{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T15:37:36Z","timestamp":1777909056317,"version":"3.51.4"},"reference-count":31,"publisher":"MDPI AG","issue":"5","license":[{"start":{"date-parts":[[2023,5,19]],"date-time":"2023-05-19T00:00:00Z","timestamp":1684454400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100012456","name":"National Social Science Fund of China","doi-asserted-by":"publisher","award":["20&ZD293"],"award-info":[{"award-number":["20&ZD293"]}],"id":[{"id":"10.13039\/501100012456","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Entropy"],"abstract":"<jats:p>Traffic classification is the first step in network anomaly detection and is essential to network security. However, existing malicious traffic classification methods have several limitations; for example, statistical-based methods are vulnerable to hand-designed features, and deep learning-based methods are vulnerable to the balance and adequacy of data sets. In addition, the existing BERT-based malicious traffic classification methods only focus on the global features of traffic and ignore the time-series features of traffic. To address these problems, we propose a BERT-based Time-Series Feature Network (TSFN) model in this paper. The first is a Packet encoder module built by the BERT model, which completes the capture of global features of the traffic using the attention mechanism. The second is a temporal feature extraction module built by the LSTM model, which captures the time-series features of the traffic. Then, the global and time-series features of the malicious traffic are incorporated together as the final feature representation, which can better represent the malicious traffic. The experimental results show that the proposed approach can effectively improve the accuracy of malicious traffic classification on the publicly available USTC-TFC dataset, reaching an F1 value of 99.50%. This shows that the time-series features in malicious traffic can help improve the accuracy of malicious traffic classification.<\/jats:p>","DOI":"10.3390\/e25050821","type":"journal-article","created":{"date-parts":[[2023,5,19]],"date-time":"2023-05-19T10:35:11Z","timestamp":1684492511000},"page":"821","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":20,"title":["TSFN: A Novel Malicious Traffic Classification Method Using BERT and LSTM"],"prefix":"10.3390","volume":"25","author":[{"given":"Zhaolei","family":"Shi","sequence":"first","affiliation":[{"name":"College of Information Science and Engineering, Xinjiang University, Urumqi 830046, China"}]},{"given":"Nurbol","family":"Luktarhan","sequence":"additional","affiliation":[{"name":"College of Information Science and Engineering, Xinjiang University, Urumqi 830046, China"}]},{"given":"Yangyang","family":"Song","sequence":"additional","affiliation":[{"name":"College of Information Science and Engineering, Xinjiang University, Urumqi 830046, China"}]},{"given":"Huixin","family":"Yin","sequence":"additional","affiliation":[{"name":"College of Information Science and Engineering, Xinjiang University, Urumqi 830046, China"}]}],"member":"1968","published-online":{"date-parts":[[2023,5,19]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Zhang, Z., Han, X., Liu, Z., Jiang, X., Sun, M., and Liu, Q. (2019). ERNIE: Enhanced language representation with informative entities. arXiv.","DOI":"10.18653\/v1\/P19-1139"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Bader, O., Lichy, A., Hajaj, C., Dubin, R., and Dvir, A. (2022, January 8\u201311). MalDIST: From Encrypted Traffic Classification to Malware Traffic Detection and Classification. Proceedings of the 2022 IEEE 19th Annual Consumer Communications & Networking Conference (CCNC), Las Vegas, NV, USA.","DOI":"10.1109\/CCNC49033.2022.9700625"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Wang, W., Zhu, M., Wang, J., Zeng, X., and Yang, Z. (2017, January 22\u201324). End-to-end encrypted traffic classification with one-dimensional convolution neural networks. Proceedings of the 2017 IEEE International Conference on Intelligence and Security Informatics (ISI), Beijing, China.","DOI":"10.1109\/ISI.2017.8004872"},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Lin, X., Xiong, G., Gou, G., Li, Z., Shi, J., and Yu, J. (2022, January 25\u201329). ET-BERT: A Contextualized Datagram Representation with Pre-training Transformers for Encrypted Traffic Classification. Proceedings of the ACM Web Conference 2022, Lyon, France.","DOI":"10.1145\/3485447.3512217"},{"key":"ref_5","unstructured":"Wang, W., Zhu, M., Zeng, X., Ye, X., and Sheng, Y. (2017, January 11\u201313). Malware traffic classification using convolutional neural network for representation learning. Proceedings of the 2017 IEEE International Conference on Information Networking (ICOIN), Da Nang, Vietnam."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1109\/MC.2008.138","article-title":"Using string matching for deep packet inspection","volume":"41","author":"Lin","year":"2008","journal-title":"Computer"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"van Ede, T., Bortolameotti, R., Continella, A., Ren, J., Dubois, D.J., Lindorfer, M., Choffnes, D., van Steen, M., and Peter, A. (2020, January 23\u201326). Flowprint: Semi-supervised mobile-app fingerprinting on encrypted network traffic. Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA.","DOI":"10.14722\/ndss.2020.24412"},{"key":"ref_8","unstructured":"Devlin, J., Chang, M.W., Lee, K., and Toutanova, K. (2018). Bert: Pre-training of deep bidirectional transformers for language understanding. arXiv."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Shi, Z., Luktarhan, N., Song, Y., and Tian, G. (2023). BFCN: A Novel Classification Method of Encrypted Traffic Based on BERT and CNN. Electronics, 12.","DOI":"10.3390\/electronics12030516"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Qi, Y., Xu, L., Yang, B., Xue, Y., and Li, J. (2009, January 19\u201325). Packet classification algorithms: From theory to practice. Proceedings of the IEEE INFOCOM 2009, Rio de Janeiro, Brazil.","DOI":"10.1109\/INFCOM.2009.5061972"},{"key":"ref_11","unstructured":"Madhukar, A., and Williamson, C. (2006, January 11\u201314). A longitudinal study of P2P traffic classification. Proceedings of the 14th IEEE International Symposium on Modeling, Analysis, and Simulation, Monterey, CA, USA."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"63","DOI":"10.1109\/TIFS.2017.2737970","article-title":"Robust smartphone app identification via encrypted network traffic analysis","volume":"13","author":"Taylor","year":"2017","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Al-Naami, K., Chandra, S., Mustafa, A., Khan, L., Lin, Z., Hamlen, K., and Thuraisingham, B. (2016, January 5\u20139). Adaptive encrypted traffic fingerprinting with bi-directional dependence. Proceedings of the 32nd Annual Conference on Computer Security Applications, Los Angeles, CA, USA.","DOI":"10.1145\/2991079.2991123"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Sirinam, P., Imani, M., Juarez, M., and Wright, M. (2018, January 15\u201319). Deep fingerprinting: Undermining website fingerprinting defenses with deep learning. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, ON, Canada.","DOI":"10.1145\/3243734.3243768"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Liu, C., He, L., Xiong, G., Cao, Z., and Li, Z. (2019, January 12\u201319). Fs-net: A flow sequence network for encrypted traffic classification. Proceedings of the IEEE INFOCOM 2019-IEEE Conference On Computer Communications, Rabat, Morocco.","DOI":"10.1109\/INFOCOM.2019.8737507"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"1999","DOI":"10.1007\/s00500-019-04030-2","article-title":"Deep packet: A novel approach for encrypted traffic classification using deep learning","volume":"24","author":"Lotfollahi","year":"2020","journal-title":"Soft Comput."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"107974","DOI":"10.1016\/j.comnet.2021.107974","article-title":"TSCRNN: A novel classification scheme of encrypted traffic based on flow spatiotemporal features for efficient management of IIoT","volume":"190","author":"Lin","year":"2021","journal-title":"Comput. Netw."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Sinha, J., and Manollas, M. (2020, January 26\u201328). Efficient deep CNN-BiLSTM model for network intrusion detection. Proceedings of the 2020 3rd International Conference on Artificial Intelligence and Pattern Recognition, Online.","DOI":"10.1145\/3430199.3430224"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Khan, M.A. (2021). HCRNNIDS: Hybrid convolutional recurrent neural network-based network intrusion detection system. Processes, 9.","DOI":"10.3390\/pr9050834"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Shieh, C.S., Nguyen, T.T., and Horng, M.F. (2023). Detection of Unknown DDoS Attack Using Convolutional Neural Networks Featuring Geometrical Metric. Mathematics, 11.","DOI":"10.3390\/math11092145"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Sengupta, S., Ganguly, N., De, P., and Chakraborty, S. (2019, January 13\u201317). Exploiting diversity in android tls implementations for mobile app traffic classification. Proceedings of the World Wide Web Conference, San Francisco, CA, USA.","DOI":"10.1145\/3308558.3313738"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"He, H.Y., Yang, Z.G., and Chen, X.N. (2020, January 7\u201311). PERT: Payload encoding representation from transformer for encrypted traffic classification. Proceedings of the 2020 IEEE ITU Kaleidoscope: Industry-Driven Digital Transformation (ITU K), Online.","DOI":"10.23919\/ITUK50268.2020.9303204"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"6131","DOI":"10.1007\/s11042-021-11771-6","article-title":"A hybrid approach of Weighted Fine-Tuned BERT extraction with deep Siamese Bi\u2013LSTM model for semantic text similarity identification","volume":"81","author":"Viji","year":"2022","journal-title":"Multimed. Tools Appl."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Tavallaee, M., Bagheri, E., Lu, W., and Ghorbani, A.A. (2009, January 8\u201310). A detailed analysis of the KDD CUP 99 data set. Proceedings of the 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, Ottawa, ON, Canada.","DOI":"10.1109\/CISDA.2009.5356528"},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1080\/19393555.2015.1125974","article-title":"The evaluation of Network Anomaly Detection Systems: Statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set","volume":"25","author":"Moustafa","year":"2016","journal-title":"Inf. Secur. J. Glob. Perspect."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Zhao, Z., Chen, H., Zhang, J., Zhao, X., Liu, T., Lu, W., Chen, X., Deng, H., Ju, Q., and Du, X. (2019). UER: An Open-Source Toolkit for Pre-training Models. arXiv.","DOI":"10.18653\/v1\/D19-3041"},{"key":"ref_27","unstructured":"Kingma, D.P., and Ba, J. (2014). Adam: A method for stochastic optimization. arXiv."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"58","DOI":"10.1016\/j.knosys.2016.10.031","article-title":"An efficient instance selection algorithm to reconstruct training set for support vector machine","volume":"116","author":"Liu","year":"2017","journal-title":"Knowl.-Based Syst."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Panchenko, A., Lanze, F., Pennekamp, J., Engel, T., Zinnen, A., Henze, M., and Wehrle, K. (2016, January 21\u201324). Website Fingerprinting at Internet Scale. Proceedings of the NDSS, San Diego, CA, USA.","DOI":"10.14722\/ndss.2016.23477"},{"key":"ref_30","unstructured":"Hayes, J., and Danezis, G. (2016, January 10\u201312). k-fingerprinting: A robust scalable website fingerprinting technique. Proceedings of the 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, USA."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"2367","DOI":"10.1109\/TIFS.2021.3050608","article-title":"Accurate decentralized application identification via encrypted traffic analysis using graph neural networks","volume":"16","author":"Shen","year":"2021","journal-title":"IEEE Trans. Inf. Forensics Secur."}],"container-title":["Entropy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1099-4300\/25\/5\/821\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T19:38:29Z","timestamp":1760125109000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1099-4300\/25\/5\/821"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5,19]]},"references-count":31,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2023,5]]}},"alternative-id":["e25050821"],"URL":"https:\/\/doi.org\/10.3390\/e25050821","relation":{},"ISSN":["1099-4300"],"issn-type":[{"value":"1099-4300","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,5,19]]}}}