Drift-oriented Self-evolving Encrypted Traffic Application Classification for Actual Network Environment

TL;DR

This paper introduces a self-evolving encrypted traffic classification method that adapts to application updates and concept drift, significantly improving performance and extending classifier lifespan in real network environments.

Contribution

It proposes a drift detection and self-tuning mechanism based on the Laida criterion, enabling continuous adaptation without labeled samples.

Findings

9% improvement in F1-score on future datasets

Classifier lifespan extended to over eight months

Effective handling of feature concept drift in real networks

Abstract

Encrypted traffic classification technology is a crucial decision-making information source for network management and security protection. It has the advantages of excellent response timeliness, large-scale data bearing, and cross-time-and-space analysis. The existing research on encrypted traffic classification has gradually transitioned from the closed world to the open world, and many classifier optimization and feature engineering schemes have been proposed. However, encrypted traffic classification has yet to be effectively applied to the actual network environment. The main reason is that applications on the Internet are constantly updated, including function adjustment and version change, which brings severe feature concept drift, resulting in rapid failure of the classifier. Hence, the entire model must be retrained only past very fast time, with unacceptable labeled sample constructing and model training cost. To solve this problem, we deeply study the characteristics of Internet application updates, associate them with feature concept drift, and then propose self-evolving encrypted traffic classification. We propose a feature concept drift determination method and a drift-oriented self-evolving fine-tuning method based on the Laida criterion to adapt to all applications that are likely to be updated. In the case of no exact label samples, the classifier evolves through fully fine-tuning continuously, and the time interval between two necessary retraining is greatly extended to be applied to the actual network environment. Experiments show that our approach significantly improves the classification performance of the original classifier on the following stage dataset of the following months (9\% improvement on F1-score) without any hard-to-acquire labeled sample. Under the current experimental environment, the life of the classifier is extended to more than eight months.