Length Matters: Fast Internet Encrypted Traffic Service Classification based on Multi-PDU Lengths

Encryption of network traffic has become an inevitable trend. As an important link to Internet encrypted traffic analysis, encrypted traffic service classification can provide support for the coarse-grained network service traffic management and security supervision. But traditional DPI method cannot be effectively applied in an encrypted traffic environment, and the existing methods based on machine learning have two problems in feature selection. One is the complex feature classification over costing problem, the other is the TLS-1.2 suited method is no longer applicable to TLS-1.3 handshake encryption. To solve these problems, in this paper, we consider the differences among encryption network protocol stacks and propose a method of encrypted traffic service classification combining with capsule neural network in a multi-protocol environment by using multi-PDU lengths as the features, making full use of Markov property between PDU length sequences and being suitable to TLS1.3 environment. The feature makes our method much faster than others in feature extraction. Our control experiments on ISCX VPN-nonVPN dataset show that our method achieves a satisfactory performance (0.9860 Pr, 0.9856 Rc, 0.9855 F1), which is superior to the state-of-the-art methods.