On the right choice of data from popular datasets for Internet traffic classification

IF 4.5 3区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computer Communications Pub Date : 2025-01-22 DOI:10.1016/j.comcom.2025.108068

Jacek Krupski, Marcin Iwanowski, Waldemar Graniszewski

{"title":"On the right choice of data from popular datasets for Internet traffic classification","authors":"Jacek Krupski, Marcin Iwanowski, Waldemar Graniszewski","doi":"10.1016/j.comcom.2025.108068","DOIUrl":null,"url":null,"abstract":"<div><div>Machine learning (ML) models used to analyze Internet traffic, similar to models in all other fields of ML, need to be fed by training datasets. Many such sets consist of labeled samples of the collected traffic data from harmful and benign traffic classes captured from the actual traffic. Since the traffic recording tools capture all the transmitted data, they contain much information related to the registration process that is irrelevant to the actual traffic class. Moreover, they are not fully anonymized. Thus, there is a need to preprocess the data before proper modeling, which should always be addressed in related studies, but often, this is not done. In our paper, we focus on the dependence of the efficiency of threat detection ML models by selecting the appropriate data samples from the training sets during preprocessing. We are analyzing three popular datasets: USTC-TFC2016, VPN-nonVPN, and TOR-nonTOR, which are widely used in traffic classification, security, and privacy-enhancing technologies research. We show that some choices of data sample pieces, although maximizing the model’s efficiency, would not result in similar outcomes in the case of traffic data other than the learning set. The reason is that, in these cases, models are biased due to learning incidental correlations that appear in the datasets used for training the model, introduced by auxiliary data related to the network traffic capturing and transmission process. They are present in popular datasets but may never appear in traffic data. Consequently, the models trained on such datasets, without any preprocessing and anonymization, would never reach the accuracy levels of the training data. Our paper introduces five consecutive levels of anonymization of the traffic data and points out that only the highest provide correct learning results. We validate the results by applying decision trees, random forests, and extra tree models. Having found the optimal part of the header data that may safely be used, we focus on the length of the remaining part of the traffic data to find its minimal length, which preserves good detection accuracy.</div></div>","PeriodicalId":55224,"journal":{"name":"Computer Communications","volume":"233 ","pages":"Article 108068"},"PeriodicalIF":4.5000,"publicationDate":"2025-01-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Communications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0140366425000258","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Machine learning (ML) models used to analyze Internet traffic, similar to models in all other fields of ML, need to be fed by training datasets. Many such sets consist of labeled samples of the collected traffic data from harmful and benign traffic classes captured from the actual traffic. Since the traffic recording tools capture all the transmitted data, they contain much information related to the registration process that is irrelevant to the actual traffic class. Moreover, they are not fully anonymized. Thus, there is a need to preprocess the data before proper modeling, which should always be addressed in related studies, but often, this is not done. In our paper, we focus on the dependence of the efficiency of threat detection ML models by selecting the appropriate data samples from the training sets during preprocessing. We are analyzing three popular datasets: USTC-TFC2016, VPN-nonVPN, and TOR-nonTOR, which are widely used in traffic classification, security, and privacy-enhancing technologies research. We show that some choices of data sample pieces, although maximizing the model’s efficiency, would not result in similar outcomes in the case of traffic data other than the learning set. The reason is that, in these cases, models are biased due to learning incidental correlations that appear in the datasets used for training the model, introduced by auxiliary data related to the network traffic capturing and transmission process. They are present in popular datasets but may never appear in traffic data. Consequently, the models trained on such datasets, without any preprocessing and anonymization, would never reach the accuracy levels of the training data. Our paper introduces five consecutive levels of anonymization of the traffic data and points out that only the highest provide correct learning results. We validate the results by applying decision trees, random forests, and extra tree models. Having found the optimal part of the header data that may safely be used, we focus on the length of the remaining part of the traffic data to find its minimal length, which preserves good detection accuracy.

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Communications 工程技术-电信学

CiteScore

14.10

自引率

5.00%

发文量

397

审稿时长

66 days

期刊介绍： Computer and Communications networks are key infrastructures of the information society with high socio-economic value as they contribute to the correct operations of many critical services (from healthcare to finance and transportation). Internet is the core of today''s computer-communication infrastructures. This has transformed the Internet, from a robust network for data transfer between computers, to a global, content-rich, communication and information system where contents are increasingly generated by the users, and distributed according to human social relations. Next-generation network technologies, architectures and protocols are therefore required to overcome the limitations of the legacy Internet and add new capabilities and services. The future Internet should be ubiquitous, secure, resilient, and closer to human communication paradigms. Computer Communications is a peer-reviewed international journal that publishes high-quality scientific articles (both theory and practice) and survey papers covering all aspects of future computer communication networks (on all layers, except the physical layer), with a special attention to the evolution of the Internet architecture, protocols, services, and applications.