Classify Traffic Rather Than Flow: Versatile Multi-Flow Encrypted Traffic Classification With Flow Clustering.

Encrypted Traffic Classification (ETC) can provide necessary information support for network management and security. The state-of-the-art ETC methods take a single flow as the unit and only use sequence features based on in-flow relationships. In an actual network, one-time access to an application will generate multiple flows. Taking a single flow as the classification unit will produce many repeated and potentially erroneous results, which dramatically reduces the classification efficiency and prevents the results from being used for effective network management and security. In this paper, we propose a multi-flow ETC method. Since multiple flows generated by an application cannot be directly bound in a complex multi-application scenario, we first cluster the encrypted traffic to acquire flow bunches through the proposed Time Sequential Hierarchical Clustering with Sliding Windows (TSHC-SW) algorithm. Then, based on the flow bunches, we propose five different multi-flow classification schemas that can realize multi-flow classification effectively with model-independent. Open-world experiments show that our method is versatile in that it can pursue classification accuracy, speed, or sample covering rate, respectively, according to the actual demand and network environment constraints. In flow clustering, we achieve 95% adjusted Rand Index and 98% purity. In the multi-flow classification, we have over 99% F1-score, 79% prediction time saving, and 5% sample covering rate increasing, which is far superior to the state-of-the-art single-flow methods.