High-speed encrypted traffic classification by using payload features

IF 7.5 | Zone 2, Computer Science | Q1 TELECOMMUNICATIONS
Xinge Yan, Liukun He, Yifan Xu, Jiuxin Cao, Liangmin Wang, Guyang Xie
Digital Communications and Networks, volume 11, issue 2, pages 412-423. Published 2025-04-01. DOI: 10.1016/j.dcan.2024.02.003. Source: https://www.sciencedirect.com/science/article/pii/S2352864824000208

Abstract

Traffic encryption techniques make it easier for cyberattackers to hide their presence and activities. Traffic classification is an important method to prevent network threats. However, due to the tremendous traffic volume and limitations of computing, most existing traffic classification techniques are inapplicable to the high-speed network environment. In this paper, we propose a High-speed Encrypted Traffic Classification (HETC) method containing two stages. First, to efficiently detect whether traffic is encrypted, HETC focuses on randomly sampled short flows and extracts aggregation entropies with chi-square test features to measure the different patterns of the byte composition and distribution between encrypted and unencrypted flows. Second, HETC introduces binary features upon the previous features and performs fine-grained traffic classification by combining these payload features with a Random Forest model. The experimental results show that HETC can achieve a 94% F-measure in detecting encrypted flows and an 85%–93% F-measure in classifying fine-grained flows for a 1-KB flow-length dataset, outperforming the state-of-the-art comparison methods. Meanwhile, HETC does not need to wait for the end of the flow and can extract mass computing features. The average time for HETC to process each flow is only 2 or 16 ms, which is lower than the flow duration in most cases, making it a good candidate for high-speed traffic classification.
Source journal
Digital Communications and Networks (Computer Science: Hardware and Architecture)
CiteScore: 12.80
Self-citation rate: 5.10%
Articles published: 915
Review time: 30 weeks
Journal description: Digital Communications and Networks is a prestigious journal that focuses on communication systems and networks. We publish only top-notch original articles and authoritative reviews, which undergo rigorous peer review. We are proud to announce that all our articles are fully Open Access and can be accessed on ScienceDirect. Our journal is recognized and indexed by eminent databases such as the Science Citation Index Expanded (SCIE) and Scopus. In addition to regular articles, we may also consider exceptional conference papers that have been significantly expanded. Furthermore, we periodically release special issues that focus on specific aspects of the field. In conclusion, Digital Communications and Networks is a leading journal that guarantees exceptional quality and accessibility for researchers and scholars in the field of communication systems and networks.