A Cross-Dimensional Collaborative Framework for Header-Metadata-Driven Encrypted Traffic Identification

WANG Menghan; ZHOU Zhengchun; JI Qingbing

doi:10.11999/JEIT250434

Article Contents

Article Navigation > Journal of Electronics & Information Technology > 2025 >

WANG Menghan, ZHOU Zhengchun, JI Qingbing. A Cross-Dimensional Collaborative Framework for Header-Metadata-Driven Encrypted Traffic Identification[J]. Journal of Electronics & Information Technology. doi: 10.11999/JEIT250434

Citation:

WANG Menghan, ZHOU Zhengchun, JI Qingbing. A Cross-Dimensional Collaborative Framework for Header-Metadata-Driven Encrypted Traffic Identification[J]. Journal of Electronics & Information Technology. doi: 10.11999/JEIT250434

Citation:

PDF( 3863 KB)

A Cross-Dimensional Collaborative Framework for Header-Metadata-Driven Encrypted Traffic Identification

doi: 10.11999/JEIT250434 cstr: 32379.14.JEIT250434

1.
Southwest Jiaotong University, Chengdu 611756, China
2.
National Key Laboratory of Security Communications, Chengdu 610041, China

Funds: The Innovation Group Project of Sichuan Provincial Natural Science Foundation (2024NSFTD0015), Stability Program of National Key Laboratory of Security Communication (WD202403)

Received Date: 2025-05-20
Rev Recd Date: 2025-09-25

Available Online: 2025-10-20

Abstract

Abstract

Objective With the widespread adoption of network communication encryption technologies, encrypted traffic identification has become a critical problem in network security. Traditional identification methods based on payload content face the risk of feature invalidation due to the continuous evolution of encryption algorithms, leading to detection blind spots in dynamic network environments. Meanwhile, the structured information embedded in packet headers, an essential carrier for protocol interaction, remains underutilized. Furthermore, as encryption protocols evolve, existing encrypted traffic identification approaches encounter limitations such as poor feature interpretability and weak model robustness against adversarial attacks. To address these challenges, this paper proposes a cross-dimensional collaborative identification framework for encrypted traffic, driven by header metadata features. The framework systematically reveals and demonstrates the dominant role of header features in encrypted traffic identification, overcoming the constraints of single-perspective analyses and reducing dependence on payload data. It further enables the assessment of deep model performance boundaries and decision credibility. Through effective feature screening and pruning, redundant attributes are eliminated, enhancing the framework’s anti-interference capability in encrypted scenarios. This approach reduces model complexity while improving interpretability and robustness, facilitating the design of lighter and more reliable encrypted traffic identification models. Methods This study performs a three-dimensional analysis including (1) network traffic feature selection and identification performance, (2) quantitative evaluation of feature importance in classification, and (3) assessment of model robustness under adversarial perturbations. First, the characteristics, differences, and effects on identification performance are compared among three forms of encrypted traffic packets using a One-Dimensional Convolutional Neural Network (1D-CNN). This comparison verifies the dominant role of header features in encrypted traffic identification. Second, two explainable algorithms, Layer-wise Relevance Propagation (LRP) and Deep Taylor Decomposition (DTD), are employed to further confirm the essential contribution of header features to network traffic classification. The relative importance of header and payload features is quantified from two perspectives: (i) the relevance of backpropagation and (ii) the contribution coefficients derived from Taylor series expansion, thereby enhancing feature interpretability. Finally, adversarial attack experiments are conducted using Projected Gradient Descent (PGD) and random perturbations. By injecting carefully constructed adversarial perturbation data into the initial and terminal parts of the payload, or by adding randomly generated noise to produce adversarial traffic, the study examines the effect of these perturbations on model decision-making. This analysis evaluates the stability and anti-interference capabilities of the encrypted traffic identification model under adversarial conditions. Results and Discussions Comparative experiments conducted on the ISCXVPN2016 and ISCXTor2016 datasets yield three key findings. (1) Recognition performance. The model based solely on header features achieves an F1 score up to 6% higher than that of the model using complete traffic, and up to 61% higher than that of the model using only payload features. These results verify that header features possess irreplaceable significance in encrypted traffic identification. The structural information embedded in headers plays a dominant role in enabling the model to accurately classify traffic types. Even without payload data, high identification accuracy can be achieved using header information alone (Figure 2, Table 4). (2) Interpretability evaluation. The LRP and DTD methods are used to quantify the contribution of header features to model classification. The correlation between header features and classification performance is markedly higher than that of payload features, with the average proportion of the correlation score up to 89.8% greater (Figures 3～4, Table 5). This result is highly consistent with the classification behavior of the One-Dimensional Convolutional Neural Network (1D-CNN), further confirming the critical importance and dominant influence of header features in encrypted traffic identification. (3) Anti-interference robustness. The combined Header–Payload model exhibits strong robustness under adversarial attacks. Particularly under low-bandwidth conditions, the model incorporating header features shows a markedly higher maximum performance retention rate under equivalent bandwidth perturbation than the pure payload model, with the maximum difference reaching 98.46%. This finding confirms the essential role of header features in enhancing model robustness (Figures 5～6). Header-based models maintain stable recognition performance, whereas payload information is more susceptible to interference, leading to sharp performance degradation. In addition, the identification performance, contribution quantification, and anti-attack effectiveness of header features are influenced by data type and distribution characteristics. In certain cases, payload features provide auxiliary support, suggesting a complementary relationship between the two feature domains. Conclusions This study addresses core challenges in encrypted traffic identification, including feature degradation, limited interpretability, and weak adversarial robustness in traditional payload-dependent methods. A cross-dimensional collaborative identification framework driven by header features is proposed. Through systematic theoretical analysis and experimental validation from three perspectives, the framework demonstrates the irreplaceable value of header features in network traffic identification and overcomes the limitations of conventional single-perspective approaches. It provides a theoretical foundation for improving the efficiency, interpretability, and robustness of encrypted traffic identification models. Future work will focus on enhancing dynamic adaptability, integrating multi-modal features, implementing lightweight architectures, and strengthening adversarial defense mechanisms. These directions are expected to advance encrypted traffic identification technology toward higher intelligence, adaptability, and resilience.
- Header metadata features,
- Encrypted traffic identification,
- Interpretability,
- Adversarial perturbation

FullText(HTML)

References(18)

References

[1]	CHOOROD P, WEIR G, and FERNANDO A. Classifying tor traffic encrypted payload using machine learning[J]. IEEE Access, 2024, 12: 19418–19431. doi: 10.1109/ACCESS.2024.3356073.
[2]	SHEN Meng, YE Ke, LIU Xingtong, et al. Machine learning-powered encrypted network traffic analysis: A comprehensive survey[J]. IEEE Communications Surveys & Tutorials, 2023, 25(1): 791–824. doi: 10.1109/COMST.2022.3208196.
[3]	ABBASI M, SHAHRAKI A, and TAHERKORDI A. Deep learning for network traffic monitoring and analysis (NTMA): A survey[J]. Computer Communications, 2021, 170: 19–41. doi: 10.1016/j.comcom.2021.01.021.
[4]	OKONKWO Z, FOO E, LI Qinyi, et al. A CNN based encrypted network traffic classifier[C]. 2022 Australasian Computer Science Week, Brisbane, Australia, 2022: 74–83. doi: 10.1145/3511616.3513101.
[5]	WANG Wei, ZHU Ming, WANG Jinlin, et al. End-to-end encrypted traffic classification with one-dimensional convolution neural networks[C]. 2017 IEEE International Conference on Intelligence and Security Informatics, Beijing, China, 2017: 43–48. doi: 10.1109/ISI.2017.8004872.
[6]	CUI Yuqing and LI Aihua. Research on network encrypted traffic detection technology based on CNN+LSTM[C]. 2024 2nd International Conference on Signal Processing and Intelligent Computing, Guangzhou, China, 2024: 191–195. doi: 10.1109/SPIC62469.2024.10691502.
[7]	HU Feifei, ZHANG Situo, LIN Xuebin, et al. Network traffic classification model based on attention mechanism and spatiotemporal features[J]. EURASIP Journal on Information Security, 2023, 2023(1): 6. doi: 10.1186/s13635-023-00141-4.
[8]	HONG Yueping, LI Qi, YANG Yanqing, et al. Graph based encrypted malicious traffic detection with hybrid analysis of multi-view features[J]. Information Sciences, 2023, 644: 119229. doi: 10.1016/j.ins.2023.119229.
[9]	YU Rongwei, GUO Xiya, ZHANG Peihao, et al. HGNN-ETC: Higher-order graph neural network based on chronological relationships for encrypted traffic classification[J]. Computers, Materials & Continua, 2024, 81(2): 2643–2664. doi: 10.32604/cmc.2024.056165.
[10]	DIAO Zulong, XIE Gaogang, WANG Xin, et al. EC-GCN: A encrypted traffic classification framework based on multi-scale graph convolution networks[J]. Computer Networks, 2023, 224: 109614. doi: 10.1016/j.comnet.2023.109614.
[11]	LIM W, YONG K S C, LAU B T, et al. Future of generative adversarial networks (GAN) for anomaly detection in network security: A review[J]. Computers & Security, 2024, 139: 103733. doi: 10.1016/j.cose.2024.103733.
[12]	DING Hongwei, SUN YU, HUANG Nana, et al. TMG-GAN: Generative Adversarial Networks-Based Imbalanced Learning for Network Intrusion Detection[J]. IEEE Transactions on Information Forensics and Security, 2023, 19: 1156–1167. doi: 10.1109/TIFS.2023.3331240.
[13]	JAIN S and WALLACE B C. Attention is not explanation[C]. 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Minneapolis, USA, 2019: 3543–3556. doi: 10.18653/v1/N19-1357.
[14]	BINDER A, MONTAVON G, LAPUSCHKIN S, et al. Layer-wise relevance propagation for neural networks with local renormalization layers[C]. The 25th International Conference on Artificial Neural Networks and Machine Learning, Barcelona, Spain, 2016: 63–71. doi: 10.1007/978-3-319-44781-0_8.
[15]	KAUFFMANN J, MÜLLER K R, and MONTAVON G. Towards explaining anomalies: A deep Taylor decomposition of one-class models[J]. Pattern Recognition, 2020, 101: 107198. doi: 10.1016/j.patcog.2020.107198.
[16]	MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[C]. The 6th International Conference on Learning Representations, Vancouver, Canada, 2018.
[17]	DRAPER-GIL G, LASHKARI A H, MAMUN M S I, et al. Characterization of encrypted and VPN traffic using time-related features[C]. The 2nd International Conference on Information Systems Security and Privacy, Rome, Italy, 2016: 407–414. doi: 10.5220/0005740704070414.
[18]	LASHKARI A H, GIL G D, MAMUN M S I, et al. Characterization of tor traffic using time based features[C]. The 3rd International Conference on Information Systems Security and Privacy, Porto, Portugal, 2017: 253–262. doi: 10.5220/0006105602530262.