Network Traffic Classification Method Supporting Unknown Protocol Detection

At present, private protocols are widely used on the Internet. As a result, traditional traffic classification methods including port-based and DPI methods have become restricted. Existing machine learning-based methods depend on feature engineering, which makes feature design difficult. In addition, classification models can only classify data as predefined categories, which restricts the models when they are used to detect unknown protocol traffic. To address the above problems, we propose a two-stage traffic classification method combining a CNN model and a density-based clustering algorithm, which can classify known protocol traffic and detect arbitrary kinds of unknown protocol traffic simultaneously. We conducted sufficient experiments on the Information Security Centre of Excellence (ISCX) VPN-nonVPN and Defense Advanced Research Projects Agency (DARPA) 1998 datasets, and the accuracies on the test sets containing known and unknown protocol traffic achieved 97.03% and 98.50%, respectively, which are superior to other studies.