Machine learning classification on traffic of secondary encryption

Encrypted traffic classification plays an important role in network management. In this paper, we take as an example of the web browsing application, and propose a machine learning classification scheme, Bali, that can identify the encrypted traffic from various websites. We employ packet length statistics as discriminative features of encrypted traffic. In order to further investigate the differences among encrypted traffic from various websites, we develop a clustering method based on an observation that the first outgoing and incoming packets with specific flags from the same website have similar features. The above two techniques can be incorporated into typical machine learning models (e.g., random forests, SVM, kNN) for traffic classification. Experiment results using real-world datasets demonstrate that the proposed method outperforms the state-of-the-art methods.