一种多特征融合的加密流量快速分类方法

网络流量识别是网络管理和安全服务的基础.随着互联网的不断扩展及其复杂性的增加，传统基于规则的识别方法或流行为特征的方法正在面临着巨大挑战.受自然语言处理（Nature Language Processing， NLP）启发，本文提出了一种多特征融合的加密流量快速分类方法.该方法通过融合数据包和字节序列特征来完成网络流的特征表示，采用双元字节编码将所选特征扩展为双字节序列，增加了字节的上下文语义特征；通过与数据包特征处理相适应的池化方法来最大限度保留数据包的特征信息，从而使所提模型具有更强的抗噪能力和更精确的分类能力.本文方法分别在ISCX-2016和一个包含66个热门应用程序的私有数据集（ETD66）上进行验证，并与其他模型展开比较.结果表明：本文所提方法在ISCX-2016及ETD66上的测试精度和性能都明显优于其他流量分类模型，分别取得了98.2%和98.6%的识别准确率，从而证明了所提方法的特征提取能力和强泛化能力.

A Fast Classification Method for Encrypted Traffic Based on Multi-feature Fusion

Network traffic recognition is the foundation of network management and security services. With the continuous expansion and increasing complexity of the Internet， traditional rule-based recognition methods or based on flow behavior characteristics are facing great challenges. Inspired by natural language processing （NLP）， this paper proposes a fast classification method for encrypted traffic based on multi-feature fusion. The method completes the feature representation of network flows by combining the packet characteristics of data packets and byte sequences， expands the selected features into a double-byte sequence using binary byte encoding， and adds contextual semantic features of the bytes. By using pooling methods that are suitable for packet feature processing， the proposed model can preserve the feature information of packets to the greatest extent possible， thereby enhancing its noise resistance and more accurate classification ability. The method is validated on the Information Security Center of Excellence-2016 （ISCX-2016） and a private dataset containing Encrypted Traffic Datasets for 66 popular applications（ETD66）. The results show that the proposed method has significantly better accuracy and performance than other models in ISCX-2016 and ETD66， achieving accuracy of 98.2% and 98.6%， respectively， and thus proving the strong feature extraction ability and the model generalization ability.