Language of Network: A Generative Pre-trained Model for Encrypted Traffic Comprehension

Di Zhao, Bo Jiang, Song Liu, Susu Cui, Meng Shen, Dongqi Han, Xingmao Guan, Zhigang Lu

TL;DR

This work addresses the challenge of analyzing encrypted network traffic, where payloads are inaccessible and labeled data are scarce. It proposes GBC, a Generative Model Based on Pre-training for Encrypted Traffic Comprehension, which combines protocol-aware tokenization with GPT-2-style pre-training to learn robust traffic representations and support both classification and realistic traffic generation. Empirical results show a notable 5% improvement in F1-score for classification over state-of-the-art methods and a 9% improvement in detection when using generated traffic for data augmentation, demonstrating practical benefits for defense in depth and resilience to data imbalance. The approach reduces dependence on large labeled datasets and provides synthetic, protocol-consistent traffic that can be used to train more robust classifiers and evaluate security systems in realistic settings.

Abstract

The increasing demand for privacy protection and security considerations leads to a significant rise in the proportion of encrypted network traffic. Since traffic content becomes unrecognizable after encryption, accurate analysis is challenging, making it difficult to classify applications and detect attacks. Deep learning is currently the predominant approach for encrypted traffic classification through feature analysis. However, these methods face limitations due to their high dependence on labeled data and difficulties in detecting attack variants. First, their performance is highly sensitive to data quality, where the high-cost manual labeling process and dataset imbalance significantly degrade results. Second, the rapid evolution of attack patterns makes it challenging for models to identify new types of attacks. To tackle these challenges, we present GBC, a generative model based on pre-training for encrypted traffic comprehension. Since traditional tokenization methods are primarily designed for natural language, we propose a protocol-aware tokenization approach for encrypted traffic that improves model comprehension of fields specific to network traffic. In addition, GBC employs pre-training to learn general representations from extensive unlabeled traffic data. Through prompt learning, it effectively adapts to various downstream tasks, enabling both high-quality traffic generation and effective detection. Evaluations across multiple datasets demonstrate that GBC achieves superior results in both traffic classification and generation tasks, resulting in a 5% improvement in F1 score compared to state-of-the-art methods for classification tasks.

Paper Structure

This paper contains 21 sections, 3 equations, 8 figures, 5 tables.

Figures (8)

  • Figure 1: The framework of GBC. In the preprocessing phase, the model receives network traffic as input, then performs tokenization based on packet structure and network protocol specifications. Following preprocessing, the resulting token sequence serves as input for the next step. The model is pre-trained on large amounts of unlabeled data and fine-tuned for specific tasks using labeled data. When applied to downstream tasks, the model can achieve efficient traffic classification. Additionally, to address issues such as sample imbalance, the model can generate highly realistic traffic for data augmentation, thereby improving performance.
  • Figure 2: Tokenization process. Segment traffic data according to protocol specifications, preserving structural and semantic integrity.
  • Figure 3: KDE analysis between real and generated traffic. We select four types of attacks from the CIC IOT dataset 2023 for our experiments, including BrowserHijacking, Backdoor, CommandInjection, and SqlInjection. We compare the distribution differences between original traffic and generated traffic in terms of source port, destination port, and IP packet length.
  • Figure 4: JSD divergence comparison. GBC w/o pt represents the model with the pre-training step removed. We compare the gap in generation capability between this and the complete model.
  • Figure 5: Changes in classification performance under different positive-to-negative sample ratios. From left to right, the proportion of positive samples gradually decreases.
  • ...and 3 more figures
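
Added example, not code from the paper or the GBC project: a sketch of what tokenizing along protocol field boundaries (Figure 2) means for an IPv4/TCP packet, next to fixed-width byte chunking. The token naming scheme, the function names and the sample packet are assumptions constructed for illustration; the page does not give GBC's actual vocabulary.

```python
import struct

# Assumed (name, byte width) layouts taken from the IPv4 and TCP header formats.
IPV4 = [("ver_ihl", 1), ("tos", 1), ("len", 2), ("id", 2), ("frag", 2),
        ("ttl", 1), ("proto", 1), ("csum", 2), ("src", 4), ("dst", 4)]
TCP = [("sport", 2), ("dport", 2), ("seq", 4), ("ack", 4), ("off_flags", 2),
       ("win", 2), ("csum", 2), ("urg", 2)]
# Constructed sample: IPv4 + TCP to port 443 + the first 6 bytes of a TLS record.
SAMPLE = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 46, 0x1C46, 0x4000, 64, 6, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
          + struct.pack("!HHIIHHHH", 51514, 443, 1, 0, 0x5018, 65535, 0, 0)
          + bytes.fromhex("170303000112"))

def _fields(layer, layout, data, pos):
    """Emit one token per header field; mark a header that is cut short."""
    tokens = []
    for name, width in layout:
        if pos + width > len(data):
            return tokens + [f"<{layer}.truncated>"], len(data)
        tokens.append(f"{layer}.{name}:{data[pos:pos + width].hex()}")
        pos += width
    return tokens, pos

def tokenize(packet, chunk=2):
    """Hypothetical protocol-aware tokenizer: headers by field, payload by chunk."""
    if not packet or packet[0] >> 4 != 4:
        return ["<non-ipv4>"]
    tokens, pos = _fields("ip", IPV4, packet, 0)
    if tokens[-1].endswith("truncated>"):
        return tokens
    ihl = (packet[0] & 0x0F) * 4
    if ihl > pos:                          # IPv4 options get their own token
        tokens.append(f"ip.options:{packet[pos:ihl].hex()}")
    pos = max(ihl, pos)
    if packet[9] == 6:                     # protocol number 6 = TCP
        tcp, end = _fields("tcp", TCP, packet, pos)
        tokens += tcp
        if not tcp[-1].endswith("truncated>"):
            doff = (packet[pos + 12] >> 4) * 4
            if doff > 20:                  # TCP options get their own token
                tokens.append(f"tcp.options:{packet[end:pos + doff].hex()}")
            end = max(end, pos + doff)
        pos = end
    # The encrypted payload has no visible fields, so it is cut into fixed chunks.
    return tokens + [f"data:{packet[i:i + chunk].hex()}" for i in range(pos, len(packet), chunk)]

def naive_tokenize(packet, chunk=2):
    """Baseline: fixed-width chunks that ignore where fields begin and end."""
    return [packet[i:i + chunk].hex() for i in range(0, len(packet), chunk)]
```

On the sample, the fixed-width baseline fuses TTL and protocol number into the single token `4006`, while the field-aligned version keeps them as separate, named tokens.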