When a RF beats a CNN and GRU, together-A comparison of deep learning and classical machine learning approaches for encrypted malware traffic classification

Internet traffic classification plays a crucial role in Quality of Experience (QoE), Quality of Services (QoS), intrusion detection, and traffic-trend analyses. While there is no theoretical guarantee that deep learning (DL)-based solutions perform better than classic machine learning (ML)-based ones, DL-based models have become the common default. This paper compares well-known DL-based and ML-based models and shows that in the case of malicious traffic classification, state-of-the-art DL-based solutions do not necessarily outperform the classical ML-based ones. We exemplify this finding using two well-known datasets for a varied set of tasks, such as: malware detection, malware family classification, detection of zero-day attacks, and classification of an iteratively growing dataset. Note that, it is not feasible to evaluate all possible models to make a concrete statement, thus the above finding is not a recommendation to avoid DL-based models, but rather an empirical finding that in some cases, there are more simplistic solutions, that may perform even better.

Automated summary

Internet traffic classification is important for QoE, QoS, intrusion detection, and traffic-trend analyses. Although there is no guarantee that DL-based solutions outperform ML-based ones, DL-based models have become the common default. This paper compares well-known DL-based and ML-based models and shows that, in the case of malicious traffic classification, state-of-the-art DL-based solutions do not necessarily outperform classical ML-based ones.