Respond to Change with Constancy: Instruction-tuning with LLM for Non-I.I.D. Network Traffic Classification

TL;DR

This paper presents ETooL, a novel instruction-tuning framework using LLMs for robust, adaptable encrypted traffic classification that handles distribution shifts and limited labeled data.

Contribution

Introduction of ETooL, a self-supervised instruction tuning method integrating traffic knowledge into LLMs for improved classification and generalization in network traffic analysis.

Findings

ETooL achieves high F1 scores in both I.I.D. and out-of-distribution traffic classification.

ETooL demonstrates superior robustness and generalization over existing methods.

Constructed NETD dataset to evaluate distributional shift resilience.

Abstract

Encrypted traffic classification is highly challenging in network security due to the need for extracting robust features from content-agnostic traffic data. Existing approaches face critical issues: (i) Distribution drift, caused by reliance on the closedworld assumption, limits adaptability to realworld, shifting patterns; (ii) Dependence on labeled data restricts applicability where such data is scarce or unavailable. Large language models (LLMs) have demonstrated remarkable potential in offering generalizable solutions across a wide range of tasks, achieving notable success in various specialized fields. However, their effectiveness in traffic analysis remains constrained by challenges in adapting to the unique requirements of the traffic domain. In this paper, we introduce a novel traffic representation model named Encrypted Traffic Out-of-Distribution Instruction Tuning with LLM (ETooL), which integrates LLMs with knowledge of traffic structures through a self-supervised instruction tuning paradigm. This framework establishes connections between textual information and traffic interactions. ETooL demonstrates more robust classification performance and superior generalization in both supervised and zero-shot traffic classification tasks. Notably, it achieves significant improvements in F1 scores: APP53 (I.I.D.) to 93.19%(6.62%) and 92.11%(4.19%), APP53 (O.O.D.) to 74.88%(18.17%) and 72.13%(15.15%), and ISCX-Botnet (O.O.D.) to 95.03%(9.16%) and 81.95%(12.08%). Additionally, we construct NETD, a traffic dataset designed to support dynamic distributional shifts, and use it to validate ETooL's effectiveness under varying distributional conditions. Furthermore, we evaluate the efficiency gains achieved through ETooL's instruction tuning approach.