TrafficMoE: Heterogeneity-aware Mixture of Experts for Encrypted Traffic Classification

TL;DR

TrafficMoE introduces a heterogeneity-aware mixture of experts framework for encrypted traffic classification, effectively disentangling headers and payloads and dynamically fusing features to improve accuracy.

Contribution

It proposes a novel DFA paradigm with dual-branch MoE, uncertainty filtering, and dynamic feature routing to enhance encrypted traffic analysis.

Findings

Outperforms state-of-the-art methods on six datasets.

Effectively disentangles headers and payloads for better feature extraction.

Demonstrates the importance of heterogeneity-aware modeling in encrypted traffic classification.

Abstract

Encrypted traffic classification is a critical task for network security. While deep learning has advanced this field, the occlusion of payload semantics by encryption severely challenges standard modeling approaches. Most existing frameworks rely on static and homogeneous pipelines that apply uniform parameter sharing and static fusion strategies across all inputs. This one-size-fits-all static design is inherently flawed: by forcing structured headers and randomized payloads into a unified processing pipeline, it inevitably entangles the raw protocol signals with stochastic encryption noise, thereby degrading the fine-grained discriminative features. In this paper, we propose TrafficMoE, a framework that breaks through the bottleneck of static modeling by establishing a Disentangle-Filter-Aggregate (DFA) paradigm. Specifically, to resolve the structural between-components conflict, the architecture disentangles headers and payloads using dual-branch sparse Mixture-of-Experts (MoE), enabling modality-specific modeling. To mitigate the impact of stochastic noise, an uncertainty-aware filtering mechanism is introduced to quantify reliability and selectively suppress high-variance representations. Finally, to overcome the limitations of static fusion, a routing-guided strategy aggregates cross-modality features dynamically, that adaptively weighs contributions based on traffic context. With this DFA paradigm, TrafficMoE maximizes representational efficiency by focusing solely on the most discriminative traffic features. Extensive experiments on six datasets demonstrate TrafficMoE consistently outperforms state-of-the-art methods, validating the necessity of heterogeneity-aware modeling in encrypted traffic analysis. The source code is publicly available at https://github.com/Posuly/TrafficMoE_main.