FG-SAT: Efficient Flow Graph for Encrypted Traffic Classification under Environment Shifts

TL;DR

FG-SAT introduces a novel graph-based approach for encrypted traffic classification that effectively handles environment shifts by representing internal flow structures and selecting robust features, outperforming existing methods.

Contribution

The paper presents FG-SAT, the first end-to-end encrypted traffic classification method using Flow Graphs and a JSD-based feature selection to address environment shifts.

Findings

Outperforms state-of-the-art methods in encrypted attack detection.

Achieves robust classification under environment shifts.

Efficiently models flow internal relationships for accurate identification.

Abstract

Encrypted traffic classification plays a critical role in network security and management. Currently, mining deep patterns from side-channel contents and plaintext fields through neural networks is a major solution. However, existing methods have two major limitations: (1) They fail to recognize the critical link between transport layer mechanisms and applications, missing the opportunity to learn internal structure features for accurate traffic classification. (2) They assume network traffic in an unrealistically stable and singular environment, making it difficult to effectively classify real-world traffic under environment shifts. In this paper, we propose FG-SAT, the first end-to-end method for encrypted traffic analysis under environment shifts. We propose a key abstraction, the Flow Graph, to represent flow internal relationship structures and rich node attributes, which enables robust and generalized representation. Additionally, to address the problem of inconsistent data distribution under environment shifts, we introduce a novel feature selection algorithm based on Jensen-Shannon divergence (JSD) to select robust node attributes. Finally, we design a classifier, GraphSAT, which integrates GraphSAGE and GAT to deeply learn Flow Graph features, enabling accurate encrypted traffic identification. FG-SAT exhibits both efficient and robust classification performance under environment shifts and outperforms state-of-the-art methods in encrypted attack detection and application classification.