Encrypted traffic classification method based on Attention-1DCNN-CE

doi:10.11772/j.issn.1001-9081.2024030325

Journal of Computer Applications ›› 2025, Vol. 45 ›› Issue (3): 872-882.DOI: 10.11772/j.issn.1001-9081.2024030325

• Cyber security • Previous Articles Next Articles

Encrypted traffic classification method based on Attention-1DCNN-CE

Haijun GENG¹^,²(), Yun DONG¹, Zhiguo HU³^,⁴, Haotian CHI¹, Jing YANG¹, Xia YIN⁵

^1.School of Automation and Software Engineering，Shanxi University，Taiyuan Shanxi 030031，China
^2.Shanxi Qingzhong Technology Company Limited，Taiyuan Shanxi 030006，China
^3.School of Computer and Information Technology，Shanxi University，Taiyuan Shanxi 030006，China
^4.Key Laboratory of Embedded System and Service Computing，Ministry of Education （Tongji University），Shanghai 201804，China
^5.Department of Computer Science and Technology，Tsinghua University，Beijing 100084，China

Received:2024-03-25 Revised:2024-05-27 Accepted:2024-05-28 Online:2024-07-22 Published:2025-03-10
Contact: Haijun GENG
About author:DONG Yun， born in 1997， M. S. candidate. His research interests include cybersecurity.
HU Zhiguo， born in 1977， Ph. D.， associate professor. His research interests include cybersecurity.
CHI Haotian， born in 1990， Ph. D.， lecturer. His research interests include internet of things security， wireless security， privacy protection.
YANG Jing， born in 1990， Ph. D.， lecturer. Her research interests include fuzzy system， image reconstruction.
YIN Xia， born in 1972， Ph. D.， professor. Her research interests include next generation Internet architecture， protocol test.
Supported by:
National Natural Science Foundation of China(62472267);Fundamental Research Program of Shanxi Province(20210302123444)

基于Attention-1DCNN-CE的加密流量分类方法

耿海军¹^,²(), 董赟¹, 胡治国³^,⁴, 池浩田¹, 杨静¹, 尹霞⁵

^1.山西大学自动化与软件学院，太原 030031
^2.山西清众科技股份有限公司，太原 030006
^3.山西大学计算机与信息技术学院，太原 030006
^4.嵌入式系统与服务计算教育部重点实验室（同济大学），上海 201804
^5.清华大学计算机科学与技术系，北京 100084

通讯作者: 耿海军
作者简介:董赟（1997—），男，山西晋中人，硕士研究生，主要研究方向：网络安全
胡治国（1977—），男，山西太原人，副教授，博士，CCF会员，主要研究方向：网络安全
池浩田（1990—），男，山西太原人，讲师，博士，主要研究方向：物联网安全、无线安全、隐私保护
杨静（1990—），女，山西太原人，讲师，博士，主要研究方向：模糊系统、图像重建
尹霞（1972—），女，北京人，教授，博士，CCF会员，主要研究方向：下一代互联网体系结构、协议测试。
基金资助:
国家自然科学基金资助项目(62472267);山西省应用基础研究计划项目(20210302123444)

Abstract

Abstract:

To address the problems of low multi-classification accuracy， poor generalization， and easy privacy invasion in traditional encrypted traffic identification methods， a multi-classification deep learning model that combines Attention mechanism （Attention） with one-Dimensional Convolutional Neural Network （1DCNN） was proposed， namely Attention-1DCNN-CE. This model consists of three core components： 1） in the dataset preprocessing stage， the spatial relationship among packets in the original data stream was retained， and a cost-sensitive matrix was constructed on the basis of the sample distribution； 2） based on the preliminary extraction of encrypted traffic features， the Attention and 1DCNN models were used to mine deeply and compress the global and local features of the traffic； 3） in response to the challenge of data imbalance， by combining the cost-sensitive matrix with the Cross Entropy （CE） loss function， the sample classification accuracy of minority class was improved significantly， thereby optimizing the overall performance of the model. Experimental results show that on BOT-IOT and TON-IOT datasets， the overall identification accuracy of this model is higher than 97%. Additionally， on public datasets ISCX-VPN and USTC-TFC， this model performs excellently， and achieves performance similar to that of ET-BERT （Encrypted Traffic BERT） without the need for pre-training. Compared to Payload Encoding Representation from Transformer （PERT） on ISCX-VPN dataset， this model improves the F1 score in application type detection by 29.9 percentage points. The above validates the effectiveness of this model， so that this model provides a solution for encrypted traffic identification and malicious traffic detection.

Key words: cybersecurity, encrypted traffic, Attention mechanism (Attention), one-Dimensional Convolutional Neural Network (1DCNN), data imbalance, cost-sensitive matrix

摘要：

针对传统加密流量识别方法存在多分类准确率低、泛化性不强以及易侵犯隐私等问题，提出一种结合注意力机制（Attention）与一维卷积神经网络（1DCNN）的多分类深度学习模型——Attention-1DCNN-CE。该模型包含3个核心部分：1）数据集预处理阶段，保留原始数据流中数据包间的空间关系，并根据样本分布构建成本敏感矩阵；2）在初步提取加密流量特征的基础上，利用Attention和1DCNN模型深入挖掘并压缩流量的全局与局部特征；3）针对数据不平衡这一挑战，通过结合成本敏感矩阵与交叉熵（CE）损失函数，显著提升少数类别样本的分类精度，进而优化模型的整体性能。实验结果表明，在BOT-IOT和TON-IOT数据集上该模型的整体识别准确率高达97%以上；并且该模型在公共数据集ISCX-VPN和USTC-TFC上表现优异，在不需要预训练的前提下，达到了与ET-BERT（Encrypted Traffic BERT）相近的性能；相较于PERT（Payload Encoding Representation from Transformer），该模型在ISCX-VPN数据集的应用类型检测中的F1分数提升了29.9个百分点。以上验证了该模型的有效性，为加密流量识别和恶意流量检测提供了解决方案。

关键词: 网络安全, 加密流量, 注意力机制, 一维卷积神经网络, 数据不平衡, 成本敏感矩阵

CLC Number:

TP393.06

Haijun GENG, Yun DONG, Zhiguo HU, Haotian CHI, Jing YANG, Xia YIN. Encrypted traffic classification method based on Attention-1DCNN-CE[J]. Journal of Computer Applications, 2025, 45(3): 872-882.

耿海军, 董赟, 胡治国, 池浩田, 杨静, 尹霞. 基于Attention-1DCNN-CE的加密流量分类方法[J]. 《计算机应用》唯一官方网站, 2025, 45(3): 872-882.

Figures/Tables 13

Fig. 1 Workflow of Attention-1DCNN-CE model

Fig. 2 Packet truncation and padding

Tab. 1 Penalty coefficient matrix

类别	$C 1$	$C 2$	$C 3$	$C 4$
$C 1$	1	$D i s C 1, C 2$	$D i s C 1, C 3$	$D i s C 1, C 4$
$C 2$	$D i s C 2, C 1$	1	$D i s C 2, C 3$	$D i s C 2, C 4$
$C 3$	$D i s C 3, C 1$	$D i s C 3, C 2$	1	$D i s C 3, C 4$
$C 4$	$D i s C 4, C 1$	$D i s C 4, C 2$	$D i s C 4, C 3$	1

Tab. 1 Penalty coefficient matrix

类别	$C 1$	$C 2$	$C 3$	$C 4$
$C 1$	1	$D i s C 1, C 2$	$D i s C 1, C 3$	$D i s C 1, C 4$
$C 2$	$D i s C 2, C 1$	1	$D i s C 2, C 3$	$D i s C 2, C 4$
$C 3$	$D i s C 3, C 1$	$D i s C 3, C 2$	1	$D i s C 3, C 4$
$C 4$	$D i s C 4, C 1$	$D i s C 4, C 2$	$D i s C 4, C 3$	1

Fig. 3 Structure of global feature extraction module

Fig. 4 Structure of local feature extraction module

Tab. 2 Experimental environment details

类别	名称	详细信息
硬件	CPU	Intel Core i9-12900H
	GPU	NVIDIA GeForce RTX 3060
	RAM	32 GB
软件	工具	Wireshark，SplitCap，Scapy

Fig. 5 Results of ablation experiments on BOT-IOT dataset

Fig. 6 Confusion matrix of Attention-1DCNN-CE on BOT-IOT Data

Fig. 7 F1 scores of different models

Fig. 8 Comparison of multi-classification F1 scores on BOT-IOT and TON-IOT datasets

Fig. 9 Comparison of multi-classification FAR on BOT-IOT and TON-IOT datasets

Fig. 10 Indicator comparison of different models on BOT-IOT and TON-IOT datasets

Tab. 3 Indicator comparison results of different models on common datasets

模型	ISCX-VPN-Service				ISCX-VPN-APP				USTC-TFC
模型	AC	PR	RC	F1分数	AC	PR	RC	F1分数	AC	PR	RC	F1分数
AppScanner^*［38］	71.8	73.4	72.3	72.0	62.7	48.6	52.0	49.4	89.5	89.8	89.7	88.9
CUMUL^*［39］	56.1	58.8	56.8	56.7	53.7	41.3	45.4	42.4	56.8	61.7	57.4	55.1
BIND^*［40］	75.3	75.8	74.9	74.2	67.7	51.5	51.5	49.7	84.6	86.8	83.8	84.0
K-fp^*［41］	64.3	64.9	64.2	64.0	60.7	54.8	54.3	53.0	—	—	—	—
FlowPrint^*［42］	79.6	80.4	78.1	78.2	87.7	67.0	66.5	65.3	81.5	64.3	70.0	65.7
DF^*［43］	71.5	71.9	71.0	71.0	61.2	57.1	47.5	48.0	77.9	78.8	78.2	75.9
FS-Net^*［44］	72.1	75.0	72.4	71.3	66.5	48.2	48.5	47.4	88.5	88.5	89.2	88.4
GraphDApp^*［45］	59.8	60.5	62.2	60.4	63.3	59.0	54.7	55.6	87.9	82.3	82.6	82.3
DeepPacket^*［13］	93.3	93.8	93.1	93.2	97.6	97.9	97.5	97.7	96.4	96.5	96.3	96.4
FastTraffic^［29］	94.5	94.8	94.3	94.4	92.2	93.6	92.8	93.1	96.9	96.6	95.0	95.5
PERT^［46］	93.5	94.0	93.5	93.7	82.3	70.9	71.7	69.9	99.1	99.1	99.1	99.1
ET-BERT^［27］	98.9	98.9	98.9	98.9	99.6	99.4	99.4	99.4	99.2	99.2	99.2	99.2
YaTC^［26］	98.1	—	—	98.0	—	—	—	—	97.9	—	—	96.6
本文模型	99.8	99.8	99.8	99.8	99.8	99.8	99.8	99.8	99.2	99.3	99.2	99.2

References 46

1	ROUGHAN M， SEN S， SPATSCHECK O， et al. Class-of-service mapping for QoS： a statistical signature-based approach to IP traffic classification ［C］// Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement. New York： ACM， 2004： 135-148.
2	REZAEI S， LIU X. Deep learning for encrypted traffic classification： an overview ［J］. IEEE Communications Magazine， 2019， 57（5）： 76-81.
3	Gartner. Predicts 2017： network and gateway security ［EB/OL］. ［2023-12-03］. .
4	Google. Google transparency report： HTTPS encryption on the Web［R/OL］. ［2023-07-01］. .
5	CISCO. Cisco encrypted traffic analytics white paper ［R/OL］. ［2023-11-14］. .
6	DAINOTTI A， PESCAPE A， CLAFFY K C. Issues and future directions in traffic classification ［J］. IEEE Network， 2012， 26（1）： 35-40.
7	KHALIFE J， HAJJAR A， DIAZ-VERDEJO J. A multilevel taxonomy and requirements for an optimal traffic-classification model［J］. International Journal of Network Management， 2014， 24（2）： 101-120.
8	YAMANSAVASCILAR B， GUVENSAN M A， YAVUZ A G， et al. Application identification via network traffic classification ［C］// Proceedings of the 2017 International Conference on Computing， Networking and Communications. Piscataway： IEEE， 2017： 843-848.
9	LA MANTIA G， ROSSI D， FINAMORE A， et al. Stochastic packet inspection for TCP traffic ［C］// Proceedings of the 2010 IEEE International Conference on Communications. Piscataway： IEEE， 2010： 1-6.
10	CHEN H Y， LIN T N. The challenge of only one flow problem for traffic classification in identity obfuscation environments ［J］. IEEE Access， 2021， 9： 84110-84121.
11	NAZARENKO E， VARKENTIN V， POLYAKOVA T. Features of application of machine learning methods for classification of network traffic （features， advantages， disadvantages）［C］// Proceedings of the 2019 International Multi-Conference on Industrial Engineering and Modern Technologies. Piscataway： IEEE， 2019： 1-5.
12	MONTAZERISHATOORI M， DAVIDSON L， KAUR G， et al. Detection of DoH tunnels using time-series classification of encrypted traffic ［C］// Proceedings of the 2020 IEEE International Conference on Dependable， Autonomic and Secure Computing， International Conference on Pervasive Intelligence and Computing， International Conference on Cloud and Big Data Computing， International Conference on Cyber Science and Technology Congress. Piscataway： IEEE， 2020： 63-70.
13	LOTFOLLAHI M， JAFARI SIAVOSHANI M， SHIRALI HOSSEIN ZADE R， et al. Deep Packet： a novel approach for encrypted traffic classification using deep learning ［J］. Soft Computing， 2020， 24（3）： 1999-2012.
14	陈明豪，祝跃飞，芦斌，等. 基于Attention-CNN的加密流量应用类型识别［J］. 计算机科学， 2021， 48（4）：325-332.
	CHEN M H， ZHU Y F， LU B， et al. Classification of application type of encrypted traffic based on Attention-CNN ［J］. Computer Science， 2021， 48（4）：325-332.
15	HAMEED A， VIOLOS J， LEIVADEAS A. A deep learning approach for IoT traffic multi-classification in a smart-city scenario［J］. IEEE Access， 2022， 10： 21193-21210.
16	LAWAL M A， SHAIKH R A， HASSAN S R. Security analysis of network anomalies mitigation schemes in IoT networks ［J］. IEEE Access， 2020， 8： 43355-43374.
17	LI Y， LI J. MultiClassifier： a combination of DPI and ML for application-layer classification in SDN ［C］// Proceedings of the 2nd International Conference on Systems and Informatics. Piscataway： IEEE， 2014： 682-686.
18	CHEN L， LI S， BAI Q， et al. Review of image classification algorithms based on convolutional neural networks ［J］. Remote Sensing， 2021， 13（22）： No.4712.
19	MIN B， ROSS H， SULEM E， et al. Recent advances in natural language processing via large pre-trained language models： a survey ［J］. ACM Computing Surveys， 2024， 56（2）： No.30.
20	ALDARMAKI H， ULLAH A， RAM S， et al. Unsupervised automatic speech recognition： a review ［J］. Speech Communication， 2022， 139： 76-91.
21	CHEN L， LI Y， HUANG C， et al. Milestones in autonomous driving and intelligent vehicles： survey of surveys ［J］. IEEE Transactions on Intelligent Vehicles， 2023， 8（2）： 1046-1056.
22	WANG W， ZHU M， WANG J， et al. End-to-end encrypted traffic classification with one-dimensional convolution neural networks［C］// Proceedings of the 2017 IEEE International Conference on Intelligence and Security Informatics. Piscataway： IEEE， 2017： 43-48.
23	TONG X， TAN X， CHEN L， et al. BFSN： a novel method of encrypted traffic classification based on bidirectional flow sequence network ［C］// Proceedings of the 3rd International Conference on Hot Information-Centric Networking. Piscataway： IEEE， 2020： 160-165.
24	GUO L， WU Q， LIU S， et al. Deep learning-based real-time VPN encrypted traffic identification methods ［J］. Journal of Real-Time Image Processing， 2020， 17： 103-114.
25	LOPEZ-MARTIN M， CARRO B， SANCHEZ-ESGUEVILLAS A， et al. Network traffic classifier with convolutional and recurrent neural networks for Internet of Things ［J］. IEEE Access， 2017， 5： 18042-18050.
26	ZHAO R， ZHAN M， DENG X， et al. Yet another traffic classifier： a masked autoencoder based traffic Transformer with multi-level flow representation ［C］// Proceedings of the 37th AAAI Conference on Artificial Intelligence. Palo Alto： AAAI Press， 2023： 5420-5427.
27	LIN X， XIONG G， GOU G， et al. ET-BERT： a contextualized datagram representation with pre-training Transformers for encrypted traffic classification ［C］// Proceedings of the ACM Web Conference 2022. New York： ACM， 2022： 633-642.
28	SHI Z， LUKTARHAN N， SONG Y， et al. BFCN： a novel classification method of encrypted traffic based on BERT and CNN［J］. Electronics， 2023， 12（3）： No.516.
29	XU Y， CAO J， SONG K， et al. FastTraffic： a lightweight method for encrypted traffic fast classification ［J］. Computer Networks， 2023， 235： No.109965.
30	VU L， BUI C T， NGUYEN Q U. A deep learning based method for handling imbalanced problem in network traffic classification［C］// Proceedings of the 8th International Symposium on Information and Communication Technology. New York： ACM， 2017： 333-339.
31	ZHOU N， WANG Q， ZHOU J. IoT unbalanced traffic classification system based on Focal_Attention_LSTM ［C］// Proceedings of the IEEE 5th Information Technology， Networking， Electronic and Automation Control Conference. Piscataway： IEEE， 2021： 899-903.
32	TELIKANI A， GANDOMI A H， CHOO K K R， et al. A cost-sensitive deep learning-based approach for network traffic classification ［J］. IEEE Transactions on Network and Service Management， 2022， 19（1）： 661-670.
33	KORONIOTIS N， MOUSTAFA N， SITNIKOVA E. A new network forensic framework based on deep learning for Internet of Things networks： a particle deep framework ［J］. Future Generation Computer Systems， 2020， 110： 91-106.
34	BOOIJ T M， CHISCOP I， MEEUWISSEN E， et al. ToN_IoT： the role of heterogeneity and the need for standardization of features and attack types in IoT network intrusion data sets ［J］. IEEE Internet of Things Journal， 2022， 9（1）： 485-496.
35	DRAPER-GIL G， LASHKARI A H， MAMUN M S I， et al. Characterization of encrypted and VPN traffic using time-related features ［C］// Proceedings of the 2nd International Conference on Information Systems Security and Privacy. Setúbal： SciTePress， 2016： 407-414.
36	WANG W， ZHU M， ZENG X， et al. Malware traffic classification using convolutional neural network for representation learning ［C］// Proceedings of the 2017 International Conference on Information Networking. Piscataway： IEEE， 2017： 712-717.
37	ZHU S， XU X， GAO H， et al. CMTSNN： a deep learning model for multiclassification of abnormal and encrypted traffic of Internet of Things ［J］. IEEE Internet of Things Journal， 2023， 10（13）： 11773-11791.
38	TAYLOR V F， SPOLAOR R， CONTI M， et al. Robust smartphone app identification via encrypted network traffic analysis［J］. IEEE Transactions on Information Forensics and Security， 2018， 13（1）： 63-78.
39	PANCHENKO A， LANZE F， ZINNEN A， et al. Website fingerprinting at internet scale ［C］// Proceedings of the 2016 Network and Distributed System Security Symposium. Reston， VA： Internet Society， 2016： 1-15.
40	AL-NAAMI K， CHANDRA S， MUSTAFA A， et al. Adaptive encrypted traffic fingerprinting with bi-directional dependence［C］// Proceedings of the 32nd Annual Conference on Computer Security Applications. New York： ACM， 2016： 177-188.
41	HAYES J， DANEZIS G. k-fingerprinting： A robust scalable website fingerprinting technique ［C］// Proceedings of the 25th USENIX Security Symposium. Berkeley： USENIX， 2016： 1187-1203.
42	VAN EDE T， BORTOLAMEOTTI R， CONTINELLA A， et al. FlowPrint： semi-supervised mobile-app fingerprinting on encrypted network traffic ［C］// Proceedings of the 2020 Network and Distributed System Security Symposium. Reston， VA： Internet Society， 2020： 1-18.
43	SIRINAM P， IMANI M， JUAREZ M， et al. Deep fingerprinting： undermining website fingerprinting defenses with deep learning［C］// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York： ACM， 2018： 1928-1943.
44	LIU C， HE L， XIONG G， et al. FS-Net： a flow sequence network for encrypted traffic classification ［C］// Proceedings of the 2019 IEEE Conference on Computer Communications. Piscataway： IEEE， 2019： 1171-1179.
45	SHEN M， ZHANG J， ZHU L， et al. Accurate decentralized application identification via encrypted traffic analysis using graph neural networks ［J］. IEEE Transactions on Information Forensics and Security， 2021， 16： 2367-2380.
46	HE H Y， YANG Z G， CHEN X N. PERT： payload encoding representation from transformer for encrypted traffic classification［C］// Proceedings of the 2020 ITU Kaleidoscope： Industry-Driven Digital Transformation. Piscataway： IEEE， 2020： 1-8.

[1]	Bin XIAO, Yun GAN, Min WANG, Xingpeng ZHANG, Zhaoxing WANG. Network abnormal traffic detection based on port attention and convolutional block attention module [J]. Journal of Computer Applications, 2024, 44(4): 1027-1034.
[2]	Jian CUI, Kailang MA, Yu SUN, Dou WANG, Junliang ZHOU. Deep explainable method for encrypted traffic classification [J]. Journal of Computer Applications, 2023, 43(4): 1151-1159.
[3]	Jing LIU, Zhihong DONG, Zheyu ZHANG, Zhigang SUN, Haipeng JI. Data sharing method of industrial internet of things based on federal incremental learning [J]. Journal of Computer Applications, 2022, 42(4): 1235-1243.
[4]	GUO Shuai, SU Yang. Encrypted traffic classification method based on data stream [J]. Journal of Computer Applications, 2021, 41(5): 1386-1391.
[5]	LIANG Denggao, ZHOU Anmin, ZHENG Rongfeng, LIU Liang, DING Jianwei. WeChat payment behavior recognition model based on division of large and small burst blocks [J]. Journal of Computer Applications, 2020, 40(7): 1970-1976.
[6]	YANG Hongyu, LI Bochao. Network abnormal behavior detection model based on adversarially learned inference [J]. Journal of Computer Applications, 2019, 39(7): 1967-1972.
[7]	ZHANG Yu, YU Dongjun. Protein-ATP binding site prediction based on 1D-convolutional neural network [J]. Journal of Computer Applications, 2019, 39(11): 3146-3150.
[8]	JIAN Yiheng, YU Xiao. Software defect number prediction method based on data oversampling and ensemble learning [J]. Journal of Computer Applications, 2018, 38(9): 2637-2643.

Encrypted traffic classification method based on Attention-1DCNN-CE

基于Attention-1DCNN-CE的加密流量分类方法

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 13

References 46

Related Articles 8

Recommended Articles

Metrics