TY - JOUR
T1 - Packet header-based reweight-long short term memory (Rew-LSTM) method for encrypted network traffic classification
AU - Hou, Jiangang
AU - Li, Xin
AU - Xu, Hongji
AU - Wang, Chun
AU - Cui, Lizhen
AU - Liu, Zhi
AU - Hu, Changzhen
N1 - Publisher Copyright:
© The Author(s), under exclusive licence to Springer-Verlag GmbH Austria, part of Springer Nature 2024.
PY - 2024/8
Y1 - 2024/8
N2 - With the development of Internet technology, cyberspace security has become a research hotspot. Network traffic classification is closely related to cyberspace security. In this paper, the problem of classification based on raw traffic data is investigated. This involves the granularity analysis of packets, separating packet headers from payloads, complementing and aligning packet headers, and converting them into structured data, including three representation types: bit, byte, and segmented protocol fields. Based on this, we propose the Rew-LSTM classification model for experiments on publicly available datasets of encrypted traffic, and the results show that excellent results can be obtained when using only the data in packet headers for multiple classification, especially when the data is represented using bit, which outperforms state-of-the-art methods. In addition, we propose a global normalization method, and experimental results show that it outperforms feature-specific normalization methods for both Tor traffic and regular encrypted traffic.
KW - 68T07
KW - Encrypted traffic classification
KW - Global normalization
KW - Packet headers
KW - Structured data
UR - http://www.scopus.com/inward/record.url?scp=85197934355&partnerID=8YFLogxK
U2 - 10.1007/s00607-024-01306-w
DO - 10.1007/s00607-024-01306-w
M3 - Article
AN - SCOPUS:85197934355
SN - 0010-485X
VL - 106
SP - 2875
EP - 2896
JO - Computing (Vienna/New York)
JF - Computing (Vienna/New York)
IS - 8
ER -