Fine-grained TLS services classification with reject option

TL;DR

This paper introduces a large, detailed dataset for encrypted traffic classification, demonstrating that neural networks can effectively identify fine-grained services and reject unknown traffic with high accuracy.

Contribution

It provides a new extensive dataset with nearly 200 service labels and 140 million flows, and shows neural networks excel at service classification and rejection tasks.

Findings

Achieved 97.04% classification accuracy.

Detected 91.94% of unknown services.

Dataset surpasses existing public datasets in size and label diversity.

Abstract

The recent success and proliferation of machine learning and deep learning have provided powerful tools, which are also utilized for encrypted traffic analysis, classification, and threat detection in computer networks. These methods, neural networks in particular, are often complex and require a huge corpus of training data. Therefore, this paper focuses on collecting a large up-to-date dataset with almost 200 fine-grained service labels and 140 million network flows extended with packet-level metadata. The number of flows is three orders of magnitude higher than in other existing public labeled datasets of encrypted traffic. The number of service labels, which is important to make the problem hard and realistic, is four times higher than in the public dataset with the most class labels. The published dataset is intended as a benchmark for identifying services in encrypted traffic. Service identification can be further extended with the task of "rejecting" unknown services, i.e., the traffic not seen during the training phase. Neural networks offer superior performance for tackling this more challenging problem. To showcase the dataset's usefulness, we implemented a neural network with a multi-modal architecture, which is the state-of-the-art approach, and achieved 97.04% classification accuracy and detected 91.94% of unknown services with 5% false positive rate.