2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)

Abstract

With the widespread use of tunnel technology, the volume of encrypted tunnel traffic rises sharply, which brings a new challenge to traditional encrypted traffic identification. A number of real-world application scenarios, including Quality of Service and intrusion detection, have put forward new requirements for identifying numerous tunnels, applications, and fine-grained behavior. However, previous studies and datasets on encrypted tunnel traffic identification fail to meet these requirements due to their low dataset coverage and coarse label granularity. These weaknesses further affect the extracted features based on these datasets, making them unable to adequately characterize encrypted tunnel traffic. In this paper, we refine the previous tunnel traffic identification granularity from prevalent application identification to behavior identification, and propose LFETT2021, a large-scale fine-grained encrypted tunnel traffic dataset. Our dataset expands the coverage to two operating system platforms, five tunnels, 23 applications, and 76 behaviors. Furthermore, we propose a set of Time-Packet-Related features to better characterize encrypted tunnel traffic. Our comprehensive experiments on LFETT2021 and Time-Packet-Related features show the best average precision of 85% and recall of 88% in 3 different granularity identification scenarios.