Explainable federated class incremental learning for Encrypted Network Traffic classification

IF 4.6 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Computer Networks Pub Date : 2025-06-19 DOI:10.1016/j.comnet.2025.111448

Raffaele Carillo, Francesco Cerasuolo, Giampaolo Bovenzi, Domenico Ciuonzo, Antonio Pescapè

{"title":"Explainable federated class incremental learning for Encrypted Network Traffic classification","authors":"Raffaele Carillo, Francesco Cerasuolo, Giampaolo Bovenzi, Domenico Ciuonzo, Antonio Pescapè","doi":"10.1016/j.comnet.2025.111448","DOIUrl":null,"url":null,"abstract":"<div><div>Network traffic has experienced substantial growth in recent years, requiring the implementation of more advanced techniques for effective management. In this context, Traffic Classification (TC) helps in successfully handling the network by identifying what is flowing through it. Nowadays, <em>data-driven</em> approaches—viz., Machine Learning (ML) and Deep Learning (DL)—are widely employed to address this task. However, these approaches struggle to keep pace with the ever-changing nature of traffic due to the introduction of new or updated services/apps and exhibit a decision-making process not interpretable. Furthermore, network traffic can vary significantly by geographic area, requiring a decentralized privacy-preserving approach to update classifiers collaboratively. In this work, we propose a Federated Class Incremental Learning (FCIL) framework that integrates Class Incremental Learning (CIL) and Federated Learning (FL) for network TC while incorporating a comprehensive eXplainable Artificial Intelligence (XAI) methodology, tackling the challenges of updating traffic classifiers, managing the geographic diversity of traffic along with data privacy, and interpreting the decision-making process, respectively. To assess our proposal, we leverage two publicly available encrypted network traffic datasets. Our findings uncover that, in small networks, fewer synchronizations facilitate retaining old knowledge, while larger networks reveal an approach-dependent pattern, yet still exhibiting good retention performance. Moreover, in both small and larger networks, <em>frequent updates enhance the assimilation of new information</em>. Notably, <span><math><msup><mrow><mstyle><mi>B</mi><mi>i</mi><mi>C</mi></mstyle></mrow><mrow><mo>+</mo></mrow></msup></math></span> is the most effective approach in small networks (i.e., 2 clients) while <span><math><mstyle><mi>i</mi><mi>C</mi><mi>a</mi><mi>R</mi><mi>L</mi><mtext>+</mtext></mstyle></math></span> performs best in larger networks (i.e., 10 clients), obtaining 82% and 79% F1 on <span><math><mstyle><mi>C</mi><mi>E</mi><mi>S</mi><mi>N</mi><mi>E</mi><mi>T</mi></mstyle></math></span>-<span><math><mstyle><mi>T</mi><mi>L</mi><mi>S</mi><mi>2</mi><mi>2</mi></mstyle></math></span>, respectively. Leveraging XAI techniques, we analyze the effect of incorporating a per-client bias correction layer. By integrating sample-based and attribution-based explanations, we provide detailed insights into the decision-making process of FCIL approaches.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"269 ","pages":"Article 111448"},"PeriodicalIF":4.6000,"publicationDate":"2025-06-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1389128625004153","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

Network traffic has experienced substantial growth in recent years, requiring the implementation of more advanced techniques for effective management. In this context, Traffic Classification (TC) helps in successfully handling the network by identifying what is flowing through it. Nowadays, data-driven approaches—viz., Machine Learning (ML) and Deep Learning (DL)—are widely employed to address this task. However, these approaches struggle to keep pace with the ever-changing nature of traffic due to the introduction of new or updated services/apps and exhibit a decision-making process not interpretable. Furthermore, network traffic can vary significantly by geographic area, requiring a decentralized privacy-preserving approach to update classifiers collaboratively. In this work, we propose a Federated Class Incremental Learning (FCIL) framework that integrates Class Incremental Learning (CIL) and Federated Learning (FL) for network TC while incorporating a comprehensive eXplainable Artificial Intelligence (XAI) methodology, tackling the challenges of updating traffic classifiers, managing the geographic diversity of traffic along with data privacy, and interpreting the decision-making process, respectively. To assess our proposal, we leverage two publicly available encrypted network traffic datasets. Our findings uncover that, in small networks, fewer synchronizations facilitate retaining old knowledge, while larger networks reveal an approach-dependent pattern, yet still exhibiting good retention performance. Moreover, in both small and larger networks, frequent updates enhance the assimilation of new information. Notably,

{B i C}^{+}

is the most effective approach in small networks (i.e., 2 clients) while

i C a R L +

performs best in larger networks (i.e., 10 clients), obtaining 82% and 79% F1 on

C E S N E T

T L S 22

, respectively. Leveraging XAI techniques, we analyze the effect of incorporating a per-client bias correction layer. By integrating sample-based and attribution-based explanations, we provide detailed insights into the decision-making process of FCIL approaches.

查看原文本刊更多论文

用于加密网络流量分类的可解释联邦类增量学习

近年来，网络流量经历了大幅增长，需要实施更先进的技术来进行有效的管理。在这种情况下，流量分类（TC）通过识别流经网络的内容来帮助成功地处理网络。如今，数据驱动的方法——即机器学习（ML）和深度学习（DL）——被广泛用于解决这一任务。然而，由于引入了新的或更新的服务/应用程序，这些方法很难跟上流量不断变化的本质，并且表现出不可解释的决策过程。此外，网络流量可能因地理区域的不同而有很大差异，这需要一种分散的隐私保护方法来协作更新分类器。在这项工作中，我们提出了一个联邦类增量学习（FCIL）框架，该框架集成了用于网络TC的类增量学习（CIL）和联邦学习（FL），同时结合了一个全面的可解释人工智能（XAI）方法，分别解决了更新流量分类器、管理流量地理多样性和数据隐私以及解释决策过程的挑战。为了评估我们的提议，我们利用了两个公开可用的加密网络流量数据集。我们的研究发现，在小型网络中，较少的同步有助于保留旧知识，而较大的网络显示出方法依赖模式，但仍然表现出良好的保留性能。此外，在小型和大型网络中，频繁的更新加强了对新信息的吸收。值得注意的是，BiC+在小型网络（即2个客户端）中是最有效的方法，而iCaRL+在大型网络（即10个客户端）中表现最佳，在CESNET-TLS22上分别获得82%和79%的F1。利用XAI技术，我们分析了合并每个客户偏差校正层的效果。通过整合基于样本的解释和基于归因的解释，我们对FCIL方法的决策过程提供了详细的见解。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Networks 工程技术-电信学

CiteScore

10.80

自引率

3.60%

发文量

434

审稿时长

8.6 months

期刊介绍： Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.