Fine-grained TLS services classification with reject option
This provides a benchmark for encrypted traffic analysis, addressing the need for large, realistic datasets in network security, though it is incremental as it builds on existing methods.
The paper tackles the problem of fine-grained service classification in encrypted network traffic by collecting a large dataset with 140 million flows and 200 service labels, and demonstrates its utility by achieving 97.04% classification accuracy and 91.94% detection of unknown services with a 5% false positive rate using a neural network.
The recent success and proliferation of machine learning and deep learning have provided powerful tools, which are also utilized for encrypted traffic analysis, classification, and threat detection in computer networks. These methods, neural networks in particular, are often complex and require a huge corpus of training data. Therefore, this paper focuses on collecting a large up-to-date dataset with almost 200 fine-grained service labels and 140 million network flows extended with packet-level metadata. The number of flows is three orders of magnitude higher than in other existing public labeled datasets of encrypted traffic. The number of service labels, which is important to make the problem hard and realistic, is four times higher than in the public dataset with the most class labels. The published dataset is intended as a benchmark for identifying services in encrypted traffic. Service identification can be further extended with the task of "rejecting" unknown services, i.e., the traffic not seen during the training phase. Neural networks offer superior performance for tackling this more challenging problem. To showcase the dataset's usefulness, we implemented a neural network with a multi-modal architecture, which is the state-of-the-art approach, and achieved 97.04% classification accuracy and detected 91.94% of unknown services with 5% false positive rate.