e-FlowPrint: Enhanced FlowPrint for Robust Unknown Traffic Detection Using Uncertainty Measures Inspired by Active Learning

Abstract

The increasing prevalence of encryption enhances network traffic confidentiality and integrity but complicates network management and security by obscuring traffic flows. This challenge makes detecting cyberattacks and enforcing policies increasingly difficult. Encrypted Traffic Intelligence (ETI), particularly network traffic classification (NTC), offers solutions using machine learning techniques. However, practical implementation remains challenging due to the inherent complexity of network environments, where traffic feature distributions vary because of factors such as network topology and delay. This variability undermines the robustness of classifiers trained on static datasets. Moreover, dynamic environments increase the likelihood of encountering unknown traffic, where inaccurate identification can lead to high false positive rates, unacceptable in critical applications like billing and cybersecurity. To address these challenges, we propose e-FlowPrint, an enhanced FlowPrint-based open-set recognition (OSR) classifier designed for robust unknown traffic detection. Inspired by uncertainty sampling techniques in active learning, we introduce two novel methods: Probability Anomaly Recognition (PAR) and Entropy-Based Uniformity Analysis (EnUniA). PAR utilizes the disparity between the highest and second-highest classification probabilities; a small disparity indicates uncertainty, suggesting that the sample is likely to be unknown. EnUniA calculates entropy values across all classes, where high entropy indicates a uniform distribution of probabilities, further increasing the likelihood of the sample being unknown. We evaluate the proposed model using the ITC-Net-blend-60 dataset across diverse real-world network environments and conduct long-term performance assessments through three-year network condition simulations. Our results demonstrate that e-FlowPrint improves FlowPrint's unknown traffic detection performance by approximately 30%. Additionally, it enhances overall classifier performance by 2% in varying network environments.
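
The two uncertainty measures named in the abstract, applied to per-class probability vectors, as an added example that is not the authors' code. The threshold values, the normalization of entropy by log(K), the rule that either check alone rejects a sample, and the class labels are assumptions made here; the abstract specifies none of them.

```python
import math

# Assumed thresholds: the abstract gives no values, so these are illustrative.
PAR_MIN_MARGIN = 0.20   # top-1 minus top-2 below this -> uncertain
ENUNIA_MAX_H = 0.80     # normalized entropy above this -> near-uniform

def par_margin(probs):
    """Disparity between the highest and second-highest probability."""
    top1, top2 = sorted(probs, reverse=True)[:2]
    return top1 - top2

def normalized_entropy(probs):
    """Shannon entropy scaled by log(K): 0 = one-hot, 1 = uniform."""
    h = -sum(p * math.log(p) for p in probs if p > 0.0)
    return h / math.log(len(probs))

def open_set_decision(probs, labels):
    """Return (label_or_'unknown', list_of_triggered_checks)."""
    if len(probs) < 2 or len(probs) != len(labels):
        raise ValueError("need one probability per label, at least two classes")
    if any(p < 0 for p in probs) or abs(sum(probs) - 1.0) > 1e-6:
        raise ValueError("probs must be a probability distribution")
    reasons = []
    if par_margin(probs) < PAR_MIN_MARGIN:
        reasons.append("PAR")
    if normalized_entropy(probs) > ENUNIA_MAX_H:
        reasons.append("EnUniA")
    if reasons:  # assumption: either check alone is enough to reject
        return "unknown", reasons
    return labels[probs.index(max(probs))], reasons

# Constructed sample outputs of a 4-class classifier (not from the paper).
LABELS = ["app_a", "app_b", "app_c", "app_d"]
SAMPLES = {
    "confident":    [0.90, 0.05, 0.03, 0.02],
    "two_way_tie":  [0.48, 0.46, 0.04, 0.02],
    "flat_tail":    [0.45, 0.20, 0.18, 0.17],
    "near_uniform": [0.28, 0.26, 0.24, 0.22],
}

if __name__ == "__main__":
    for name, probs in SAMPLES.items():
        label, why = open_set_decision(probs, LABELS)
        print(f"{name:13s} margin={par_margin(probs):.2f} "
              f"H={normalized_entropy(probs):.2f} -> {label} {why}")
```

The `two_way_tie` and `flat_tail` samples show why the measures complement each other: the first trips only the margin check, the second only the entropy check.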