{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,19]],"date-time":"2026-05-19T01:08:59Z","timestamp":1779152939262,"version":"3.51.4"},"reference-count":43,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2021,2,18]],"date-time":"2021-02-18T00:00:00Z","timestamp":1613606400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Meas. Anal. Comput. Syst."],"published-print":{"date-parts":[[2021,2,18]]},"abstract":"<jats:p>Traffic classification is essential in network management for operations ranging from capacity planning, performance monitoring, volumetry, and resource provisioning, to anomaly detection and security. Recently, it has become increasingly challenging with the widespread adoption of encryption in the Internet, e.g., as a de-facto in HTTP\/2 and QUIC protocols. In the current state of encrypted traffic classification using Deep Learning (DL), we identify fundamental issues in the way it is typically approached. For instance, although complex DL models with millions of parameters are being used, these models implement a relatively simple logic based on certain header fields of the TLS handshake, limiting model robustness to future versions of encrypted protocols. Furthermore, encrypted traffic is often treated as any other raw input for DL, while crucial domain-specific considerations exist that are commonly ignored. In this paper, we design a novel feature engineering approach that generalizes well for encrypted web protocols, and develop a neural network architecture based on Stacked Long Short-Term Memory (LSTM) layers and Convolutional Neural Networks (CNN) that works very well with our feature design. We evaluate our approach on a real-world traffic dataset from a major ISP and Mobile Network Operator. We achieve an accuracy of 95% in service classification with less raw traffic and smaller number of parameters, out-performing a state-of-the-art method by nearly 50% fewer false classifications. We show that our DL model generalizes for different classification objectives and encrypted web protocols. We also evaluate our approach on a public QUIC dataset with finer and application-level granularity in labeling, achieving an overall accuracy of 99%.<\/jats:p>","DOI":"10.1145\/3447382","type":"journal-article","created":{"date-parts":[[2021,2,22]],"date-time":"2021-02-22T22:23:33Z","timestamp":1614032613000},"page":"1-26","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":60,"title":["A Look Behind the Curtain: Traffic Classification in an Increasingly Encrypted Web"],"prefix":"10.1145","volume":"5","author":[{"given":"Iman","family":"Akbari","sequence":"first","affiliation":[{"name":"University of Waterloo, Waterloo, ON, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mohammad A.","family":"Salahuddin","sequence":"additional","affiliation":[{"name":"University of Waterloo, Waterloo, ON, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Leni","family":"Aniva","sequence":"additional","affiliation":[{"name":"University of Waterloo, Waterloo, ON, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Noura","family":"Limam","sequence":"additional","affiliation":[{"name":"University of Waterloo, Waterloo, ON, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Raouf","family":"Boutaba","sequence":"additional","affiliation":[{"name":"University of Waterloo, Waterloo, ON, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bertrand","family":"Mathieu","sequence":"additional","affiliation":[{"name":"Orange Labs, Lannion, France"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Stephanie","family":"Moteau","sequence":"additional","affiliation":[{"name":"Orange Labs, Lannion, France"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Stephane","family":"Tuffin","sequence":"additional","affiliation":[{"name":"Orange Labs, Lannion, France"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2021,2,22]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"http:\/\/dsi.ut-capitole.fr\/blacklists\/index_en.php . [Online","author":"Universit\u00e9 Toulouse","year":"2020","unstructured":"Universit\u00e9 Toulouse 1. 2020. Blacklists UT1. http:\/\/dsi.ut-capitole.fr\/blacklists\/index_en.php . [Online; Accessed 01-October-2020]."},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.23919\/TMA.2018.8506558"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/TNSM.2019.2899085"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/CISDA.2009.5356534"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/3097983.3098163"},{"key":"e_1_2_1_6_1","volume-title":"Accurate TLS Fingerprinting using Destination Context and Knowledge Bases. arXiv preprint arXiv:2009.01939","author":"Anderson Blake","year":"2020","unstructured":"Blake Anderson and David McGrew. 2020. Accurate TLS Fingerprinting using Destination Context and Knowledge Bases. arXiv preprint arXiv:2009.01939 (2020)."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-017-0306-6"},{"key":"e_1_2_1_8_1","volume-title":"Technical Report","author":"Belshe Mike","unstructured":"Mike Belshe and Roberto Peon. 2012. SPDY Protocol. Technical Report. Network Working Group. 1--51 pages. https:\/\/tools.ietf.org\/pdf\/draft-mbelshe-httpbis-spdy-00.pdf"},{"key":"e_1_2_1_9_1","doi-asserted-by":"crossref","unstructured":"Mike Belshe Roberto Peon and Martin Thomson. 2015. Hypertext Transfer Protocol Version 2 (HTTP\/2). IETF RFC 7540. 1--96 pages.","DOI":"10.17487\/RFC7540"},{"key":"e_1_2_1_10_1","volume-title":"A theory of learning from different domains. Machine learning","author":"Ben-David Shai","year":"2010","unstructured":"Shai Ben-David, John Blitzer, Koby Crammer, Alex Kulesza, Fernando Pereira, and Jennifer Wortman Vaughan. 2010. A theory of learning from different domains. Machine learning , Vol. 79, 1--2 (2010), 151--175."},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/1282427.1282386"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1186\/s13174-018-0087-2"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/TNSM.2019.2933155"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3366704"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3010637"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/BigData.2017.8258054"},{"key":"e_1_2_1_17_1","volume-title":"Augmentation scheme for dealing with imbalanced network traffic classification using deep learning. arXiv preprint arXiv:1901.00204","author":"Hasibi Ramin","year":"2019","unstructured":"Ramin Hasibi, Matin Shokri, and Mehdi Dehghan. 2019. Augmentation scheme for dealing with imbalanced network traffic classification using deep learning. arXiv preprint arXiv:1901.00204 (2019)."},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/LCN.2017.57"},{"key":"e_1_2_1_19_1","volume-title":"QUIC: A UDP-Based Secure and Reliable Transport for HTTP\/2. Technical Report","author":"Iyengar Janardhan","year":"2015","unstructured":"Janardhan Iyengar and Ian Swett. 2015. QUIC: A UDP-Based Secure and Reliable Transport for HTTP\/2. Technical Report. Network Working Group. 1--30 pages."},{"key":"e_1_2_1_20_1","volume-title":"QUIC: A UDP-based multiplexed and secure transport. Internet Engineering Task Force, Internet-Draft","author":"Iyengar Jana","year":"2018","unstructured":"Jana Iyengar and Martin Thomson. 2018. QUIC: A UDP-based multiplexed and secure transport. Internet Engineering Task Force, Internet-Draft (2018)."},{"key":"e_1_2_1_21_1","volume-title":"Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980","author":"Kingma Diederik P","year":"2014","unstructured":"Diederik P Kingma and Jimmy Ba. 2014. Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980 (2014)."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.5220\/0006105602530262"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2019.8737507"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2020.05.035"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2017.2747560"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1007\/s00500-019-04030-2"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/CCNC.2017.8013420"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2962018"},{"key":"e_1_2_1_29_1","volume-title":"How to achieve high classification accuracy with just a few labels: semi-supervised approach using sampled packets. arXiv preprint arXiv:1812.09761","author":"Rezaei Shahbaz","year":"2018","unstructured":"Shahbaz Rezaei and Xin Liu. 2018. How to achieve high classification accuracy with just a few labels: semi-supervised approach using sampled packets. arXiv preprint arXiv:1812.09761 (2018)."},{"key":"e_1_2_1_30_1","volume-title":"Tom Van Goethem, and Wouter Joosen","author":"Rimmer Vera","year":"2017","unstructured":"Vera Rimmer, Davy Preuveneers, Marc Juarez, Tom Van Goethem, and Wouter Joosen. 2017. Automated website fingerprinting through deep learning. arXiv preprint arXiv:1708.06376 (2017)."},{"key":"e_1_2_1_31_1","volume-title":"USENIX Security Symposium (USENIX Security 17)","author":"Schuster Roei","year":"2017","unstructured":"Roei Schuster, Vitaly Shmatikov, and Eran Tromer. 2017. Beauty and the burst: Remote identification of encrypted video streams. In USENIX Security Symposium (USENIX Security 17). 1357--1374."},{"key":"e_1_2_1_32_1","volume-title":"A Natural Language-Inspired Multi-label Video Streaming Traffic Classification Method Based on Deep Neural Networks. arXiv preprint arXiv:1906.02679","author":"Shi Yan","year":"2019","unstructured":"Yan Shi, Dezhi Feng, and Subir Biswas. 2019. A Natural Language-Inspired Multi-label Video Streaming Traffic Classification Method Based on Deep Neural Networks. arXiv preprint arXiv:1906.02679 (2019)."},{"key":"e_1_2_1_33_1","volume-title":"Toward developing a systematic approach to generate benchmark datasets for intrusion detection. computers & security","author":"Shiravi Ali","year":"2012","unstructured":"Ali Shiravi, Hadi Shiravi, Mahbod Tavallaee, and Ali A Ghorbani. 2012. Toward developing a systematic approach to generate benchmark datasets for intrusion detection. computers & security , Vol. 31, 3 (2012), 357--374."},{"key":"e_1_2_1_34_1","unstructured":"Ashish Vaswani Noam Shazeer Niki Parmar Jakob Uszkoreit Llion Jones Aidan N Gomez \u0141ukasz Kaiser and Illia Polosukhin. 2017. Attention is all you need. In Advances in neural information processing systems. 5998--6008."},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1002\/nem.1901"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3155133.3155175"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICC40277.2020.9148946"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2017.2780250"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISI.2017.8004872"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/1163593.1163596"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2019.2901348"},{"key":"e_1_2_1_42_1","volume-title":"2019 b. Identification of Encrypted Traffic Through Attention Mechanism Based Long Short Term Memory","author":"Yao Haipeng","year":"2019","unstructured":"Haipeng Yao, Chong Liu, Peiying Zhang, Sheng Wu, Chunxiao Jiang, and Shui Yu. 2019 b. Identification of Encrypted Traffic Through Attention Mechanism Based Long Short Term Memory. IEEE Transactions on Big Data (2019)."},{"key":"e_1_2_1_43_1","volume-title":"Encrypted traffic classification with a convolutional long short-term memory neural network","author":"Zou Zhuang","unstructured":"Zhuang Zou, Jingguo Ge, Hongbo Zheng, Yulei Wu, Chunjing Han, and Zhongjiang Yao. 2018. Encrypted traffic classification with a convolutional long short-term memory neural network. In IEEE International Conference on High Performance Computing and Communications; IEEE International Conference on Smart City; IEEE International Conference on Data Science and Systems (HPCC\/SmartCity\/DSS). 329--334."}],"container-title":["Proceedings of the ACM on Measurement and Analysis of Computing Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3447382","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3447382","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:46:56Z","timestamp":1750193216000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3447382"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,2,18]]},"references-count":43,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,2,18]]}},"alternative-id":["10.1145\/3447382"],"URL":"https:\/\/doi.org\/10.1145\/3447382","relation":{},"ISSN":["2476-1249"],"issn-type":[{"value":"2476-1249","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,2,18]]},"assertion":[{"value":"2021-02-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}