Revolutionizing Encrypted Traffic Classification with MH-Net: A Multi-View Heterogeneous Graph Model

Haozhen Zhang, Haodong Yue, Xi Xiao, Le Yu, Qing Li, Zhen Ling, Ye Zhang

TL;DR

This work tackles encrypted traffic classification by moving beyond byte-level analysis to multi-view heterogeneous graphs that capture diverse granularities and header-payload correlations. MH-Net builds PMI-based graphs from traffic units of varying bit-lengths, employs a heterogeneous graph neural network to fuse header/payload relations, and uses multi-task learning with contrastive objectives to learn robust traffic representations for both packet- and flow-level tasks. The approach achieves state-of-the-art performance on multiple datasets (CIC-IoT and ISCX variants) and provides insights into how different traffic-unit granularities complement or interfere with each other. The findings have practical implications for more robust, scalable encrypted traffic classification and highlight the value of exploiting cross-granularity correlations in network security analyses.

Abstract

With the growing significance of network security, the classification of encrypted traffic has emerged as an urgent challenge. Traditional byte-based traffic analysis methods are constrained by the rigid granularity of information and fail to fully exploit the diverse correlations between bytes. To address these limitations, this paper introduces MH-Net, a novel approach for classifying network traffic that leverages multi-view heterogeneous traffic graphs to model the intricate relationships between traffic bytes. The essence of MH-Net lies in aggregating varying numbers of traffic bits into multiple types of traffic units, thereby constructing multi-view traffic graphs with diverse information granularities. By accounting for different types of byte correlations, such as header-payload relationships, MH-Net further endows the traffic graph with heterogeneity, significantly enhancing model performance. Notably, we employ contrastive learning in a multi-task manner to strengthen the robustness of the learned traffic unit representations. Experiments conducted on the ISCX and CIC-IoT datasets for both the packet-level and flow-level traffic classification tasks demonstrate that MH-Net achieves the best overall performance compared to dozens of SOTA methods.
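A sketch of the graph construction the abstract describes, as an added example that is not the authors' code: bytes are regrouped into traffic units of several bit lengths, and each view connects units by pointwise mutual information (PMI) over a sliding window, with edges typed by header or payload origin. The window size, the bit lengths (4, 8, 16), the PMI > 0 cutoff, the `hh`/`hp`/`pp` edge labels and all function names are assumptions made for illustration.

```python
import math
from collections import Counter
from itertools import combinations

def to_units(data: bytes, bits: int) -> list[int]:
    """Regroup bytes into consecutive `bits`-bit traffic units (leftover tail bits dropped)."""
    bitstr = "".join(f"{b:08b}" for b in data)
    usable = len(bitstr) - len(bitstr) % bits
    return [int(bitstr[i:i + bits], 2) for i in range(0, usable, bits)]

def build_view(packets, bits, window=4):
    """One view: nodes are (section, unit value); edges map to (type, PMI), PMI > 0 only."""
    node_cnt, pair_cnt, n_windows = Counter(), Counter(), 0
    for header, payload in packets:
        # Tag every unit with the section it came from: "h" header, "p" payload.
        seq = [("h", u) for u in to_units(header, bits)]
        seq += [("p", u) for u in to_units(payload, bits)]
        if not seq:
            continue
        # Slide a fixed-size window over the packet and count co-occurrences.
        for i in range(max(1, len(seq) - window + 1)):
            nodes = sorted(set(seq[i:i + window]))
            n_windows += 1
            node_cnt.update(nodes)
            pair_cnt.update(combinations(nodes, 2))
    edges = {}
    for (a, b), c in pair_cnt.items():
        # PMI = log( p(a,b) / (p(a) * p(b)) ), probabilities as window fractions.
        pmi = math.log(c * n_windows / (node_cnt[a] * node_cnt[b]))
        if pmi > 0:
            edges[(a, b)] = (a[0] + b[0], round(pmi, 3))  # type: "hh", "hp" or "pp"
    return edges

def build_views(packets, bit_lengths=(4, 8, 16), window=4):
    """Multi-view graph set: one PMI graph per traffic-unit bit length."""
    return {bits: build_view(packets, bits, window) for bits in bit_lengths}

# Constructed sample: (header bytes, payload bytes) per packet, not real traffic.
SAMPLE = [(b"\x01\x02", b"\xaa\xbb"), (b"\x01\x02", b"\xcc\xdd")]

if __name__ == "__main__":
    for bits, edges in build_views(SAMPLE, window=2).items():
        print(bits, "bit units:", len(edges), "edges")
```

In the 8-bit view of the sample, the header pair and both payload pairs keep positive PMI, while the header-payload pairs fall below zero and are dropped.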

Paper Structure (31 sections, 12 equations, 4 figures, 7 tables)

This paper contains 31 sections, 12 equations, 4 figures, 7 tables.

Figures (4)

  • Figure 1: MH-Net Model Architecture.
  • Figure 2: Sensitivity Analysis w.r.t. $\alpha$ and $\beta$ on the ISCX-VPN Dataset.
  • Figure 3: The Choice of Traffic Units on the ISCX-VPN Dataset.
  • Figure 4: The Combination of Traffic Units on the ISCX-VPN Dataset.