Non-uniformity is All You Need: Efficient and Timely Encrypted Traffic Classification With ECHO

TL;DR

This work tackles encrypted traffic classification by addressing memory and latency bottlenecks through two core techniques. Hyperparameter Optimization of binnings (HO) generates non-uniform, data- and model-aware bin boundaries to compress flow representations without sacrificing accuracy. Early Classification (EC) introduces a cascade of classifiers with multiple exit times and a confidence threshold, drastically reducing average collection time while maintaining accuracy. The combined approach, ECHO, applies HO to packet-size bins and, in some variants, arrival-time bins, enabling fast, accurate classifications across multiple datasets. The results show meaningful improvements in efficiency and throughput, with practical implications for large-scale network monitoring and security deployments. The work also emphasizes interpretability of the learned bin boundaries and provides reproducibility plans for the community.

Abstract

With 95% of Internet traffic now encrypted, an effective approach to classifying this traffic is crucial for network security and management. This paper introduces ECHO -- a novel optimization process for ML/DL-based encrypted traffic classification. ECHO targets both classification time and memory utilization and incorporates two innovative techniques. The first component, HO (Hyperparameter Optimization of binnings), aims at creating efficient traffic representations. While previous research often uses representations that map packet sizes and packet arrival times to fixed-sized bins, we show that non-uniform binnings are significantly more efficient. These non-uniform binnings are derived by employing a hyperparameter optimization algorithm in the training stage. HO significantly improves accuracy given a required representation size, or, equivalently, achieves comparable accuracy using smaller representations. Then, we introduce EC (Early Classification of traffic), which enables faster classification using a cascade of classifiers adapted for different exit times, where classification is based on the level of confidence. EC reduces the average classification latency by up to 90\%. Remarkably, this method not only maintains classification accuracy but also, in certain cases, improves it. Using three publicly available datasets, we demonstrate that the combined method, Early Classification with Hyperparameter Optimization (ECHO), leads to a significant improvement in classification efficiency.

Figures (13)

• Figure 1: A uniform and a non-uniform binning of the packet size distribution of the same example flow. Vertical dotted black lines mark the boundaries of the 5 selected bins. By using non-uniform representations, we can capture more fine-grained details of the flow.
• Figure 2: The key stages in the classification process. Packets are mapped by their flow (the color), and the flow representations are updated accordingly. After a predefined timeout, the flow representation is passed into a classifier to predict the class of the flow (e.g., the used application). Arrows represent the flow of data between the stages, whereas dotted arrows indicate memory access.
• Figure 3: An illustration of the iterative process of creating the representations for the different time scopes. On the left is an example flow with the arrival times and packet sizes of the first 11 packets. The packet-size boundaries vector is $[0,375,750,1125,1500]$, the arrival time boundaries vector is dependant on the time scope: $[0,\frac{\tau_i}{4},\frac{\tau_i}{2},\frac{3\tau_i}{4},\tau_i]$. $r^{'}_{q}(\tau_i)$ is the updated representation before adding the packets in the next time interval.
• Figure 4: Accuracy as a function of the number of bins, for different binning strategies on the packet size dimension. The time dimension binning is uniform in all experiments.
• Figure 5: Accuracy as a function of the number of bins, comparing HO on the different dimensions, as well as on both dimensions.