On the right choice of data from popular datasets for Internet traffic classification

作     者：Krupski, Jacek Iwanowski, Marcin Graniszewski, Waldemar 

作者机构：Warsaw Univ Technol Inst Control & Ind Elect Ul Koszykowa 75 PL-00662 Warsaw Poland 

出 版 物：《COMPUTER COMMUNICATIONS》 (Comput Commun)

年 卷 期：2025年第233卷

核心收录：

学科分类：0810[工学-信息与通信工程] 0808[工学-电气工程] 08[工学] 0812[工学-计算机科学与技术（可授工学、理学学位）] 

基　　金：POB Cybersecurity and Data Analysis of Warsaw University of Technology within the Excellence Initiative: Research University (IDUB) program 

主　　题：Network traffic classification Internet threats detection Traffic data anonymization Machine learning Decision trees 

摘      要：Machine learning (ML) models used to analyze Internet traffic, similar to models in all other fields of ML, need to be fed by training datasets. Many such sets consist of labeled samples of the collected traffic data from harmful and benign traffic classes captured from the actual traffic. Since the traffic recording tools capture all the transmitted data, they contain much information related to the registration process that is irrelevant to the actual traffic class. Moreover, they are not fully anonymized. Thus, there is a need to preprocess the data before proper modeling, which should always be addressed in related studies, but often, this is not done. In our paper, we focus on the dependence of the efficiency of threat detection ML models by selecting the appropriate data samples from the training sets during preprocessing. We are analyzing three popular datasets: USTC-TFC2016, VPN-nonVPN, and TOR-nonTOR, which are widely used in traffic classification, security, and privacy-enhancing technologies research. We show that some choices of data sample pieces, although maximizing the model s efficiency, would not result in similar outcomes in the case of traffic data other than the learning set. The reason is that, in these cases, models are biased due to learning incidental correlations that appear in the datasets used for training the model, introduced by auxiliary data related to the network traffic capturing and transmission process. They are present in popular datasets but may never appear in traffic data. Consequently, the models trained on such datasets, without any preprocessing and anonymization, would never reach the accuracy levels of the training data. Our paper introduces five consecutive levels of anonymization of the traffic data and points out that only the highest provide correct learning results. We validate the results by applying decision trees, random forests, and extra tree models. Having found the optimal part of the header data that may safel