WANG Menghan, ZHOU Zhengchun, JI Qingbing. A Cross-Dimensional Collaborative Framework for Header-Metadata-Driven Encrypted Traffic Identification[J]. Journal of Electronics & Information Technology. doi: 10.11999/JEIT250434

A Cross-Dimensional Collaborative Framework for Header-Metadata-Driven Encrypted Traffic Identification

doi: 10.11999/JEIT250434 cstr: 32379.14.JEIT250434
Funds:  Innovation Group Project of Sichuan Provincial Natural Science Foundation (2024NSFTD0015), Stability Program of National Key Laboratory of Security Communication (WD202403)
  • Available Online: 2025-10-20
Objective: With the widespread application of network communication encryption technologies, identifying encrypted traffic has become a core network security problem that demands urgent resolution. Traditional identification methods based on payload content face the risk of feature invalidation as encryption algorithms are continuously upgraded, which creates detection blind spots in dynamic network environments. Meanwhile, although the header is a crucial carrier for protocol interaction, the value of its structured features remains largely unexploited. Furthermore, as encryption protocols continue to develop, existing encrypted traffic identification methods also suffer from insufficient feature interpretability and weak model robustness against adversarial attacks. To tackle these problems, this paper proposes a cross-dimensional collaborative identification framework for encrypted traffic that is driven by header metadata features. It systematically reveals and demonstrates the dominant role of header features in encrypted traffic identification, breaking through the limitations of traditional single-perspective analysis and revolutionizing the conventional reliance on payload data. The framework can be used to analyze the performance boundaries of deep models and to evaluate the credibility of their decisions. Additionally, effective feature screening removes redundant features, which enhances anti-interference capability in encrypted scenarios while reducing model complexity, thereby enabling the design of lighter and more robust encrypted traffic identification models.
Methods: This study conducts an analysis from three dimensions: network traffic feature selection and identification performance, evaluation of the importance of quantifying input features for identification results, and the impact of adversarial perturbations on model robustness. First, the dominant role of header features is verified by comparing the characteristics and differences of three forms of traffic packets and their impact on the identification performance of an encrypted traffic model based on the One-Dimensional Convolutional Neural Network (1D-CNN). Second, the dual-path explainable algorithms of Layer-wise Relevance Propagation (LRP) and Deep Taylor Decomposition (DTD) are used to further verify the key role of header features in network traffic classification. The contributions of header and payload features to the identification results are quantified from two perspectives, the relevance of backpropagation and the contribution coefficients of the Taylor series expansion, which improves feature interpretability. Finally, adversarial attack methods based on Projected Gradient Descent (PGD) perturbation and random perturbation are employed. Adversarial network traffic is generated by injecting carefully constructed adversarial perturbation data into the start and end parts of the payload, or by adding randomly generated data, so that the network traffic identification model makes wrong predictions. On this basis, the impact of adversarial perturbations on the model's decision-making is analyzed, and the stability and anti-interference capabilities of the network traffic identification model under adversarial attacks are evaluated.
Results and Discussions: Comparative experiments on the ISCXVPN2016 and ISCXTor2016 datasets show the following. (1) In terms of recognition performance, the F1 score of the model based solely on header features can be increased by up to 6% compared with that of the model using complete traffic, and by up to 61% compared with that of the model based only on payload features. This verifies that packet header features possess irreplaceable significance in the identification of encrypted network traffic. The key information they contain plays a dominant role in enabling the model to accurately identify traffic types. Even without relying on payload features, efficient identification can be achieved from headers alone (Figure 2, Table 4). (2) In the interpretability evaluation, the LRP and DTD methods are effectively used to quantify the core contribution of header features to the classification performance of the model. Their correlation is much higher than that of payload features, and the average proportion of the correlation score is at most 89.8% higher than that of payload features (Figure 3, Figure 4, Table 5). This is highly consistent with the classification performance of the 1D-CNN and further confirms the significant importance and dominant impact of header features in encrypted traffic identification. (3) In terms of anti-interference robustness, the Header-Payload combination exhibits relatively good robustness under adversarial attacks. Especially in the case of low bandwidth, the model with header features has a significant advantage in the maximum anti-interference performance retention rate under the same bandwidth disturbance compared with the pure payload model, with the maximum gap reaching 98.46%. This confirms the key role of header features in enhancing the model's robustness (Figure 5, Figure 6). Header features can provide more stable recognition performance, whereas payload information is vulnerable to interference, leading to a sharp decline in recognition performance. In addition, the identification performance, quantified contribution, and anti-attack effectiveness of header features are affected by the characteristics of data types and distributions, so that payload features play a certain auxiliary role for some traffic types.
Conclusions: This paper addresses the core problems of traditional payload-dependent methods in encrypted traffic identification, including feature degradation, insufficient interpretability, and weak adversarial robustness. It proposes a cross-dimensional collaborative identification framework driven by header features. Through systematic theoretical analysis and experimental validation from three dimensions, the framework reveals and proves the irreplaceable value of header features in network traffic identification, overcoming the limitations of traditional single-perspective analysis. This identification framework provides a theoretical basis for the efficiency and robustness of encrypted traffic identification. Future research will focus on enhancing dynamic adaptability, fusing multi-modal features, implementing lightweight design, and deepening adversarial defense. These efforts will promote the evolution of encrypted traffic identification technology towards greater intelligence and robustness.
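The Methods paragraph compares three forms of each packet as classifier input. The sketch below is an added example, not the authors' code: it derives header-only, payload-only and complete byte vectors from one frame, assuming Ethernet II/IPv4 with TCP or UDP, a 64-byte input length and byte/255 scaling (none of these are given in the abstract), and the sample frame is constructed.

```python
import struct

ETH_LEN = 14   # Ethernet II without VLAN tag (assumption)
VEC_LEN = 64   # fixed input length per view (assumed; the abstract gives none)

def split_packet(frame: bytes):
    """Split an Ethernet/IPv4 TCP or UDP frame into (header, payload) bytes."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II / IPv4 frame")
    ihl = (frame[ETH_LEN] & 0x0F) * 4                 # IPv4 header length
    total_len = struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]
    proto, l4 = frame[ETH_LEN + 9], ETH_LEN + ihl
    if proto == 6 and len(frame) >= l4 + 20:          # TCP: data offset field
        l4_len = (frame[l4 + 12] >> 4) * 4
    elif proto == 17:                                 # UDP: fixed 8 bytes
        l4_len = 8
    else:
        raise ValueError("unsupported or truncated transport header")
    end = min(len(frame), ETH_LEN + total_len)        # drop Ethernet padding
    cut = l4 + l4_len
    if ihl < 20 or (proto == 6 and l4_len < 20) or cut > end:
        raise ValueError("malformed header lengths")
    return frame[:cut], frame[cut:end]

def to_vector(data: bytes, n: int = VEC_LEN):
    """Truncate or zero-pad to n bytes and scale each byte to [0, 1]."""
    return [b / 255 for b in data[:n].ljust(n, b"\x00")]

def three_views(frame: bytes):
    """Build the header-only, payload-only and complete inputs for one packet."""
    header, payload = split_packet(frame)
    return {"header": to_vector(header),
            "payload": to_vector(payload),
            "complete": to_vector(header + payload)}

def sample_frame() -> bytes:
    """Constructed frame: zero MACs, 10.0.0.1 -> 10.0.0.2, TCP port 443."""
    payload = bytes.fromhex("1703030005") + b"\xaa" * 5
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6,
                     0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 1, 1, 0x50, 0x18, 1024, 0, 0)
    return eth + ip + tcp + payload + b"\x00\x00"     # 2 bytes of link padding

if __name__ == "__main__":
    views = three_views(sample_frame())
    print({name: vec[:4] for name, vec in views.items()})
```

Computing the cut from the IHL and TCP data-offset fields keeps IP and TCP options on the header side, and trimming to the IPv4 total length keeps link-layer padding out of the payload view.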
    Figures(6)  / Tables(5)