Universal Embedding Function for Traffic Classification via QUIC Domain Recognition Pretraining: A Transfer Learning Success

TL;DR

This paper introduces a transfer learning approach using a pretrained QUIC domain recognition model to improve encrypted traffic classification across multiple datasets, achieving state-of-the-art results.

Contribution

It presents a novel transfer learning framework with a universal embedding model for traffic classification, outperforming existing methods on multiple benchmarks.

Findings

Surpassed SOTA on 9 out of 10 tasks with 6.4% average improvement.

Pretrained model effectively transfers to diverse traffic classification tasks.

Revealed unexpected insights when comparing with raw packet sequence baselines.

Abstract

Encrypted traffic classification (TC) methods must adapt to new protocols and extensions as well as to advancements in other machine learning fields. In this paper, we adopt a transfer learning setup best known from computer vision. We first pretrain an embedding model on a complex task with a large number of classes and then transfer it to seven established TC datasets. The pretraining task is recognition of SNI domains in encrypted QUIC traffic, which in itself is a challenge for network monitoring due to the growing adoption of TLS Encrypted Client Hello. Our training pipeline -- featuring a disjoint class setup, ArcFace loss function, and a modern deep learning architecture -- aims to produce universal embeddings applicable across tasks. A transfer method based on model fine-tuning surpassed SOTA performance on nine of ten downstream TC tasks, with an average improvement of 6.4%. Furthermore, a comparison with a baseline method using raw packet sequences revealed unexpected findings with potential implications for the broader TC field. We released the model architecture, trained weights, and codebase for transfer learning experiments.