Tutorial on Flow-Based Network Traffic Classification Using Machine Learning

TL;DR

This tutorial offers a comprehensive, practical guide for building machine learning-based network traffic classification systems that are effective even with encrypted traffic, emphasizing real-world applicability and reproducibility.

Contribution

It provides an end-to-end workflow, including dataset creation, feature engineering, model training, and deployment, with practical guidance and reproducible notebooks for real traffic data.

Findings

Effective classification under encryption demonstrated

Guidelines for feature engineering and model evaluation provided

Reproducible workflows with real traffic data included

Abstract

Modern networks carry increasingly diverse and encrypted traffic types that demand classification techniques beyond traditional port-based and payload-based methods. This tutorial provides a practical, end-to-end guide to building machine-learning-based network traffic flow classification systems. We cover the workflow from flow metering and dataset creation, through ground-truth labeling and feature engineering, to leakage-resistant experimental design, model training and evaluation, explainability, and deployment considerations. The tutorial focuses on supervised flow-based classification that remains effective under encryption and provides actionable guidance on algorithm selection, performance metrics, and realistic partitioning strategies, with emphasis on common real-world measurement artifacts and methodological pitfalls. A companion set of five Jupyter notebooks on GitHub implements the data-to-model workflow on real traffic captures, enabling readers to reproduce key steps. The intended audience includes researchers and practitioners with foundational networking knowledge who aim to design and deploy robust traffic classification systems in operational environments.