Network traffic has experienced substantial growth in recent years, requiring the implementation of more advanced techniques for effective management. In this context, Traffic Classification (TC) helps in successfully handling the network by identifying what is flowing through it. Nowadays, data-driven approaches—viz., Machine Learning (ML) and Deep Learning (DL)—are widely employed to address this task. However, these approaches struggle to keep pace with the ever-changing nature of traffic due to the introduction of new or updated services/apps and exhibit a decision-making process not interpretable. Furthermore, network traffic can vary significantly by geographic area, requiring a decentralized privacy-preserving approach to update classifiers collaboratively. In this work, we propose a Federated Class Incremental Learning (FCIL) framework that integrates Class Incremental Learning (CIL) and Federated Learning (FL) for network TC while incorporating a comprehensive eXplainable Artificial Intelligence (XAI) methodology, tackling the challenges of updating traffic classifiers, managing the geographic diversity of traffic along with data privacy, and interpreting the decision-making process, respectively. To assess our proposal, we leverage two publicly available encrypted network traffic datasets. Our findings uncover that, in small networks, fewer synchronizations facilitate retaining old knowledge, while larger networks reveal an approach-dependent pattern, yet still exhibiting good retention performance. Moreover, in both small and larger networks, frequent updates enhance the assimilation of new information. Notably, BiC+ is the most effective approach in small networks (i.e., 2 clients) while iCaRL+ performs best in larger networks (i.e., 10 clients), obtaining 82% and 79% F1 on CESNET-TLS22, respectively. Leveraging XAI techniques, we analyze the effect of incorporating a per-client bias correction layer. By integrating sample-based and attribution-based explanations, we provide detailed insights into the decision-making process of FCIL approaches.
Explainable federated class incremental learning for Encrypted Network Traffic classification / Carillo, Raffaele; Cerasuolo, Francesco; Bovenzi, Giampaolo; Ciuonzo, Domenico; Pescape', Antonio. - In: COMPUTER NETWORKS. - ISSN 1389-1286. - 269:(2025). [10.1016/j.comnet.2025.111448]
Explainable federated class incremental learning for Encrypted Network Traffic classification
Carillo, Raffaele;Cerasuolo, Francesco;Bovenzi, Giampaolo;Ciuonzo, Domenico;Pescape', Antonio
2025
Abstract
Network traffic has experienced substantial growth in recent years, requiring the implementation of more advanced techniques for effective management. In this context, Traffic Classification (TC) helps in successfully handling the network by identifying what is flowing through it. Nowadays, data-driven approaches—viz., Machine Learning (ML) and Deep Learning (DL)—are widely employed to address this task. However, these approaches struggle to keep pace with the ever-changing nature of traffic due to the introduction of new or updated services/apps and exhibit a decision-making process not interpretable. Furthermore, network traffic can vary significantly by geographic area, requiring a decentralized privacy-preserving approach to update classifiers collaboratively. In this work, we propose a Federated Class Incremental Learning (FCIL) framework that integrates Class Incremental Learning (CIL) and Federated Learning (FL) for network TC while incorporating a comprehensive eXplainable Artificial Intelligence (XAI) methodology, tackling the challenges of updating traffic classifiers, managing the geographic diversity of traffic along with data privacy, and interpreting the decision-making process, respectively. To assess our proposal, we leverage two publicly available encrypted network traffic datasets. Our findings uncover that, in small networks, fewer synchronizations facilitate retaining old knowledge, while larger networks reveal an approach-dependent pattern, yet still exhibiting good retention performance. Moreover, in both small and larger networks, frequent updates enhance the assimilation of new information. Notably, BiC+ is the most effective approach in small networks (i.e., 2 clients) while iCaRL+ performs best in larger networks (i.e., 10 clients), obtaining 82% and 79% F1 on CESNET-TLS22, respectively. Leveraging XAI techniques, we analyze the effect of incorporating a per-client bias correction layer. By integrating sample-based and attribution-based explanations, we provide detailed insights into the decision-making process of FCIL approaches.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
