Robust Network Flow Classification against Malicious Feature Manipulation Yupeng Li Dept. of Electrical and Computer Engineering University of Toronto Toronto, Canada yupeng.li@utoronto.ca Ben Liang Dept. of Electrical and Computer Engineering University of Toronto Toronto, Canada liang@ece.utoronto.ca Ali Tizghadam Technology Strategy and Business Transformation TELUS Communications Toronto, Canada ali.tizghadam@telus.com Abstract—Network flow classification is essential to proper provisioning of Quality of Service (QoS). Conventional machine-learning based flow classification methods assume reliable knowledge of the flow features. However, in practice, malicious flow generators can manipulate the flow features to increase the likelihood of certain learning outcomes, e.g., in terms of the QoS requirement label. Training a classifier that is robust to such feature manipulation is imperative. In this work, we present a study on robust flow classification against malicious feature manipulation. We leverage a detailed system model to capture the relation between the classifier and malicious flow generators and propose a Stackelberg- game based solution framework to train a robust classifier. We conduct extensive experimentation using real-world traces. For flows with manipulated features, the Stackelberg classifier trained by our solution framework significantly outperforms a non-robust classifier that is oblivious to manipulation, achieving accuracy close to that of the non-robust classifier on unmanipulated flows. Furthermore, the Stackelberg classifier on manipulated test flows is no worse than the non-robust classifier on unmanipulated flows. I. I NTRODUCTION Network flow classification is crucial for network re- source management, especially to improve Quality of Ser- vice (QoS) [1]. Classical port-based or payload-based ap- proaches are severely ineffective, especially for encrypted traffic [2]–[4]. A series of recent works have proposed methods that employ machine learning techniques and shown promising results [2]–[10]. These methods typically use only the observable flow features, such as the minimum, mean, maximum, and standard deviation of packet lengths and packet inter-arrival times. A common assumption made in these methods is reli- able knowledge of the flow feature values. However, this assumption may not hold, especially when malicious flow generators exist. Such generators have a vested interest in the classification outcome. They manipulate the features of their flows to game the classifier for the purpose of increas- ing the likelihood of outcomes favorable to themselves. For example, a malicious flow generator can change the packet inter-arrival times and the packet size in a flow in an attempt to disguise itself to evade being blocked [11], or to be prioritized for more network bandwidth so that the This work has been funded by grants from TELUS and the Natural Sciences and Engineering Research Council (NSERC) of Canada. flow is completed faster. Though feature manipulation can incur a cost [12], [13], the overall benefit to a malicious generator may be positive. Such malicious behavior can render conventional statistics-based methods ineffective. Specifically, malicious flow generators may be able to manipulate the flow features to best respond to the classification model committed by the classifier. Therefore, a flow from a malicious generator can be misclassified, e.g., in terms of the QoS requirement level. For example, as explained in Sec. V, our experiments with real-world traces suggest that a classifier that is oblivious to such malicious behavior can have a classification accuracy down to below 40%. Thus, a classifier that is robust to feature manipulation is imperative. To the best of our knowledge, none of the existing flow classification methodologies was designed against malicious feature manipulation. In this work, we study the open problem of robust flow classification. The task is to classify flows into multiple classes corresponding to different QoS levels, aiming to map each flow to its true required QoS level. For simplicity in this initial investi- gation, we consider the linear classification model, which can be executed efficiently and is commonly used for flow classification in practice [14]. Our goal is to obtain a flow classifier that is robust to malicious manipulation. To obtain such a robust flow classifier is challenging. First, the feature manipulation of a malicious flow generator is given as a best response to the classification model. Thus, the presented features might be a function of the classifi- cation model itself, which complicates the design space. Second, the features are manipulated after the classifier commits to a model. Such ex ante model can hardly best respond to any malicious manipulation. Third, no training data with manipulated features are available for training the classifier. In this work, we present a system model to capture traffic flows, classifiers, and feature manipulation. We propose a solution framework based on the Stackelberg game to train a robust network flow classifier (see Fig. 1), which we term the Stackelberg classifier. The framework supposes that the flow features can be manipulated during model training. The classifier, after solving a carefully formulated multi- player Stackelberg game, commits to a classification model