structure, which allows the network to be deepened to a certain depth while mitigating the degradation and vanishing-gradient problems of plain deep networks, so the spatial characteristics of the raw traffic can be extracted more fully. The ResNet used here follows the resnet18 structure: four reslayers, each consisting of two ResBlocks. Its output is a 256-dimensional spatial feature vector.

    GRU is a simplification of LSTM with only two gates, an update gate and a reset gate. It has fewer parameters than an LSTM, which speeds up training. Because a GRU carries state across time steps, it handles sequential data well and can extract the temporal characteristics implicit in network traffic. The GRU used here has a single GRU layer with a hidden size of 64, and its output is a 64-dimensional temporal feature vector. The two networks are combined into a ResNet-GRU parallel fusion model that extracts the spatial and temporal characteristics of the raw traffic side by side.

  3. Identification and classification module

    The ResNet-GRU network extracts traffic feature information in parallel: the ResNet branch extracts the spatial characteristics of the traffic and the GRU branch extracts its temporal characteristics.

    The features extracted by ResNet and GRU are concatenated and fed into a fully connected layer, so the fused vector contains both the spatial and the temporal feature vector. The output of the fully connected layer is then passed to the classifier for identification. All parameters of the model are updated by backpropagation: the gradient flows from the fully connected layer back into the ResNet and GRU branches respectively, so both branches are trained jointly with the classifier. The structure and parameters of the model are given in Table 1 of the paper.
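The parallel fusion model, as an added PyTorch example that is not the authors' code: a resnet18-style spatial branch (four reslayers of two ResBlocks, projected to 256 dimensions), a one-layer GRU with hidden size 64 as the temporal branch, concatenation into a fully connected layer, and one Adam/cross-entropy update step that backpropagates through both branches at once. Assumptions the page does not state: each 784-byte slice is reshaped to a 28 x 28 single-channel image for the ResNet branch and read one byte per time step by the GRU branch, the stem and the final 512 -> 256 projection are my choices, and the 12-class output and the random byte slices in demo() are constructed stand-ins for the ISCX data.

```python
"""ResNet-GRU parallel fusion classifier over 784-byte packet slices (assumed input layout)."""
import torch
import torch.nn as nn
import torch.nn.functional as F

SLICE_LEN = 784      # bytes per packet slice (paper's N); 784 = 28 x 28
NUM_CLASSES = 12     # assumption: a 12-class ISCX VPN-nonVPN split
SPATIAL_DIM = 256    # ResNet branch output size (paper)
TEMPORAL_DIM = 64    # GRU hidden size and temporal feature size (paper)


class ResBlock(nn.Module):
    """Two 3x3 convs with an identity (or 1x1 projection) shortcut, i.e. a resnet18 BasicBlock."""
    def __init__(self, cin, cout, stride):
        super().__init__()
        self.c1 = nn.Conv2d(cin, cout, 3, stride, 1, bias=False)
        self.b1 = nn.BatchNorm2d(cout)
        self.c2 = nn.Conv2d(cout, cout, 3, 1, 1, bias=False)
        self.b2 = nn.BatchNorm2d(cout)
        self.short = nn.Identity()
        if stride != 1 or cin != cout:
            self.short = nn.Sequential(nn.Conv2d(cin, cout, 1, stride, bias=False),
                                       nn.BatchNorm2d(cout))

    def forward(self, x):
        out = F.relu(self.b1(self.c1(x)))
        out = self.b2(self.c2(out))
        return F.relu(out + self.short(x))   # residual connection


class SpatialBranch(nn.Module):
    """Stem + four reslayers x two ResBlocks over the 28x28 byte image -> 256-d spatial vector."""
    def __init__(self):
        super().__init__()
        self.stem = nn.Sequential(nn.Conv2d(1, 64, 3, 1, 1, bias=False),
                                  nn.BatchNorm2d(64), nn.ReLU())
        widths = [(64, 64, 1), (64, 128, 2), (128, 256, 2), (256, 512, 2)]
        self.layers = nn.Sequential(*[nn.Sequential(ResBlock(a, b, s), ResBlock(b, b, 1))
                                      for a, b, s in widths])
        self.proj = nn.Linear(512, SPATIAL_DIM)   # assumption: project 512 -> 256

    def forward(self, x):                      # x: (B, 784) bytes scaled to [0, 1]
        x = x.view(-1, 1, 28, 28)              # assumption: slice viewed as a 28x28 image
        x = self.layers(self.stem(x))
        return self.proj(F.adaptive_avg_pool2d(x, 1).flatten(1))


class TemporalBranch(nn.Module):
    """One GRU layer, hidden size 64, one byte per time step; final hidden state -> 64-d vector."""
    def __init__(self):
        super().__init__()
        self.gru = nn.GRU(input_size=1, hidden_size=TEMPORAL_DIM, num_layers=1, batch_first=True)

    def forward(self, x):                      # x: (B, 784)
        _, h = self.gru(x.unsqueeze(-1))       # h: (1, B, 64)
        return h[-1]


class ResNetGRU(nn.Module):
    """Parallel branches, concatenated (256 + 64) into a fully connected classifier."""
    def __init__(self, num_classes=NUM_CLASSES):
        super().__init__()
        self.spatial = SpatialBranch()
        self.temporal = TemporalBranch()
        self.fc = nn.Linear(SPATIAL_DIM + TEMPORAL_DIM, num_classes)

    def forward(self, x):
        fused = torch.cat([self.spatial(x), self.temporal(x)], dim=1)
        return self.fc(fused)                  # logits; softmax is applied by the loss / at inference


def train_step(model, opt, x, y):
    """One backprop update: cross-entropy gradient flows from fc into both branches."""
    model.train()
    opt.zero_grad()
    loss = F.cross_entropy(model(x), y)
    loss.backward()
    opt.step()
    return loss.item()


def demo(batch=4, steps=3):
    """Constructed random byte slices (not ISCX data); returns (prob shape, losses, row sums)."""
    torch.manual_seed(0)
    model = ResNetGRU()
    opt = torch.optim.Adam(model.parameters(), lr=0.001)   # paper: Adam, lr = 0.001
    x = torch.randint(0, 256, (batch, SLICE_LEN)).float() / 255.0
    y = torch.randint(0, NUM_CLASSES, (batch,))
    losses = [train_step(model, opt, x, y) for _ in range(steps)]
    model.eval()
    with torch.no_grad():
        probs = F.softmax(model(x), dim=1)
    return tuple(probs.shape), losses, probs.sum(1).tolist()


if __name__ == "__main__":
    print(demo())
```

The fc layer outputs raw logits and the softmax lives inside F.cross_entropy during training; applying softmax before the loss would double-normalise and slow convergence. Because ResNetGRU is a single module, one optimizer over model.parameters() is all that is needed for "all parameters updated through backpropagation": there is no separate training of the two branches.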

2. Experiment and result analysis

  • Experimental environment

    The experiments use Python 3.7 with the PyTorch framework, version 1.12.1+cu113. Training settings:

    • batch_size = 128
    • epoch = 150
    • lr = 0.001
    • Loss function: cross-entropy loss
    • Optimizer: Adam
  • Dataset

  • Evaluation Metrics

  • Experimental result analysis