Fast and lean encrypted Internet traffic classification

Sangita Roy, Tal Shapira*, Yuval Shavitt

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

17 Scopus citations


Identifying the type of a network flow or a specific application has many advantages but becomes harder in recent years due to the use of encryption, e.g., by VPN. As a result, there is a recent wave of solutions that harness deep learning for traffic classification. These solutions either require a rather long time (15–60 Seconds) of flow data or rely on handcrafted features for solutions that classify flows faster. In this work, we suggest a novel approach for classification that extracts the most out of the two simple yet defining features of a flow: packet sizes and inter-arrival times. We employ a model that uses the inter-arrival times to parameterize the derivative of the flow hidden-state using a neural network (Neural ODE). We compare our results with a solution that uses the same data without the ODE solver and show the benefit of this approach. Our results can classify flows based on 20 or 30 consecutive packets taken from anywhere in one direction of a flow. This reduces the amount of traffic between the sampling point and the analyzer and does not require matching between two directions of the flow. As a result, our solution can classify traffic with good accuracy within a few seconds, and we show how to combine it with a more accurate (and a slower) classifier to achieve (mostly) fast and accurate classifications.

Original languageEnglish
Pages (from-to)166-173
Number of pages8
JournalComputer Communications
StatePublished - 15 Mar 2022


FundersFunder number
Israeli PMO
Tel Aviv University


    • Deep learning
    • Internet traffic classification
    • ODE


    Dive into the research topics of 'Fast and lean encrypted Internet traffic classification'. Together they form a unique fingerprint.

    Cite this