F3l:an automated and secure function-level low-overhead labeled encrypted traffic dataset construction method for IM in Android  

作　　者：Keya Xu Guang Cheng 

机构地区：[1]School of Cyber Science and Engineering,Southeast University,Nanjing,China [2]Jiangsu Province Engineering Research Center of Security for Ubiquitous Network,Nanjing,China [3]Purple Mountain Laboratories,Nanjing,China

出　　处：《Cybersecurity》2025年第1期45-60,共16页网络空间安全科学与技术(英文)

基　　金：supported by the General Program of the National Natural Science Foundation of China under Grant No.62172093.

摘　　要：Fine-grained function-level encrypted traffic classification is an essential approach to maintaining network security.Machine learning and deep learning have become mainstream methods to analyze traffic,and labeled dataset construction is the basis.Android occupies a huge share of the mobile operating system market.Instant Messaging(IM)applications are important tools for people communication.But such applications have complex functions which frequently switched,so it is difficult to obtain function-level labels.The existing function-level public datasets in Android are rare and noisy,leading to research stagnation.Most labeled samples are collected with WLAN devices,which cannot exclude the operating system background traffic.At the same time,other datasets need to obtain root permission or use scripts to simulate user behavior.These collecting methods either destroy the security of the mobile device or ignore the real operation features of users with coarse-grained.Previous work(Chen et al.in Appl Sci 12(22):11731,2022)proposed a one-stop automated encrypted traffic labeled sample collection,construction,and correlation system,A3C,running at the application-level in Android.This paper analyzes the display characteristics of IM and proposes a function-level low-overhead labeled encrypted traffic datasets construction method for Android,F3L.The supplementary method to A3C monitors UI controls and layouts of the Android system in the foreground.It selects the feature fields of attributes of them for different in-app functions to build an in-app function label matching library for target applications and in-app functions.The deviation of timestamp between function invocation and label identification completion is calibrated to cut traffic samples and map them to corresponding labels.Experiments show that the method can match the correct label within 3 s after the user operation.

关 键 词：Encrypted traffic Deep learning ANDROID Labeled dataset 

分 类 号：TP309.7[自动化与计算机技术—计算机系统结构]