Table of Contents
Fetching ...

Bias in the Shadows: Explore Shortcuts in Encrypted Network Traffic Classification

Chuyi Wang, Xiaohui Xie, Tongze Wang, Yong Cui

TL;DR

BiasSeeker addresses shortcut learning in encrypted network traffic classification by offering a model-agnostic, data-driven framework that detects dataset-specific shortcut features directly from raw traffic. Through AMI-based feature ranking, taxonomy-driven categorization (Data-Leakage Identifiers, Relative Artifacts, Task-Agnostic Fields), and category-specific validation, BiasSeeker systematically reduces reliance on spurious cues while preserving informative information. Extensive evaluations across 19 public datasets spanning VPN, malware, and encrypted application tasks demonstrate its ability to uncover hidden biases and improve transferability under distribution shifts. The work emphasizes deliberate, context-aware feature selection as a prerequisite to robust, generalizable NTC models and outlines a path toward semantic, protocol-invariant learning and more realistic benchmarks.

Abstract

Pre-trained models operating directly on raw bytes have achieved promising performance in encrypted network traffic classification (NTC), but often suffer from shortcut learning-relying on spurious correlations that fail to generalize to real-world data. Existing solutions heavily rely on model-specific interpretation techniques, which lack adaptability and generality across different model architectures and deployment scenarios. In this paper, we propose BiasSeeker, the first semi-automated framework that is both model-agnostic and data-driven for detecting dataset-specific shortcut features in encrypted traffic. By performing statistical correlation analysis directly on raw binary traffic, BiasSeeker identifies spurious or environment-entangled features that may compromise generalization, independent of any classifier. To address the diverse nature of shortcut features, we introduce a systematic categorization and apply category-specific validation strategies that reduce bias while preserving meaningful information. We evaluate BiasSeeker on 19 public datasets across three NTC tasks. By emphasizing context-aware feature selection and dataset-specific diagnosis, BiasSeeker offers a novel perspective for understanding and addressing shortcut learning in encrypted network traffic classification, raising awareness that feature selection should be an intentional and scenario-sensitive step prior to model training.

Bias in the Shadows: Explore Shortcuts in Encrypted Network Traffic Classification

TL;DR

BiasSeeker addresses shortcut learning in encrypted network traffic classification by offering a model-agnostic, data-driven framework that detects dataset-specific shortcut features directly from raw traffic. Through AMI-based feature ranking, taxonomy-driven categorization (Data-Leakage Identifiers, Relative Artifacts, Task-Agnostic Fields), and category-specific validation, BiasSeeker systematically reduces reliance on spurious cues while preserving informative information. Extensive evaluations across 19 public datasets spanning VPN, malware, and encrypted application tasks demonstrate its ability to uncover hidden biases and improve transferability under distribution shifts. The work emphasizes deliberate, context-aware feature selection as a prerequisite to robust, generalizable NTC models and outlines a path toward semantic, protocol-invariant learning and more realistic benchmarks.

Abstract

Pre-trained models operating directly on raw bytes have achieved promising performance in encrypted network traffic classification (NTC), but often suffer from shortcut learning-relying on spurious correlations that fail to generalize to real-world data. Existing solutions heavily rely on model-specific interpretation techniques, which lack adaptability and generality across different model architectures and deployment scenarios. In this paper, we propose BiasSeeker, the first semi-automated framework that is both model-agnostic and data-driven for detecting dataset-specific shortcut features in encrypted traffic. By performing statistical correlation analysis directly on raw binary traffic, BiasSeeker identifies spurious or environment-entangled features that may compromise generalization, independent of any classifier. To address the diverse nature of shortcut features, we introduce a systematic categorization and apply category-specific validation strategies that reduce bias while preserving meaningful information. We evaluate BiasSeeker on 19 public datasets across three NTC tasks. By emphasizing context-aware feature selection and dataset-specific diagnosis, BiasSeeker offers a novel perspective for understanding and addressing shortcut learning in encrypted network traffic classification, raising awareness that feature selection should be an intentional and scenario-sensitive step prior to model training.
Paper Structure (44 sections, 4 equations, 4 figures, 3 tables)

This paper contains 44 sections, 4 equations, 4 figures, 3 tables.

Figures (4)

  • Figure 1: Workflow of the Feature Analysis Process
  • Figure 2: Top-k AMI Features in VPN Traffic Datasets
  • Figure 3: (L) Average AMI Scores of Key Features Across Tasks; (R) AMI Comparison of Relative Artifacts Across Tasks.
  • Figure 4: TCP Window Size Distributions Across Different Network Quality Conditions