Abstract
In recent years, traffic encryption technology has been widely adopted for user information protection, leading to a substantial increase in encrypted traffic in communication networks. To address issues such as unclear local key features and low classification accuracy in traditional malicious traffic detection and normal application classification, this paper introduces an encrypted traffic classification encoder based on lightweight graph representation. By converting packet byte sequences into graphs to construct byte-level traffic graphs, we propose building a weighted output applied through a weight matrix to facilitate model lightweighting. The lightweight graph representation serves as the network input, and the design mainly includes an embedding layer, a traffic encoder layer based on graph neural networks, and a time information extraction layer, which can separately embed headers and payloads. We propose using GraphSAGE with sampling averaging to encode each byte-level traffic graph into an overall representation vector for each packet. For end-to-end training, an improved Transformer-based model is employed with relative position encoding of time series to generate final classification results for downstream tasks. To evaluate the reliability of the method, the proposed approach is tested on three application classification datasets: WWT, ISCX-2012, and ISCX-Tor, for classifying network encrypted traffic and conducting ablation experiments for comparison. Ultimately, comparison are made with more than 12 baseline models. The results show that the F1 scores reached 0.9938 and 0.9856 on ISCX-2012 and ISCX-Tor, respectively. Through lightweight experiments, it is found that the number of parameters is reduced by 18.2% compared to that of the original model TFE-GNN. Therefore, the results indicate that the proposed improved method can enhance the accuracy of detecting network traffic applications and abnormal behaviors while reducing the model's parameter count. Considering both the model parameters and accuracy dimensions, this paper introduces a lightweight graph representation-based encrypted traffic classification encoder that outperforms various existing models.