Article directory
Introduction to the paper
Original title : FS-Net: A Flow Sequence Network For Encrypted Traffic Classification
Chinese title : FS-Net: A Flow Sequence Network for Encrypted Traffic Classification
Publication conference : IEEE INFOCOM
Year of publication : 2019
Author : Chang Liu
latex citation :
@inproceedings{liu2019fs,
title={Fs-net: A flow sequence network for encrypted traffic classification},
author={Liu, Chang and He, Longtao and Xiong, Gang and Cao, Zigang and Li, Zhen},
booktitle={IEEE INFOCOM 2019-IEEE Conference On Computer Communications},
pages={1171--1179},
year={2019},
organization={IEEE}
}
Summary
With people paying more attention to user privacy and communication security, encrypted traffic has increased dramatically, which has brought huge challenges to traditional rule-based traffic classification methods. Combining machine learning algorithms with artificially designed features has become a mainstream approach to solving this problem. However, these functions rely heavily on professional experience, which requires a lot of manpower. These methods divide the encrypted traffic classification problem into segmented sub-problems and cannot guarantee an optimal solution. This paper applies the recurrent neural network to the encrypted traffic classification problem and proposes the Flow Sequence network (FS-Net). FS-Net is an end-to-end classification model that learns representative features from raw streams and then classifies them in a unified framework. In addition, we adopt a multi-layer encoder-decoder structure, which can deeply mine the latent sequence features of the stream, and introduce a reconstruction mechanism to improve the effectiveness of the features. Our comprehensive experiments on real-world datasets of 18 applications show that FS-Net achieves excellent performance (99.14% TPR, 0.05% FPR and 0.9906 FTF), outperforming current state-of-the-art methods.
Problems
Combining machine learning algorithms with manually extracted raw traffic statistical features has become a mainstream method for encrypted traffic classification. Obviously, this method decomposes the encrypted traffic classification problem into two sub-problems, and the results of each sub-problem will directly affect the final classification performance. Another approach is to design an end-to-end model, which combines feature engineering and model training into a unified model.
Paper contribution
- An end-to-end FS-Net model is proposed for encrypted traffic classification. FS-Net consists of an encoder, decoder, classifier and reconstruction layer, and recognizes flows through feature learning and classification of original flow sequences.
- Utilize reconstruction mechanism to promote feature learning. By keeping the reconstructed sequence and the original flow sequence as similar as possible, the generated features can contain more discriminative information.
- FS-Net achieves excellent encrypted traffic classification results on real network traffic data and outperforms several state-of-the-art methods.
The paper’s approach to solving the above problems:
In this paper, we use an end-to-end Flow Sequence Network (FS-Net) model for encrypted flow classification. This end-to-end model can learn features directly from the raw input, and the learned features are guided by real labels, thereby improving performance. Therefore, it saves manpower in designing and verifying functions.
Thesis tasks:
Encrypted traffic multi-classification
1. Problem statement
Suppose there are N samples and C applications in total.
- No.pp _Sequence representation of p samples:xp = [ L 1 ( p ) , L 2 ( p ) , … , L np ( p ) ] x_p = [L_1^{(p)} ,L_2^{(p)} , … , L_{n_p}^{(p)}]xp=[L1(p),L2(p),…,Lnp(p)] , wherenp n_pnpis xp x_pxpThe length of L i ( p ) L_i^{(p)}Li(p)is the time step iipacket value of i
- x p x_p xpApplication tags : A p A_pAp, 1 ≤ A p ≤ c 1≤Ap≤c 1≤Ap≤c
- Goal : The goal is to build an end-to-end model ψ ( xp ) ψ(xp)ψ ( x p ) to predict a label that happens to be the true labelA p A_pApThe label A p ^ \hat{A_p}Ap^
2. FS-net
-
embedding layer
Given a stream sequence of n elements, x = [ L 1 , L 2 , … , L n ] x = [L_1, L_2, …, L_n]x=[L1,L2,…,Ln] , each elementL i , i ∈ [ 1 , n ] L_i, i∈[1,n]Li,i∈[1,n ] needs to be converted into addd- dimensional vectorEL i E_{L_i}ELi. Finally, the embedding sequence [e 1, e 2, ⋅ ⋅ ⋅, en] [e_1, e_2,···,e_n] is obtained[e1,e2,⋅⋅⋅,en] , in whichei = EL i e_i = E_{L_i}ei=ELi。
-
coding layer
The encoder layer takes the embedding vector of the stream as input and generates compressed features. The encoder layer consists of stacked bidirectional GRU (bi-GRU).
-
decoding layer
The decoder layer uses another stacked dual GRU network similar to the encoder layer. Drawing on the architecture of the autoencoder, the feature vector ze z_e based on the encoderzeAt each time step ttt is input into the decoder
-
reconstruction layer
The decoder sequence D is input to the reconstruction layer to generate a probability distribution over the element set e, where a softmax classifier is used to generate the distribution
-
dense layer
The output sequences of the encoder and decoder are combined, feature enhancement is performed, and finally compression is performed, as follows:
ze z_ezeis the encoder output, zd z_dzdoutput for the decoder
-
classification layer
The compressed feature vector zc z_czcSent to another softmax classifier similar to the reconstruction layer to obtain distribution qq on different applicationsq . Take the application with the highest probability as the prediction labelAAA。
-
Loss
The final loss is the weighted sum of classification loss and reconstruction loss.
3. Experiment
Comparative experiment:
FS-net ablation experiment:
-
The role of the reconstruction layer : The reconstruction mechanism can enhance feature representation and recognition capabilities by restoring the input sequence. To verify this, we design a variant of the model that abandons the decoder layer, reconstruction layer and reconstruction loss in Figure 2, i.e. only passes the encoder-based feature vector z to the dense layer for classification. This variant is called FS-ND.
-
The role of message type sequences : Message type sequences are used as inputs to traditional message type-based Markov methods (i.e. FoSM, SOCRT and SOB). For the convenience of comparison, this article tests FS-Net and FS-ND in combination with message type sequences, and the corresponding methods are recorded as FS-Net-s and FS-ND-s.
-
The role of dense layer : FS-Net-SL, FS-ND-SL.
FS-net sensitivity analysis:
-
Hidden state dimension:
-
Parameter α:
Summarize
data set
- Mampf: Encrypted traffic classiffication based on multi-attribute markov probability fingerprints
Readable citations
Datasets and models
- Mampf: Encrypted traffic classiffication based on multi-attribute markov probability fingerprints