Bibliographic Details
Main Authors: Cui, Susu, Han, Xueying, Han, Dongqi, Wang, Zhiliang, Wang, Weihang, Li, Yun, Jiang, Bo, Liu, Baoxu, Lu, Zhigang
Format: Preprint
Published: 2024
Online Access: https://arxiv.org/abs/2408.14122
contents Encrypted traffic classification plays a critical role in network security and management. Currently, mining deep patterns from side-channel contents and plaintext fields through neural networks is a major solution. However, existing methods have two major limitations: (1) They fail to recognize the critical link between transport layer mechanisms and applications, missing the opportunity to learn internal structure features for accurate traffic classification. (2) They assume network traffic in an unrealistically stable and singular environment, making it difficult to effectively classify real-world traffic under environment shifts. In this paper, we propose FG-SAT, the first end-to-end method for encrypted traffic analysis under environment shifts. We propose a key abstraction, the Flow Graph, to represent flow internal relationship structures and rich node attributes, which enables robust and generalized representation. Additionally, to address the problem of inconsistent data distribution under environment shifts, we introduce a novel feature selection algorithm based on Jensen-Shannon divergence (JSD) to select robust node attributes. Finally, we design a classifier, GraphSAT, which integrates GraphSAGE and GAT to deeply learn Flow Graph features, enabling accurate encrypted traffic identification. FG-SAT exhibits both efficient and robust classification performance under environment shifts and outperforms state-of-the-art methods in encrypted attack detection and application classification.
format Preprint
id arxiv_https___arxiv_org_abs_2408_14122
institution arXiv
publishDate 2024
record_format arxiv
title FG-SAT: Efficient Flow Graph for Encrypted Traffic Classification under Environment Shifts
topic Cryptography and Security