When a RF beats a CNN and GRU, together—A comparison of deep learning and classical machine learning approaches for encrypted malware traffic classification

Adi Lichy, Ofek Bader, Ran Dubin, Amit Dvir, Chen Hajaj

Research output: Contribution to journal › Article › peer-review

14 Scopus citations

Abstract

Internet traffic classification plays a crucial role in Quality of Experience (QoE), Quality of Service (QoS), intrusion detection, and traffic-trend analyses. While there is no theoretical guarantee that deep learning (DL)-based solutions perform better than classic machine learning (ML)-based ones, DL-based models have become the common default. This paper compares well-known DL-based and ML-based models and shows that, in the case of malicious traffic classification, state-of-the-art DL-based solutions do not necessarily outperform the classical ML-based ones. We exemplify this finding using two well-known datasets for a varied set of tasks, such as malware detection, malware family classification, detection of zero-day attacks, and classification of an iteratively growing dataset. Note that it is not feasible to evaluate all possible models to make a concrete statement; thus the above finding is not a recommendation to avoid DL-based models, but rather an empirical finding that in some cases there are simpler solutions that may perform even better.

Original language: English
Article number: 103000
Journal: Computers and Security
Volume: 124
DOIs
State: Published - Jan 2023

Keywords

  • Deep learning
  • Encrypted traffic classification
  • Machine learning
  • Malware classification
  • Malware detection
