RT-CBCH: Real-Time VPN Traffic Service Identification Based on Sampled Data in High-Speed Networks

Virtual Private Network (VPN) technology can bypass censorship and access geographically locked services. Some harmful information may be hidden in VPN traffic and circumvent the surveillance systems, bringing a significant challenge to network security. Considering the increasing richness of service types in VPN traffic, identifying traffic service facilitates further targeting harmful VPN traffic. Therefore, VPN traffic service identification is critical in network management. The existing identification methods use complete traffic for analysis. However, massive data analysis in high-speed networks consumes enormous resources, limiting the real-time processing of traffic identification. This paper proposes a real-time VPN traffic service identification method named RT-CBCH. We construct features that are still available after sampling and design a fast traffic processing structure based on Counting Bloom Filter and Chained Hash Table (CBCH). Experimental results validate the real-time capability, stability and accuracy of our method. At the sampling ratio of 1/256, it takes only 23.63 seconds to process the mixed traffic of 900-second traffic generated on a 10 Gbps link and our collected V2Ray traffic, which is increasingly common in VPN traffic. Under different sampling ratios, the identification results remain respectable, with an overall accuracy of about 90% for application service and over 99% for V2Ray proxy service. Furthermore, comparisons with similar work illustrate the high accuracy and low resource consumption of RT-CBCH. Experimental results show that our method can stably implement real-time VPN traffic service identification from sampled data in high-speed networks.