Language of Network: A Generative Pre-trained Model for Encrypted Traffic Comprehension

TL;DR

This paper introduces GBC, a pre-trained generative model for encrypted traffic analysis that improves classification and detection accuracy by leveraging protocol-aware tokenization and extensive unlabeled data.

Contribution

The paper presents a novel pre-trained generative model with protocol-aware tokenization for encrypted traffic, enhancing classification and detection over existing methods.

Findings

GBC achieves a 5% higher F1 score in classification tasks.

GBC effectively generates realistic encrypted traffic data.

Pretraining improves model robustness to attack evolution.

Abstract

The increasing demand for privacy protection and security considerations leads to a significant rise in the proportion of encrypted network traffic. Since traffic content becomes unrecognizable after encryption, accurate analysis is challenging, making it difficult to classify applications and detect attacks. Deep learning is currently the predominant approach for encrypted traffic classification through feature analysis. However, these methods face limitations due to their high dependence on labeled data and difficulties in detecting attack variants. First, their performance is highly sensitive to data quality, where the highcost manual labeling process and dataset imbalance significantly degrade results. Second, the rapid evolution of attack patterns makes it challenging for models to identify new types of attacks. To tackle these challenges, we present GBC, a generative model based on pre-training for encrypted traffic comprehension. Since traditional tokenization methods are primarily designed for natural language, we propose a protocol-aware tokenization approach for encrypted traffic that improves model comprehension of fields specific to network traffic. In addition, GBC employs pretraining to learn general representations from extensive unlabeled traffic data. Through prompt learning, it effectively adapts to various downstream tasks, enabling both high-quality traffic generation and effective detection. Evaluations across multiple datasets demonstrate that GBC achieves superior results in both traffic classification and generation tasks, resulting in a 5% improvement in F1 score compared to state-of-the-art methods for classification tasks.