Machine Learning-Based Classification of Encrypted VPN and Non-VPN Traffic with Temporal Features Analysis

Dilawer Khan; Musawer Hamad Khan; Muhammad Bilal; Hameed Ullah Khan; Shafiq Ur Rehman Khan; Alishba Khalid

Authors

Dilawer Khan Department of Computer Science, Namal University, Mianwali, Pakistan
Musawer Hamad Khan Department of Computer Science, Namal University, Mianwali, Pakistan
Muhammad Bilal Department of Computer Science, Namal University, Mianwali, Pakistan
Hameed Ullah Khan Department of Computer Science, Sir Syed CASE Institute of Technology, Islamabad, Pakistan
Shafiq Ur Rehman Khan Department of Computer Science, Namal University, Mianwali, Pakistan
Alishba Khalid Department of Computer Science, Namal University, Mianwali, Pakistan

Keywords:

Cryptography, Feature Extraction, Radio Frequency, Internet, Protocols, Performance Evaluation, Static VAr Compensators, Traffic Classification, Mobile Apps, Android Apps, iOS Apps, Encrypted Traffic, Deep Learning, Automatic Feature Extraction

Abstract

As Virtual Private Network (VPN) usage increases globally for privacy preservation and unrestricted access, distinguishing VPN traffic from regular internet traffic has become both critically important and challenging. Traditional detection methods relying on port-based rules and deep packet inspection are no longer reliable against encrypted communications, prompting the need for smarter, adaptive, machine learning (ML) solutions. This study proposes a comprehensive ML-based framework to classify VPN and non-VPN traffic using a large-scale, balanced dataset of approximately six million packets, covering common application types (Mail, Video Conferencing, SSH, Non-Streaming) and five VPN protocols (L2TP, OpenVPN, PPTP, SSTP, and WireGuard). Five models were evaluated: Logistic Regression, Decision Tree, K-Nearest Neighbors (KNN), Random Forest, and Artificial Neural Networks (ANN). When temporal (i.e., timestamp) features were included, KNN, Random Forest, and ANN achieved perfect classification accuracy of 100%, while Logistic Regression and Decision Tree reached 99%. Upon removal of timestamp features to simulate temporal generalizability, accuracy declined substantially across all models: Logistic Regression dropped to 67%, ANN to 86%, KNN to 90%, and both Decision Tree and Random Forest achieved 92%. False positive rates without timestamps ranged from 0.009% (Logistic Regression) to 31.1% (Decision Tree), and false negative rates ranged from 0% to 39.1%. Critically, source and destination port numbers emerged as the most discriminative features for accurate classification, with VPN traffic concentrated on just 11 of over 1,700 observed ports. These findings demonstrate the significant role of temporal features in VPN traffic classification, quantify the performance degradation caused by their removal (timestamp bias), and establish that ML-based approaches—particularly ensemble methods—can effectively address the challenges of encrypted traffic analysis even in temporally limited training scenarios.

References

G. Cusack, O. Michel, and E. Keller, “Machine learning-based detection of ransomware using SDN,” SDN-NFVSec 2018 - Proc. 2018 ACM Int. Work. Secur. Softw. Defin. Networks Netw. Funct. Virtualization, Co-located with CODASPY 2018, vol. 2018-January, pp. 1–6, Mar. 2018, doi: 10.1145/3180465.3180467.

Rajat Chaudhary, Gagangeet Singh Aujla, Neeraj Kumar, Pushpinder Kaur Chouhan, “A comprehensive survey on software-defined networking for smart communities,” Int. J. Commun. Syst., 2022, doi: https://doi.org/10.1002/dac.5296.

A. Rahman et al., “Impacts of blockchain in software-defined Internet of Things ecosystem with Network Function Virtualization for smart applications: Present perspectives and future directions,” Int. J. Commun. Syst., vol. 38, no. 1, p. e5429, Jan. 2025, doi: 10.1002/dac.5429.

Saida Hafsa Rafique, Amira Abdallah, “Machine learning and deep learning techniques for internet of things network anomaly detection—current research trends,” Sensors, vol. 24, no. 6, p. 1968, 2024, doi: https://doi.org/10.3390/s24061968.

I. Ahmad, T. Kumar, M. Liyanage, J. Okwuibe, M. Ylianttila, and A. Gurtov, “Overview of 5G Security Challenges and Solutions,” IEEE Commun. Stand. Mag., vol. 2, no. 1, pp. 36–43, Mar. 2018, doi: 10.1109/MCOMSTD.2018.1700063.

O. M. S. Hassan and F. Keti, “A Review on the Challenges and Opportunities of Software Defined Networks Toward 5G and 6G,” Eur. J. Appl. Sci. Eng. Technol., vol. 3, no. 2, pp. 55–66, Mar. 2025, doi: 10.59324/EJASET.2025.3(2).05.

Kurniabudi, Benni Purnama, “Network anomaly detection research: A survey,” Indones. J. Electr. Eng. Informatics, vol. 7, no. 1, pp. 36–49, 2019, doi: 10.11591/ijeei.v7i1.773.

Reham T. Elmaghraby, Nada M. Abdel Aziem, “Encrypted network traffic classification based on machine learning,” Ain Shams Eng. J., vol. 15, no. 2, 2024, doi: https://doi.org/10.1016/j.asej.2023.102361.

Xinge Yan, Liukun He, “High-speed encrypted traffic classification by using payload features,” Digit. Commun. Networks, vol. 11, no. 2, pp. 412–423, 2025, doi: https://doi.org/10.1016/j.dcan.2024.02.003.

Ayodeji Olalekan Salau & Melesew Mossie Beyene, “Software defined networking based network traffic classification using machine learning techniques,” Sci. Rep., vol. 14, 2024, [Online]. Available: https://www.nature.com/articles/s41598-024-70983-6

Z. Wang, Y. Yang, and Y. Wang, “A Survey of Encrypted Traffic Classification: Datasets, Representation, Approaches and Future Thinking,” 2024 IEEE/ACIS 24th Int. Conf. Comput. Inf. Sci. ICIS 2024 - Proc., pp. 113–120, 2024, doi: 10.1109/ICIS61260.2024.10778376.

F. Dehghani, N. Movahhedinia, M. R. Khayyambashi, and S. Kianian, “Real-time traffic classification based on statistical and payload content features,” Proc. - 2010 2nd Int. Work. Intell. Syst. Appl. ISA 2010, 2010, doi: 10.1109/IWISA.2010.5473467.

P. Velan, M. Čermák, P. Čeleda, and M. Drašar, “A survey of methods for encrypted traffic classification and analysis,” Int. J. Netw. Manag., vol. 25, no. 5, pp. 355–374, Sep. 2015, doi: 10.1002/nem.1901.

Jia Xing Qu, Guo Yin Zhang, “A Parallel Method of Deep Packet Inspection based on Message-Passing Interface,” Int. J. Secur. its Appl., vol. 9, no. 12, 2025, [Online]. Available: https://www.semanticscholar.org/paper/A-Parallel-Method-of-Deep-Packet-Inspection-based-Qu-Zhang/2f07ab83d1cc345bfb8a869847dfc57aa33282c1

Kevin P. Dyer, Scott E. Coull, “Protocol misidentification made easy with format-transforming encryption,” Proc. ACM Conf. Comput. Commun. Secur., pp. 61–72, 2013, [Online]. Available: https://dl.acm.org/doi/10.1145/2508859.2516657

S. Z. Weishi Sun, Yaning Zhang, Jie Li, Chenxing Sun, “A Deep Learning-Based Encrypted VPN Traffic Classification Method Using Packet Block Image,” Electronics, vol. 12, no. 1, p. 115, 2023, doi: https://doi.org/10.3390/electronics12010115.

M. Shen et al., “Machine Learning-Powered Encrypted Network Traffic Analysis: A Comprehensive Survey,” IEEE Commun. Surv. Tutorials, vol. 25, no. 1, pp. 791–824, 2023, doi: 10.1109/COMST.2022.3208196.

Y. S. Razooqi and A. Pekar, “Vpn traffic analysis: A survey on detection and application identification,” IEEE Access, vol. 13, pp. 132830–132848, 2025, doi: 10.1109/ACCESS.2025.3592152.

M. Dusi, M. Crotti, F. Gringoli, and L. Salgarelli, “Detection of encrypted tunnels across network boundaries,” IEEE Int. Conf. Commun., pp. 1738–1744, 2008, doi: 10.1109/ICC.2008.334.

Mohammad Lotfollahi, Ramin Shirali Hossein Zade, Mahdi Jafari Siavoshani, Mohammdsadegh Saberian, “Deep Packet: A Novel Approach For Encrypted Traffic Classification Using Deep Learning,” arXiv:1709.02656, 2018, [Online]. Available: https://arxiv.org/abs/1709.02656

M. Shen, M. Wei, L. Zhu, and M. Wang, “Classification of Encrypted Traffic with Second-Order Markov Chains and Application Attribute Bigrams,” IEEE Trans. Inf. Forensics Secur., vol. 12, no. 8, pp. 1830–1843, Aug. 2017, doi: 10.1109/TIFS.2017.2692682.

Afeez Ajani Afuwape, Ying Xu, “Performance evaluation of secured network traffic classification using a machine learning approach,” Comput. Stand. Interfaces, vol. 78, p. 103545, 2021, doi: https://doi.org/10.1016/j.csi.2021.103545.

Dimitrios Effrosynidis, Avi Arampatzis, “An evaluation of feature selection methods for environmental data,” Ecol. Inform., vol. 61, p. 101224, 2021, doi: https://doi.org/10.1016/j.ecoinf.2021.101224.

Zhonghang Sui, Hui Shu, “A comprehensive review of tunnel detection on multilayer protocols: From traditional to machine learning approaches,” Appl. Sci., vol. 13, no. 3, p. 1974, 2023, doi: https://doi.org/10.3390/app13031974.

Eva Papadogiannaki, Sotiris Ioannidis, “A survey on encrypted network traffic analysis applications, techniques, and countermeasures,” ACM Comput. Surv., vol. 54, no. 6, pp. 1–35, 2021, [Online]. Available: https://dl.acm.org/doi/10.1145/3457904

Amin Shahraki, Mahmoud Abbasi, “Active Learning for Network Traffic Classification: A Technical Study,” IEEE Trans. Cogn. Commun. Netw., vol. 8, no. 1, pp. 422–439, 2022, doi: 10.1109/TCCN.2021.3119062.

M. A. Sulaiman and J. Labadin, “Feature selection based on mutual information for machine learning prediction of petroleum reservoir properties,” 2015 9th Int. Conf. IT Asia Transform. Big Data into Knowledge, CITA 2015 - Proc., Dec. 2015, doi: 10.1109/CITA.2015.7349827.

Payap Sirinam, Marc Juarez, “Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning,” Proc. ACM Conf. Comput. Commun. Secur., 2018, [Online]. Available: https://dl.acm.org/doi/10.1145/3243734.3243768

G. Aceto, D. Ciuonzo, A. Montieri, and A. Pescapé, “Mobile encrypted traffic classification using deep learning: Experimental evaluation, lessons learned, and challenges,” IEEE Trans. Netw. Serv. Manag., vol. 16, no. 2, pp. 445–458, Jun. 2019, doi: 10.1109/TNSM.2019.2899085.