WFF-EGNN: Encrypted Traffic Classification Based on Weaved Flow Fragment via Ensemble Graph Neural Networks

Traffic analysis plays an essential role in network management and security protection under the premise of fully protecting user privacy. Unfortunately, encryption dramatically reduces the disclosure of traffic information, making encrypted traffic analysis more challenging than plaintext traffic analysis, especially in the environment of new encryption protocols (e.g., TLS-1.3, QUIC). The existing tensor-based methods mainly focus on optimizing packet length sequence features and introducing the latest deep learning model. However, the tensor-based features cannot sufficiently express the structured non-Euclidean Markov properties inside the encrypted traffic. This paper proposes a novel traffic graphical expression model named Weaved Flow Fragment (WFF) to transform a packet sequence into a graph, which better represents the packet sequence’s inner relationship than the tensor. WFF also considers the co-evolution relationship and the cross-direction change relationship in the bidirectional flow, breaking through the limitation that the tensor-like length sequence only considers the adjacent Markov properties. Then, we use the latest graph convolutional networks, gated graph neuron networks, and capsule graph neural networks to implement classification based on WFF, respectively. Further, to give full play to the advantages of different graph neural network classifiers to improve classification effect in large-scale data scenarios, we proposed the ensemble graph neural network architecture with several ensemble mechanisms to reduce the possibility of classification error caused by overfitting and model concerns. Experiments show that our classification effect is much better than the state-of-the-art methods (achieved 99.25% F1-score) in an open-world environment, and the model size is reduced by 99.1%.