DACS: A Double-layer Application Classification Scheme for Hybrid Zero-day Traffic

As a fundamental countermeasure for network management and security, traffic classification has attracted public attention for a long time. All the time, the presence of zero-day traffic, network traffic of unknown applications in a classification system, leads to a significant reduction in the practicability and effectiveness of conventional traffic classification methods. This paper innovatively proposes a traffic classification scheme named DACS, which achieves accurate zero-day traffic detection, application traffic classification and high-performance incremental model updating, fitting for open-world and online traffic classification with plenty of zero-day traffic. DACS uses training samples to cross-simulate zero-day flows and combines the idea of distributed training. With a two-layer structure and a special voting mechanism, DACS is able to perform comprehensive traffic classification tasks in hybrid unknown traffic. In addition, DACS provides great convenience for updating the system knowledge and supports efficient incremental updates. The evaluations with real-world traffic verify the core advantages of the proposed scheme. DACS maintains over 95% classification accuracy on a public dataset (NUDT_MobileTraffic), which is better than the compared methods, and it only needs 1/K retraining computational cost to achieve model updates for new applications, where K is the number of sub-classifiers.