DE-GNN: Dual embedding with graph neural network for fine-grained encrypted traffic classification

Nowadays, most network traffic is encrypted, which protects user privacy but complicates the task of analyzing and classifying encrypted traffic. Identifying the specific categories of encrypted traffic, such as application type or even the specific application, is of great significance for advanced network services and network security management. Many existing methods for encrypted traffic classification rely on machine learning and deep learning techniques, but they exhibit certain shortcomings. A considerable number of these methods rely on statistical features, which may lose their relevance as networks evolve and lead to the loss of important information. Additionally, Convolutional Neural Networks (CNNs) and Recurrent Neural Networks (RNNs) face limitations in extracting features from encrypted traffic, specifically, their inability to learn traffic interaction information within a network flow. To address these challenges, we propose a model called Dual Embedding with Graph Neural Networks (DE-GNN) for fine-grained encrypted traffic classification. Based on the byte-packet-flow structure of network traffic, we present a dual embedding layer that encodes the packet header and payload separately using raw bytes, which allows subsequent processes to run separately and in parallel. Then, we develop the PacketCNN to extract packet-level features from both the header and payload. Afterwards, we construct a network flow as a Traffic Interaction Graphs (TIG) and utilize Graph Neural Networks (GNNs) to extract flow-level features. Finally, an adaptive deep feature fusion process is applied to combine flow-level features from the header and payload, creating a robust representation for classification. Extensive experiments are conducted on two well-known datasets, ISCX-VPN2016 and ISCX-Tor2016, to verify our approach. The experimental results demonstrate that DE-GNN effectively identifies the type of encrypted traffic, outperforming baselines significantly.