SwiftSession: A Novel Incremental and Adaptive Approach to Rapid Traffic Classification by Leveraging Local Features

Abstract

Network traffic classification is crucial for effective security management. However, the increasing prevalence of encrypted traffic and the confidentiality of protocol details have made this task more challenging. To address this issue, we propose a progressive, adaptive traffic classification method called SwiftSession, designed to achieve real-time and accurate classification. SwiftSession extracts statistical and sequential features from the first K packets of traffic. Statistical features capture overall characteristics, while sequential features reflect communication patterns. An initial classification is conducted based on the first K packets during the classification process. If the prediction meets the predefined probability threshold, processing stops; otherwise, additional packets are received. This progressive approach dynamically adjusts the required packets, enhancing classification efficiency. Experimental results show that traffic can be effectively classified by using only the initial K packets. Moreover, on most datasets, the classification time is reduced by more than 70%. Unlike existing methods, SwiftSession enhances the classification speed while ensuring classification accuracy.

1. Introduction

Network traffic classification is essential for ensuring effective network management and security. In the current network environment, the increasing use of encryption and the dynamic nature of applications have made traffic classification a more complex task. Traditional port-based classification methods, which rely on static port numbers, are no longer sufficient due to the prevalence of modern applications that use dynamic ports [1]. Deep Packet Inspection (DPI) [2,3], while effective in some scenarios before encryption became widespread, now struggles with encrypted and private protocol traffic.

Methods based on statistical features [4,5] have emerged as an alternative, as they rely on the macroscopic patterns of traffic behaviors and are not affected by the encryption of the data content. However, selecting the optimal set of features is challenging [6]. Deep learning methods also show promise [2], especially in handling encrypted traffic, but their performance varies with datasets and encryption algorithms, limiting their universality and adaptability. Methods relying on sequential features [7] conduct classification by analyzing traffic lengths and event sequences. However, these methods require waiting for the completion of traffic transmission [8], making them unsuitable for real-time applications where the timeliness of rapid classification is crucial.

Existing traffic classification methods require the entire session or multiple packets to begin recognition, limiting their ability to achieve real-time classification. To address this, we propose SwiftSession, an incremental traffic classification method. SwiftSession extracts statistical and sequential features from the initial K packets. These features are selected and processed to capture the essential characteristics of the traffic. The classification process is incremental, continuing until the classification probability surpasses a set threshold or until the packet count reaches a predefined limit. This unique approach allows for a dynamic adjustment of the classification process based on the characteristics of the traffic data, ensuring that the method can adapt to different traffic patterns and scenarios.

The main contributions of this paper are presented as follows:

• We propose a traffic classification method that uses both statistical features and sequential features. This method can classify network traffic from multiple granularities, such as behavior and protocol.
• We put forward a progressive and adaptive traffic classification architecture that strikes an optimal balance between classification accuracy and efficiency. In this architecture, the classifier initially employs the first K packets for the classification task. When the classification probability of the most probable category surpasses a pre-determined threshold, the processing halts. However, if this condition is not met, additional packets are incrementally processed until a confident classification is achieved. Such an adaptive mechanism not only guarantees accurate classification but also curtails the processing time by minimizing the number of packets needed.
• We conducted experimental comparisons of traffic behavior classification on datasets of multiple different task types, including IoT intrusion detection, encrypted traffic behavior classification, and ICS network protocol classification, to verify that our scheme can achieve good classification performance at multiple classification levels.

The remainder of this paper is organized as follows: Section 2 reviews related work on traffic classification. Section 3 provides a detailed description of SwiftSession. Section 4 outlines the experimental design and analyzes the results. Finally, we summarize the contributions and discuss directions for future research.

2. Related Works

Traffic classification techniques can be categorized based on their feature sources as follows:

2.1. Packet Feature-Based Methods

The port-based classification method identifies traffic by protocol ports, like TCP port 80 for HTTP. However, in modern networks, the increasing number of non-standard and dynamic ports makes it hard to classify accurately by port numbers [9]. Deep Packet Inspection (DPI) technology deeply analyzes packet payloads to identify complex protocols and applications [10]. However, it performs poorly when handling encrypted traffic and private protocol traffic [11]. Packet feature-based methods either overlook the sequential characteristics within a traffic flow or extract them through intricate procedures [12]. Moreover, packet-based features are more unstable than flow-based features [13].

2.2. Flow-Statistical-Feature-Based Methods

This method classifies traffic by analyzing statistical features like packet size distribution, or inter-arriving time [14]. This method allows large-scale data analysis. Monitoring large enterprise networks can effectively identify abnormal traffic and optimize resource allocation. AppScanner [15] used a support vector classifier (SVC) and random forest (RF) to classify traffic based on 54 features of mobile traffic [3]. Similarly, this method also performs well in network environments like the Internet of Things (IoT) with known malicious traffic characteristics. Shafiq et al. designed a feature-selection metric framework, selected the statistical features of IoT traffic, and used multiple machine learning algorithms to detect malicious traffic [16]. Jurkiewicz et al. centered around the problem of classifying network traffic elephants flows based on the first packet 5-tuple header field using a tree-based classifier [17] along with other classifiers [18] to improve traffic engineering and QoS applications. However, statistical feature analysis requires a large amount of calculation, making it unsuitable for real-time scenarios. Moreover, it needs complex feature engineering. This makes it difficult for small enterprises or organizations with limited resources to implement, as it requires strong hardware and professional expertise.

Sequence feature-based methods view network traffic as time-series data and achieve traffic classification by analyzing the time patterns and behavioral trends [19]. Early research on sequential features focused on Markov chains. Pan et al. classified SSL/TLS encrypted applications by combining the message type and packet length in the HTTPS handshake stage to build a second-order Markov chain model [20]. Liu et al. transformed the original packet length sequence into the length block sequence and trained the Markov model by combining the message type sequences [9]. Recent research has focused on the representation of sequential features and used machine learning methods for classification. Liu et al. proposed FS-Net, extracts feature from the original flow sequence using a multi-layer encoder–decoder structure and introducing a reconstruction mechanism [21]. Xu et al. proposed an ETC-PS method [7], introducing the traffic path and analyzing sequence features that can effectively classify encrypted traffic without decryption. Koumar et al. proposed NetTiSA [22], which uses time-series analysis inside the IP flow exporter to generate 13 known and novel features in the extended IP flow. These methods rely on a substantial number of packets arriving at the station prior to classification, which hinders their application in real-time scenarios. The method proposed in this paper is based only on a small number of the first few packets (less than 10). We also explored the feasibility of using local features for classification in Appendix A.

2.3. Deep Learning Methods

The development of deep learning has also brought new perspectives to traffic classification [23]. Lin et al. developed the ET-BERT model, using the pre-trained BERT architecture to learn traffic representation from many unlabeled data and then fine-tuning a small amount of labeled data for a specific task to achieve accurate traffic classification [24]. Aceto et al. proposed DISTILLER to achieve multimodal and multitask classification of encrypted traffic by capitalizing on the heterogeneity of traffic data [25]. Zhang et al. applied graph neural networks to traffic classification [26]. Huoh et al. further considered the flow features at the GNN [27], which improved the classification accuracy. However, these works require the use of many data packets and are difficult to apply to tasks that are sensitive to classification time, such as intrusion detection.

Some recent work also focuses on real-time classification [12,28,29,30]. Chen et al. used a 0.1 s sliding window to segment the flow, calculated 8-dimensional features, compressed the data length, and then input it into a deep learning model to achieve the online recognition of LTE traffic [31]. However, these works are all based on the fixed first N data packets, and different parameter values are set for different datasets to achieve better results. This characteristic is not conducive to the extended application of the method. The method proposed in this paper extracts local flow features from an incremental perspective, which has greater flexibility.

3. Method

In this section, we will elaborate on the design and training process of the proposed model. The input of this method consists of online or offline traffic packets captured on routers or probes. After preprocessing, the first K (variable depends on the number of data packets in the buffer) packets in the flow were sequentially placed into the flow feature buffer pool (Section 3.1). Subsequently, the local features of some flows in the current buffer pool were extracted (Section 3.2). Then, a cluster of classifiers was used to output the probability of various traffic classifications (Section 3.3). To ensure the classification speed and accuracy, we also introduced path signatures for incrementally calculating sequence features. The architecture of the proposed model with preprocessing is shown in Figure 1.

3.1. Packet Capture—Session Feature Buffer Pool

To deploy SwiftSession in a real-world environment and achieve the incremental classification of flows, we designed a structure named Session Feature Buffer Pool to temporarily store the features of the arrived data packets of a flow.

As shown in Figure 1, the flow buffer pool contains several cells. $Cel{l}_i$ corresponds to the flow $flo{w}_i$ in the current network environment where data packets have been captured but not yet identified. It stores the features $f_j$ extracted from the $j$ captured data packets of the current flow, including the sequential feature $f_j^t$ and the statistical feature $f_j^s$. Whenever a new data packet of this flow was captured, we calculated the new feature $f_{j+1}$ incrementally, which is the combination of the previously captured data packets and the current one. The descriptions in the following sections illustrate that such calculation is feasible and consumes a relatively low number of computational resources. Then, we adaptively select the corresponding ML model in the classifier cluster to identify the new flow feature and report a classification accuracy $p_{j+1}$. We set a parameter, the probability threshold $\tau$, to control the strictness of the method during deployment. The larger the value of τ, the more inclined the method is to obtain more data packets to ensure a higher recognition accuracy. Conversely, the smaller the value of the τ, the more inclined the method is to adopt a more aggressive reporting strategy for a faster classification speed. In practical applications, the threshold $\tau$ can be adjusted to respond to different scenarios flexibly.

When the classification accuracy $p_{j+1}$ reported by the classifier cluster is less than τ, the method temporarily stores the new feature $f_{j+1}$ in the flow feature buffer pool and waits for the capture of the next data packet belonging to this flow. When the reported accuracy $p_{j+1}$ is greater than or equal to τ, the method releases the memory occupied by this cell and reports the classification of the flow (which can be protocol, application, behavior, etc. Experiments in Section 5 proved that our method can classify traffic at multiple granularities).

Regarding memory release, we set a maximum duration and a maximum number of data packets to clear the memory occupied by invalid flows. In the examples in Section 5, the maximum duration is 300 s, and the maximum number of data packets is 10.

3.2. Features Extraction

3.2.1. Statistical Feature

The standard statistical features of network traffic cover multiple dimensions, such as the inter-arrival time of data packets, flow direction (forward or reverse), TCP flag bits (e.g., the PSH flag), etc. Moore et al. proposed over 240 statistical features in their work [32]. However, many of these features are highly correlated and redundant, and the constructed flow data are relatively large, making it difficult to deploy. The method in this paper manually reduces the feature set by screening out redundant features from the 68-dimensional feature set constructed by CICFlowMeter. Then, the Gini coefficient is used to evaluate the classification contribution of each statistical feature. To further broaden the application scope of the feature set, we calculated the Gini gains of the statistical features for the four different datasets mentioned in Section 4.1.2 under different k values (3–10 and all packets) and retained the features whose Gini gains were all greater than 0.2 in the four datasets. Subsequently, we mixed these datasets and independently calculated the Gini gains of the remaining features. Finally, through manual selection, we picked out the 8-dimensional features that exhibited relatively high Gini gains in all datasets and had low computational difficulty and were relatively independent. The selected features and the finally calculated Gini coefficients are shown in

Table 1. Description of feature names.

Feature Name	Description	Gini Gaine
$pkt\_len\_mean$	Mean packet length.	0.5755
$totlen\_fwd\_pkts$	Total length of forward packets.	0.4429
$active\_max$	Maximum active state.	0.6707
$bwd\_pkt\_len\_min$	Minimum length of backward packets.	0.3237
$bwd\_blk\_rate\_avg$	Average backward block rate.	0.3297
$bwd\_iat\_min$	Minimum backward inter-arrival time.	0.3331
$flow\_byts\_s$	Flow bytes per second.	0.6731
$init\_fwd\_win\_byts$	Initial forward window bytes.	0.3954

.

The Gini calculation process is as follows:

First, for a dataset $D$ with $K$ categories, the Gini impurity is defined as $Gini\left(D\right)=1-\sum _{k=1}^K{p}_k^2$, where $p_k$ is the proportion of category $k$ in the dataset.

Next, for a feature $A$, the dataset is split into subsets according to its value. The Gini gain is defined as $Gain\left(A\right)=Gini\left(D\right)-\sum _i\left({\displaystyle \raisebox{1ex}{$\left|D_i\right|$}\!\left/ \!\raisebox{-1ex}{$D$}\right.}\right)\times Gini\left(D_i\right)$, where $D_i$ is the subset divided based on feature $A$.

Incremental Calculation

All the selected features can be calculated incrementally without storing past data packets. Although the examples provided in this paper do not select them, for features that require the calculation of standard deviation, such as pkt_len_std, the Welford algorithm [33] can be used for incremental calculation without additional space consumption for storing data packets.

Mean Calculation

Suppose we have a sequence of data points $x_1, x_2, \cdots , xₙ$. The traditional way to calculate the mean ${\mathrm{\mu }}_n$ is as follows:

$${\mathrm{\mu }}_n={\displaystyle \frac{1}{n}}{\displaystyle \sum _{i=1}^n}xᵢ$$

Given that the mean of the first $n-1$ data points is ${\mathrm{\mu }}_{n-1}$, when the $n$-h data point $x_n$ is added, the new mean ${\mathrm{\mu }}_n$ can be calculated by the formula:

$${\mathrm{\mu }}_n={\mathrm{\mu }}_{n-1}+{\displaystyle \frac{x_n-{\mathrm{\mu }}_{n-1}}{n}}$$

Variance Calculation

For the calculation of the variance ${\sigma }_n^2$, an incremental idea is also adopted. Given that the variance of the first $n-1$ data points is ${\sigma }_{n-1}^2$ and the mean is ${\mathrm{\mu }}_{n-1}$, when the $n$-th data point $x_n$ is added, the formula for the variance is as follows:

$${\mathrm{\sigma }}_n^2={\displaystyle \frac{n-1}{n}}{\mathrm{\sigma }}_{n-1}^2+{\displaystyle \frac{\left(x_n-{\mathrm{\mu }}_{\mathrm{n}-1}\right)\left(x_n-{\mu }_{\mathrm{n}}\right)}{n}}$$

3.2.2. Sequence Feature

Considering the property that path signatures can be incrementally calculated, the method in this paper introduces path signatures to extract the sequential features of network flows. In practical applications, multiple sequential feature calculation methods, such as Markov chains, can also be applied according to requirements. The sequence feature extraction in this paper process is as follows: After capturing packet $i$, we added the length $L_i$ of this packet to the previous length sequence $S_{i-1}=\left(L_1,L_2,\dots ,L_{i-1}\right)$, generating the updated sequence $S_i=\left(L_1,L_2,\dots ,L_i\right)$. In this sequence, $L_i<0$ indicates that the packet was sent from the client to the server; instead, $L_i>0$ indicates that the packet was sent from the server to the client.

Inspired by the work of Xu et al. [7], we extend the original sequence $S$ to seven dimensions, specifically as follows:

• Packet length sequence $\mathit{S}\mathit{L}$: Consists of the absolute values of each packet length in sequence $S$.
• Cumulative byte sequence$\mathit{C}\mathit{S}$: The prefix sum of the packet length sequence $SL$, that is, $C{S}_i=\sum _1^{i}S{L}_i$.
• Length sequence $\mathit{U}$ from the client to the server: Contains all the positive subsequences in sequence $S$.
• Cumulative length sequence $\mathit{C}\mathit{U}$ from the client to the server: It is the prefix sum of the length sequence $U$, that is, $C{U}_i=\sum _1^i{U}_i$.
• Length sequence $\mathit{P}$ from the server to the client: Contains all the negative subsequences in sequence $S$.
• Cumulative length sequence $\mathit{C}\mathit{P}$ from the server to the client: It is the prefix sum of the length sequence $P$, that is, $C{P}_i=\sum _1^i{P}_i$.

Furthermore, to enhance the distinguishability of the calculated traffic path features, we introduced the time interval sequence IT between packets and the FLAGS field of the TCP protocol within the packet header field to calculate the sequence features. Eventually, after eliminating the redundant SL, we utilized a seven-dimensional sequence to calculate the traffic path features: IT, FLAGS, CS, U, CU, P, and CP.

Table 2. Examples of sequential features.

No.	S	IT	SL	CS	U	P	CU	CP	FLAGS
1	162	0	162	162	162	0	162	0	24
2	−40	0.000108	40	202	0	40	162	40	16
3	338	0.69453	338	540	338	0	500	40	24
4	−40	0.00802	40	580	0	40	500	80	16
5	162	0.201072	162	742	162	0	662	80	24
6	−40	0.000066	40	782	0	40	662	120	16
7	162	4.876225	162	944	162	0	824	120	24
8	−40	0.000801	40	984	0	40	824	160	16
9	476	5.933704	476	1460	476	0	1300	160	24
10	−40	0.000097	40	1500	0	40	1300	200	16

presents an example of the extended sequence of the first ten packets of a VPN chat flow. This dimensional feature path was used to calculate the path signature.

The following is a brief introduction to the path signature method and its incremental calculation method. For the specific details of the path signature, please refer to the paper of [34]:

Path signatures are a feature extraction method that encodes linear and nonlinear interactions [35]. The feature vectors generated by this method have a fixed length independent of the number of data input points or sampling interval. As a mathematical tool, path signatures have significant applications in various fields, including stochastic analysis, machine learning, and differential geometry [2,4,36,37,38]. For a continuous path $X:\left[0, T\right]\to R^d$, the path signature is an infinitely long sequence of the path, with each order’s signature terms composed of the following:

Let $X=X^1,X^2,\cdots ,X^d$ be a d-dimensional path, and $X_t=X_t^1,\cdots ,X_t^d$ represents the value of the path $X$ at time $t\in \left[0,T\right]$.

The $n$-th level part $S{\left(X\right)}_{0,t}^n$, $(n=\mathrm{0,1},2,\cdots )$ is defined as follows:

$$\left\{\begin{array}{c}S{\left(X\right)}_{0,t}^0=1,n=0\\ S{\left(X\right)}_{0,t}^1={\int }_0^{t}d{X}_s^1,{\int }_0^{t}d{X}_s^2,\cdots ,{\int }_0^{t}d{X}_s^d,n=1\\ S{\left(X\right)}_{0,t}^n={\int }_{0<s_1<\cdots <s_n<t}d{X}_{s_1}\otimes \cdots \otimes d{X}_{s_n},n\ge 2\end{array}\right.$$

where $\otimes$ represents the tensor product.

Since the path signature is an infinitely long sequence, the signature terms of the N-th order and prior to it in the sequence are usually taken as representatives. This new sequence is known as the N-th order truncated path signature. In addition, we adopted the method in Paper [35] to achieve the incremental calculation of path signatures.

3.2.3. Feature Fusion

As shown in the structure diagram, to accelerate the calculation speed of the method in this paper, we use the splicing method to fuse the sequence feature $f_j^t$ and the statistical features $f_j^s$ to obtain the final feature. The fusion process is expressed by the following formula:

$$f_j=f_j^s\oplus f_j^t$$

Here, “$\oplus$” is used to denote the concatenation of the preceding vector and the succeeding vector.

As described in the previous two subsections, since both the sequence features and statistical features used to form the fusion features can be incrementally calculated, the fusion features also support incremental calculation. This means that all the features used in the method of this paper can be calculated in real time based on the captured data packets without the need to store the data packets. In addition, in this paper, all features are column normalization. Z-Score Normalization is used to standardize the features to reduce the impact of outliers and adapt to the online traffic identification mode.

3.3. Traffic Classification—Cluster of Classifiers

To flexibly classify features under different numbers of packets, we set up a classifier cluster in SwiftSession to ensure more accurate classification when different numbers of data packets were captured. As shown in the structure Figure 1, the cluster classifier consists of $K$ models trained with the data of different numbers of packets, where the value of $K$ depends on the maximum number of packets.

During the training phase, SwiftSession obtained $K$ different feature sets with $k=1, 2... K$ from the same training set and trained them, respectively, to obtain $K$ classification models. Each model classifies the features of the first $k$ data packets of flow, which means our models can achieve better performance during the classification phase.

During the classification phase, we set up a model selector in the classifier cluster. This simple structure can match the features obtained from the flow feature buffer pool to the corresponding model, selecting the appropriate model for classification, without consuming additional computational performance. For each classifier, the method utilizes an incremental computation method, extracting features from the first $k$ packets upon receiving the $k$-th packet. The system dynamically determines whether to continue packet collection or output classification results based on classifier confidence, optimizing accuracy, and computational resource utilization.

SwiftSession employs a confidence-based decision mechanism for classification. Each classifier outputs a probability distribution vector $\left[p_1,p_2,\dots ,p_{\mathrm{n}}\right]$, where $p_i$ represents the probability of the $i$-th traffic category, with $\sum p_i=1$. When the maximum probability exceeds a predefined threshold, the system terminates packet collection and outputs the classification result; otherwise, it continues collecting packets for further analysis. In a binary-classification environment with two classes, A and B, the probability threshold is set at 0.8. When an unclassified flow has its initial 3rd data packet captured, the classifier outputs a probability distribution of [0.6 (A), 0.4 (B)]. Given that the maximum probability of 0.6 is less than 0.8, the system proceeds to capture the 4th data packet. After processing this packet, the classifier generates a new distribution of [0.9 (A), 0.1 (B)]. Since the classification probability of 0.9 is greater than 0.8, once the maximum probability exceeds the predefined threshold, the system halts the collection of data packets and outputs the classification result as Class A.

4. Experiment

To verify the effectiveness of the proposed SwiftSession method, we designed a series of experiments that included verifying the incremental classification strategy and comparing it with existing methods. All experiments were carried out on a computer with an AMD Ryzen 7 3.20 GHz processor, 32 GB RAM, 64-bit Windows 11, and a 12 GB GeForce GTX 4060. We utilized the Scikit-learn library (version 1.4.1) [39] and the XGBoost library (version 2.1.1). Note that, for each dataset, we used a ratio of 0.6:0.2:0.2 for the training set, validation set, and test set splits and retrained all methods individually on each dataset. After the division, we extracted the features with different values of k, respectively, and conducted training.

4.1. Experimental Set Up

4.1.1. Feature Fusion

This experiment evaluated the proposed method from two aspects: classification accuracy and speed. For traffic classification accuracy, we use accuracy ($ACC$), precision ($PR$), recall ($RC$), and F1-score ($F1$) as metrics. Accuracy assesses the overall correctness of classification results, while precision and recall measure the model’s ability to identify and cover the target category correctly. The F1-score, which combines precision and recall, provides a balanced evaluation of the model’s classification performance. The formulas are as follows:

$$Accuracy={\displaystyle \frac{TP+TN}{TP+TN+FP+FN}}$$

$$\mathit{PR}={\displaystyle \frac{TP}{TP+FP}}$$

$$\mathit{RC}={\displaystyle \frac{TP}{TP+FN}}$$

$$F1={\displaystyle \frac{2 \ast PR \ast RC}{PR+RC}}$$

where $TP, TN, FP, FN$ represent true positives, true negatives, false positives, and false negatives, respectively.

For multi-class classification tasks, all metrics are calculated using the weighted average method. Let $n$ be the number of classes, $w_i$ be the weight of the $i$-th class, $T{P}_i$, $F{P}_i$ and $F{N}_i$ be the number of true positives, false positives, and false negatives of the $i$-th class, respectively.

$$AC{C}_{weighted}={\displaystyle \frac{{\sum }_{i=1}^n{w}_i\times T{P}_i}{{\sum }_{i=1}^n{w}_i\times \left(T{P}_i+F{P}_i+F{N}_i\right)}}$$

$$P{R}_{weighted}={\displaystyle \frac{{\sum }_{i=1}^n{w}_i\times T{P}_i}{{\sum }_{i=1}^n{w}_i\times \left(T{P}_i+F{P}_i\right)}}$$

$$R{C}_{weighted}={\displaystyle \frac{{\sum }_{i=1}^n{w}_i\times T{P}_i}{{\sum }_{i=1}^n{w}_i\times \left(T{P}_i+F{N}_i\right)}}$$

$$F{1}_{weighted}=2\times {\displaystyle \frac{P{R}_{weighted}\times R{C}_{weighted}}{P{R}_{weighted}+R{C}_{weighted}}}$$

In SwiftSession, traffic classification speed is measured by method classification time, which depends on the number of packets received before the result. Assuming $i$ packets are received, the classification time $T$ is as follows:

$$T=T_i=t_{arrived}^i+t_{ef}^i+t_{si}^i+t_{d_i}$$

where $t_{arrived}^i$, $t_{ef}^i$, $t_{si}^i, { t}_{d_i}$ represent time from the first packet’s arrival to the $i$-th packet’s arrival, feature extraction time after the $i$-th packet, inference time for the $i$-th packet, and decision time for the $i$-th classification, respectively (assuming $t_{arrived}^k$ is greater than $t_{arrived}^{k-1}+t_{ef}^k+t_{si}^k+t_{d_k},1<k\le i$).

Since the number of packets varies in different SwiftSession sessions, we introduce the “average arrival time” metric to represent the average time of packet arrival when the final classification is made.

For other methods, the classification time is as follows:

$$T=t_{se}+t_{ef}+t_{si}$$

where $t_{se}, t_{ef}, t_{si}$ represents session duration between the first and the last packet when classification is possible, feature extraction time, and inference time based on features, respectively (In this study, session duration, which is much longer than $t_{ef}+t_{si}$, is used as the traffic classification time for the comparison methods. Different methods use varying numbers of packets: ETC-PS uses 40, while FineWP and FS-Net use 32 session packets. The session duration for comparison is determined accordingly).

4.1.2. Benchmark Test Dataset

To verify the effectiveness of the method proposed in Section 3 and its ability to perform multi-granularity classification well, we selected the following datasets for experiments, which included multi-classification tasks: protocol classification (ICSC Dataset), user behavior classification (ISCX dataset), and intrusion detection (MQTT-IDS). It should be noted that only MQTT-IDS pertains to binary classification. In contrast, the remaining datasets are involved in multi-class classification tasks:

• Self-established industrial control dataset (ICSC Dataset)

The industrial control Internet has high requirements for the time of network protocol classification. In this paper, the dataset established by Zhai et al. in 2020 [40] is used. In addition, following their method, we supplement some traffic data of ICS protocols based on the original dataset. The supplementary data include the benign part of the following sites from 2020 to 2025: Netresec [41], TriStation [42], AWS Cloud [43], NREL [44], ITHACA [45], the Electra power system control traffic dataset [46], IEC datasets [47], and the Modbus dataset from CEST16 [48]. These sources provided updated industrial control network traffic data from 2020 to 2025. The dataset includes both annotated and unannotated traffic data. Tshark was utilized to label the unlabeled traffic data with protocol information.

Table 3. Protocol statistics in ICSC dataset.

Protocol	Packet Number (106)	Session Number	Size
BACnet	5.6	76	67.1 MB
CIP	2.9	137	54.4 MB
Dnp3	4.2	5601	43.9 MB
iec60870	2.1	11,326	219.5 MB
Modbus	2.4	15,693	138.5 MB
MQTT	8.1	1996	127 MB
S7comm	10.5	285	176 MB

provides statistical details of the ICSC dataset.

• MQTT-IoT-IDS-2020 [49]

Intrusion detection is also one of the tasks with high requirements for classification time. MQTT is one of the most used protocols on the Internet of Things. In this paper, a binary classification task is carried out on this dataset. We labeled each flow according to the author’s instructions in the document.

• ISCX Datasets

In addition, to verify that our method can also be applied to encrypted traffic classification, we selected two well-known datasets. Although these two datasets were established in 2016, there has still been a lot of research work conducted on them recently, such as the studies of [7,12,22,24,25,26,27].

ISCX VPN-nonVPN 2016 (Referred to as VPN Dataset) [50]: This dataset, well recognized in the traffic classification research community, comprises 150 PCAP files totaling 28.0 GB. We based text to classify it into 11 categories: Chat, Email, File Transfer, Streaming, VoIP, VPN Chat, VPN Email, VPN File Transfer, VPN Streaming, VPN VoIP, and VPN Torrent.

ISCX Tor-nonTor 2016 (Referred to as Tor Dataset) [51]: This dataset includes 85 PCAP files, totaling 22.8 GB. We based text to classify it into 12 categories: Browsing, Chat, Email, File Transfer, Streaming, Tor Browsing, Tor Chat, Tor Email, Tor File Transfer, Tor Streaming, Tor VoIP, and VoIP.

4.1.3. Data Preprocessing

For all datasets, in our experiments, we removed data packet flows with less than three packets. We considered such sessions too short to play a role in the transmission process, so they were not worthy of consideration. At the same time, we excluded the data packets from the first two handshakes in the TCP three-way handshake. For all datasets, we used the SplitCap tool [52] to split them into the form of files for each session.

4.2. Parameter Optimization

4.2.1. Threshold Search

This section compares the traffic classification accuracy and speed when the incremental strategy is adopted, and the threshold varies from 70% to 95%. The aim is to evaluate the impact of these thresholds on the algorithm’s performance. XGBoost is used as the benchmark classifier, taking the VPN-nonVPN dataset as an example. The analyzed indicators include classification accuracy, precision, recall, F1-score, and classification time. The detailed results are shown in Figure 2.

Overall, it is evident from the experimental results presented in the tables that adjusting the confidence threshold has a significant impact on traffic classification, accuracy, and speed. Both classification accuracy and classification time are positively correlated with the threshold, which is consistent with the inference we provided in Section 3. Taking all factors into comprehensive consideration, it is more appropriate to select a confidence threshold in the range of 0.8 to 0.9. Although a threshold lower than 0.8 may result in a faster speed, it may reduce the accuracy. In contrast, a threshold higher than 0.9 can improve accuracy in some cases, but it is likely to cause excessive data packet processing and an extension of waiting time. Considering both the classification time and classification accuracy, the threshold used in the following examples in this paper is 85%.

In addition, we also list in

Table 4. The average number of packets awaited when classification results are given.

Thresholds	0.70	0.75	0.80	0.85	0.90	0.95
Packet Number	4.4104	4.7152	4.9514	5.3585	5.8727	6.5637

the changes in the average number of data packets when different thresholds are used to obtain the classification results of the method in the VPN dataset. As the threshold increases, an increasing number of flows are classified by classifiers with larger K-values. As can be seen from the experiments in Section 4.4, classifiers with larger K-values have a higher classification accuracy compared to those with lower K-values. Therefore, as the threshold increases, the classification accuracy is correspondingly enhanced.

4.2.2. ML Classifier Selection

SwiftSession assesses various machine learning models to identify the optimal classifier, including Random Forest (RF), Extremely Randomized Trees (ET), C4.5, and XGBoost which are commonly used classifiers in traffic classification.

These models exhibit strong performance in real-time classification tasks. The final selection is based on a thorough operational efficiency evaluation, classification accuracy, and resource consumption. The comprehensive benchmarking of accuracy, speed, and resource utilization informs the choice of the optimal classifier.

Details of the classifier’s hyperparameters and the average size after training on four datasets are shown in

Table 5. Hyperparameters and size of ML classifiers.

Classifiers	Parameters	Size	Result (F1)	Time (s)
C4.5	Criterion = ‘entropy’	243 KB	77.26%	97.71
RF	max_features = None, n_estimators = 100	23 MB	84.47%	94.06
ET	n_estimators = 10	60.4 MB	83.86%	91.98
XGBoost	n_estimators = 100, eval_metric = ‘logloss’, probability = True	2.1 MB	88.45%	91.87

. Hyperparameters not mentioned in the table adopt default values. After comprehensive evaluation, we found that XGBoost achieved relatively good results and performance. We also list the classification results and classification times of each classifier on the VPN dataset in Table 5 for reference. Therefore, the XGBoost model was selected for subsequent comparative experiments.

4.3. Comparison with Existing Methods

This section provides a comprehensive comparison of the classification accuracy and time of SwiftSession against four representative methods across three datasets, assessing the advantages and disadvantages of SwiftSession relative to current mainstream approaches. The selected comparison algorithms are all notable for their classification performance, computational efficiency, and applicability to diverse datasets.

FSNet: An efficient encrypted traffic classifier based on GRU [21], FSNet embeds the raw packet sequences of flows and utilizes a double-layer bidirectional GRU to extract deep features.

ETC-PS: This method classifies encrypted traffic based on path signature features [7]. ETC-PS constructs traffic paths to represent bidirectional client–server interactions, utilizing only packet length information within sessions.

FineWP: A fine-grained webpage fingerprinting method that utilizes only packet-length information from encrypted traffic [53]. This classifier extracts critical features from the uplink-dominant stage, including block and sequence features.

ITCT Transformer: Based on the Tab Transformer architecture [54], it classifies IoT traffic through unique feature processing and attention mechanisms.

The specific experimental results are shown in

Table 6. Comparison experiment results.

Dataset	Method	PR	RC	ACC	F1	Classification Time (s)
VPN-nonVPN	FSNet	75.02%	72.38%	72.38%	73.68%	241.93
	FineWP	59.38%	78.46%	78.46%	67.60%	241.93
	ETC-PS	66.65%	84.69%	84.69%	74.59%	273.83
	SwiftSession (XGBoost)	88.55%	88.36%	88.36%	88.45%	91.87
Tor-nonTor	FSNet	74.57%	72.46%	72.46%	73.50%	162.88
	FineWP	76.58%	68.75%	68.75%	72.45%	162.88
	ETC-PS	88.56%	94.54%	94.54%	91.45%	179.89
	SwiftSession (XGBoost)	98.57%	98.57%	98.57%	98.57%	10.45
ICSC-Dataset	FSNet	84.52%	86.21%	86.21%	85.36%	201.05
	FineWP	87.34%	86.45%	86.45%	86.89%	201.05
	ETC-PS	99.67%	99.35%	99.35%	99.51%	221.25
	SwiftSession (XGBoost)	98.84%	98.84%	98.84%	98.85%	2.59
MQTT-IDS-2020	ITCT Transformer	87.00%	82.00%	82.00%	81.00%	2.14
	SwiftSession (XGBoost)	98.53%	98.52%	98.52%	98.48%	2.67

. In the experiment on the VPN-nonVPN dataset, SwiftSession (XGBoost) demonstrated outstanding performance. It far exceeded other methods in terms of accuracy and recall and had a relatively short classification time, thus showing significant advantages in both efficiency and accuracy. In contrast, FineWP had a relatively low precision rate, indicating a potential for many misjudgments. The performance of FSNet and ETC-PS was at a medium level, and all three of them had relatively long classification times.

For the Tor-nonTor dataset, SwiftSession (XGBoost) still maintained a high standard, with almost perfect indicators in all aspects, and its classification time was significantly shorter. ETC-PS also showed good performance and could effectively identify categories. However, FineWP had a relatively low recall rate, which might lead to missing many true categories, and the overall performance of FSNet was relatively weak.

In the ICSC-Dataset, both ETC-PS and SwiftSession (XGBoost) exhibited extremely high classification accuracy. SwiftSession (XGBoost) had a significant advantage in classification time, as it was much faster than other methods.

In the experiment on the MQTT-IDS-2020 dataset, SwiftSession (XGBoost) was significantly higher than the ITCT Transformer in both accuracy and recall. Although their classification times were similar, SwiftSession (XGBoost) was superior in terms of accuracy.

Based on the experimental results of various datasets, SwiftSession (XGBoost) has the advantages of high accuracy and fast classification on multiple datasets and thus has greater potential in practical applications. ETC-PS has high accuracy in some datasets, but its classification time needs to be optimized. The performance of FSNet and FineWP is relatively unstable, and their classification times are generally long. Although the ITCT Transformer has a short classification time, its accuracy is relatively low. Future research could focus on improving the time efficiency and accuracy of other methods to meet the requirements of more application scenarios.

4.4. Verification of Incremental Classification Strategy

In this experiment, for the four datasets of ICSC, VPN, TOR, and MQTT, by varying the value of K (the number of data packets) and applying the incremental calculation method, we evaluated the performance indicators of the classification strategy, including ACC, PR, RC, F1, as well as the classification time, to verify the relevant theoretical conclusions. The experimental results are shown in Figure 3.

In each dataset, as the value of K increases from 3 to 10, the classification accuracy indicators generally show an upward trend or remain stable at a high level, indicating that an increase in the number of data packets helps to ensure or improve the classification accuracy. When all data packets are used, the accuracy indicators show a slight decline in some datasets, possibly due to the introduction of complex factors resulting from the excessive data volume but remain at a relatively high level overall.

In datasets such as ICSC and MQTT, the incremental method demonstrates slightly reduced performance for high-K-value scenarios compared to fixed-K classifiers. This phenomenon primarily stems from its inherent tendency to make classification decisions at lower K values, as evidenced by Table 4 showing an average consumption of 4–5 data packets per classification—indicating that most determinations occur by the third packet. When the third-packet classifier produces suboptimal results despite showing high confidence probabilities, the incremental approach underperforms relative to classifiers employing larger K values (e.g., 7, 8, 9), though the performance disparity remains marginal at less than 1%. Crucially, this minor limitation does not diminish the incremental method’s significant advantages over fixed-K-value approaches, as it successfully maintains an optimal balance between rapid classification speed (achieving decisions in 3–5 packets) and sustained high accuracy across various operational scenarios.

In addition, on the four datasets, the accuracy indicators obtained by the incremental method are comparable to those at a high K value and are even better in some datasets. The classification time, compared with that at a high K value, is significantly shortened, with the maximum time being no more than 90% of the classification time at a high K value, greatly improving the classification efficiency. The experiments conducted on these four datasets have comprehensively validated the theory concerning the influence of the incremental method on classification performance and time. As the K value increases, more packet information is utilized for classification, resulting in an increase in classification time. The classification accuracy stabilizes when the K value reaches a certain point. In contrast, the incremental method not only ensures a high accuracy rate but also features an extremely rapid classification speed, demonstrating remarkable advantages across different datasets. This provides a solid foundation for the selection of classification strategies and offers an efficient solution for large-scale data classification.

5. Discussion

The experiments assessed the performance of various feature selection methods and classification strategies across the VPN, Tor, and ICSC traffic datasets. Based on the previous results and analyses, the following key conclusions can be drawn:

(1) Balanced Confidence Levels for Practical Applications

Increasing the confidence threshold enhances classification accuracy for VPN traffic, whereas classification accuracy for Tor and ICSC traffic remains stable across confidence levels. Notably, classification time for Tor and ICSC traffic at a 100% confidence level significantly increases, indicating that excessively high thresholds can reduce processing efficiency. It is crucial to balance classification accuracy and processing efficiency in practical applications, adapting the confidence threshold according to specific requirements. For scenarios demanding high classification accuracy, the threshold can be increased, but considerations regarding efficiency must be made. Conversely, in cases where processing efficiency is paramount, high confidence thresholds should be avoided to maintain system responsiveness.

(2) Advantages of the Incremental Strategy

The incremental strategy balances classification accuracy and speed more effectively than the fixed K-value method. This approach optimizes classification performance in response to real-time traffic variations by dynamically adjusting the K value. This method achieves a favorable combination of high classification accuracy and reduced classification time across datasets, particularly in VPN and ICSC datasets, where classification accuracy is nearly at the maximum level of the fixed K-value approach but with significantly less time required. The flexibility of the incremental strategy allows it to adapt to changing traffic conditions, overcoming limitations inherent in fixed K-value methods. Additionally, it reduces redundant computations and enhances processing efficiency, making it particularly beneficial for large-scale traffic data processing.

(3) Performance of SwiftSession in Real-Time Scenarios

SwiftSession demonstrates superior classification accuracy and speed performance compared to existing methods. Future research should investigate the potential of SwiftSession to enhance classification accuracy across different traffic types while preserving its time efficiency, exploring combinations with advanced algorithms for improved performance.

(4) Limitations of the SwiftSession Method

SwiftSession’s performance may be challenging in complex network environments with diverse applications and protocols. While it performs well in the tested datasets, it may need help with traffic that exhibits convoluted patterns or diverges significantly from the training data. For example, networks with numerous custom-built applications may present challenges for the statistical and sequential features utilized by SwiftSession, leading to potential misclassifications. Additionally, as network traffic volume continues to grow exponentially, the scalability of SwiftSession must be further evaluated. Despite the incremental strategy easing computational burdens, the real-time handling of massive traffic data may still need to be improved, particularly during peak influxes. This could impact the method’s real-time performance, which is a crucial advantage. The method and its advantages discussed in this paper are applicable to environments with long flows (More than four packets). It is not capable of classifying small flows effectively.

Future Work

In future research work, the following aspects can be explored:

• Consider performing feature extraction at intervals of every $\mathit{S}$ data packet, and explore the effectiveness and performance of feature extraction under this approach.
• In the machine-learning model part, select a model with a wider recognition ability to reduce the model’s space consumption and improve its operational efficiency.
• Conduct in-depth research and introduce more advanced feature extraction techniques. Meanwhile, explore the technology for automatically selecting statistical features in different environments to enhance the system’s adaptability in complex environments.

6. Conclusions

This paper introduces SwiftSession, a flow recognition method that concurrently extracts sequential and statistical features from original flow sequences to classify traffic flows. SwiftSession incrementally models flow based on the initial K packets, utilizing path signatures to compute sequential features and integrating statistical features from these packets for classification. The combination of statistical and sequential features enables SwiftSession to effectively capture representative information, thereby enhancing classification performance. Additionally, leveraging the initial packets contributes to the method’s efficiency in practical applications. Our validation on real-world network datasets shows that SwiftSession achieves exceptional classification capabilities.