2026

1. Quality of Experience Prediction for First Person Shooter Online Gaming: The Case Study of Call of Duty

   2026

   Yehonatan Zion, Eyal Paz, Ran Dubin, Amit Dvir, and Chen Hajaj

   Proceedings of the IEEE Consumer Communications & Networking Conference (CCNC 2026)

   Latency is the most impactful on fairness and Quality of Experience (QoE) in First-Person Shooter (FPS) games. High latency degrades the QoE of players, who may leave the game if unsatisfied with their QoE. Modern FPS games make great efforts to maintain an excellent QoE even under a poor Internet connection with high latency. Those efforts include the wide distribution of game servers and many software optimizations to smooth the effect of lags in the games. This study aims to provide insights into QoE estimation for network-intensive applications by examining one of the most prominent FPS games of the past two decades: Call of Duty. We observed that the game dynamically adjusts its network traffic behavior, including packet size and transmission rate, in response to variations in network quality. However, the ISP does not have this capability since the network traffic is encrypted; observing the game’s network traffic does not expose its nature and most certainly does not expose the game player’s intensity, latency, or QoE. We propose a novel technique for estimating latency and QoE in FPS games from an ISP-level perspective. In our evaluation, the model detected problematic latency in near real-time with 81% accuracy and an 80% F1 on a 10-second window, highlighting a trade-off between responsiveness and predictive performance. The dataset generated for this study is publicly available to support further research.

2025

1. Enhancing Encrypted Internet Traffic Classification Through Advanced Data Augmentation Techniques

   2025

   Yehonatan Zion, Porat Aharon, Ran Dubin, Amit Dvir, and Chen Hajaj

   Proceedings of the IEEE International Conference on Communications

   The increasing popularity of online services has made Internet Traffic Classification a critical field of study. However, the rapid development of internet protocols and encryption limits usable data availability. This paper addresses the challenges of classifying encrypted Internet Traffic, focusing on the scarcity of open-source datasets and limitations of existing ones. We propose two Data Augmentation (DA) techniques to synthetically generate data based on real samples: Average augmentation and MTU augmentation. Both augmentations are aimed to improve the performance of the classifier, each from a different perspective: The Average augmentation aims to increase dataset size by generating new synthetic samples, while the M T U augmentation enhances classifier robustness to varying Maximum Transmission Units (MTUs). Our experiments, conducted on two well-known academic datasets and a commercial dataset, demonstrate the effectiveness of these approaches in improving model performance and mitigating constraints associated with limited and homogeneous datasets. Our findings underscore the potential of data augmentation in addressing the challenges of modern Internet Traffic classification. Specifically, we show that our augmentation techniques significantly enhance encrypted traffic classification models. This improvement can positively impact user Quality of Experience (QoE) by more accurately classifying traffic as video streaming (e.g., YouTube) or chat (e.g., Google Chat). Additionally, it can enhance Quality of Service (QoS) for file downloading activities (e.g., Google Docs).

   DOI
2. PQClass: Classification of Post-Quantum Encryption Applications in Internet Traffic

   2025

   Angelos Marnerides, Chen Hajaj, Revital Marbel, Ran Dubin, and Amit Dvir

   Proceedings of the IEEE International Conference on Communications

   Post-quantum cryptography (PQC) is expected to revolutionize secure communications in next-generation digital ecosystems. Previous and ongoing activities demonstrate that different PQC algorithms significantly impact traffic latency, but they do not yet provide a scheme to assess the existence of the PQC algorithm or its identification when encrypted traffic is analyzed for traffic engineering purposes. Hence, this work is the first to propose a novel PQClass pipeline for classifying encrypted Internet traffic of recently NIST-approved PQC algorithms. Hence, it establishes solid grounds for enabling engineers to optimize their networks and, in parallel, for cybersecurity practitioners to familiarise themselves with PQC algorithmic properties for enhancing or devising security architectures in diverse setups. Our pipeline demonstrates impressive performance on real-world data, achieving 86% accuracy in detecting the presence of a PQC algorithm and 91% and 98% accuracy in identifying the browser and OS, respectively, based on PQC-based traffic.

   DOI
3. ★ A Classification-by-Retrieval Framework for Few-Shot Anomaly Detection to Detect API Injection

   2025

   Udi Aharon, Ran Dubin, Amit Dvir, and Chen Hajaj

   Computers & Security

   Application Programming Interface (API) Injection attacks refer to the unauthorized or malicious use of APIs, which are often exploited to gain access to sensitive data or manipulate online systems for illicit purposes. Identifying actors that deceitfully utilize an API poses a demanding problem. Although there have been notable advancements and contributions in the field of API security, there remains a significant challenge when dealing with attackers who use novel approaches that don’t match the well-known payloads commonly seen in attacks. Also, attackers may exploit standard functionalities unconventionally and with objectives surpassing their intended boundaries. Thus, API security needs to be more sophisticated and dynamic than ever, with advanced computational intelligence methods, such as machine learning models that can quickly identify and respond to abnormal behavior. In response to these challenges, we propose a novel unsupervised few-shot anomaly detection framework composed of two main parts: First, we train a dedicated generic language model for API based on FastText embedding. Next, we use Approximate Nearest Neighbor search in a classification-by-retrieval approach. Our framework allows for training a fast, lightweight classification model using only a few examples of normal API requests. We evaluated the performance of our framework using the CSIC 2010 and ATRDF 2023 datasets. The results demonstrate that our framework improves API attack detection accuracy compared to the state-of-the-art (SOTA) unsupervised anomaly detection baselines.

   Abstract DOI

2024

1. ★ The Art of Time-Bending: Data Augmentation and Early Prediction for Efficient Traffic Classification

   2024

   Chen Hajaj, Porat Aharon, Ran Dubin, and Amit Dvir

   Expert Systems with Applications

   Computational efficiency is an important consideration for deploying machine learning models for time series prediction in an online setting. Machine learning algorithms adjust model parameters automatically based on the data, but often require users to set additional parameters, known as hyperparameters. Hyperparameters can significantly impact prediction accuracy. Traffic measurements, typically collected online by sensors, are serially correlated. Moreover, the data distribution may change gradually. A typical adaptation strategy is periodically re-tuning the model hyperparameters, at the cost of computational burden. In this work, we present an efficient and principled online hyperparameter optimization algorithm for Kernel Ridge regression applied to traffic prediction problems. In tests with real traffic measurement data, our approach requires as little as one-seventh of the computation time of other tuning methods, while achieving better or similar prediction accuracy.

   Abstract DOI
2. CBR–Boosting Adaptive Classification By Retrieval of Encrypted Network Traffic with Out-of-Distribution

   2024

   Amir Lukach, Ran Dubin, Amit Dvir, and Chen Hajaj

   arXiv preprint arXiv:2403.11206

   Encrypted network traffic Classification tackles the problem from different approaches and with different goals. One of the common approaches is using Machine learning or Deep Learning-based solutions on a fixed number of classes, leading to misclassification when an unknown class is given as input. One of the solutions for handling unknown classes is to retrain the model, however, retraining models every time they become obsolete is both resource and time-consuming. Therefore, there is a growing need to allow classification models to detect and adapt to new classes dynamically, without retraining, but instead able to detect new classes using few shots learning [1]. In this paper, we introduce Adaptive Classification By Retrieval CBR, a novel approach for encrypted network traffic classification. Our new approach is based on an ANN-based method, which allows us to effectively identify new and existing classes without retraining the model. The novel approach is simple, yet effective and achieved similar results to RF with up to 5% difference (usually less than that) in the classification tasks while having a slight decrease in the case of new samples (from new classes) without retraining. To summarize, the new method is a real-time classification, which can classify new classes without retraining. Furthermore, our solution can be used as a complementary solution alongside RF or any other machine/deep learning classification method, as an aggregated solution.
3. OSF-EIMTC: An Open-Source Framework for Standardized Encrypted Internet Traffic Classification

   2024

   Ofek Bader, Adi Lichy, Amit Dvir, Ran Dubin, and Chen Hajaj

   Computer Communications

   Internet traffic classification plays a key role in network visibility, Quality of Services (QoS), intrusion detection, Quality of Experience (QoE) and traffic-trend analyses. In order to improve privacy, integrity, confidentiality, and protocol obfuscation, the current traffic is based on encryption protocols, e.g., SSL/TLS. With the increased use of Machine-Learning (ML) and Deep-Learning (DL) models in the literature, comparison between different models and methods has become cumbersome and difficult due to a lack of a standardized framework. In this paper, we propose an open-source framework, named OSF-EIMTC, which can provide the full pipeline of the learning process. From the well-known datasets to extracting new and well-known features, it provides implementations of well-known ML and DL models (from the traffic classification literature) as well as evaluations. Such a framework can facilitate research in traffic classification domains, so that it will be more repeatable, reproducible, easier to execute, and will allow a more accurate comparison of well-known and novel features and models.

   DOI
4. Hidden in Time, Revealed in Frequency: Spectral Features and Multiresolution Analysis for Encrypted Internet Traffic Classification

   2024

   Nathan Dillbary, Roi Yozevitch, Amit Dvir, Ran Dubin, and Chen Hajaj

   2024 IEEE 21st Consumer Communications & Networking Conference (CCNC)

   In recent years, privacy and security concerns have led to the wide adoption of encrypted protocols, making encrypted traffic a major portion of overall communications online. The transition into more secure protocols poses significant challenges for internet service providers to utilize traditional traffic classification techniques in order to guarantee the Quality of Service (QoS), Quality of Experience (QoE), and cyber-security of their customers. In this work, we introduce two methods, namely STFT-TC and DWT-TC, leveraging compact time-series representation coupled with well-known techniques from the field of Digital Signal Processing (DSP): the short-time Fourier transform (STFT) and the discrete wavelet transform (DWT). The STFT-TC method extracts a suite of statistical and spectral features from the magnitude spectrogram, offering a fresh perspective on interpreting and classifying encrypted traffic. The DWT-TC method extracts statistical features from the wavelet coefficients and incorporates unique characteristics that describe the signal’s shape and energy distribution. Evaluating our methods on two public QUIC datasets demonstrated improvements in accuracy of up to 5.7%. Similarly, the F1-scores also showed enhancements, with increments of up to 5.9% for the same datasets.

   DOI
5. Revolutionizing Our Way to Better Classifiers: Leveraging Synthetic Data with Generative Models for Encrypted Network Traffic Classification

   2024

   Yehonatan Zion, Chen Hajaj, Amit Dvir, Gil Ben-Artzi, Shahar Mahpod, and Ran Dubin

   Available at SSRN 4654236

2023

1. When a RF Beats a CNN and GRU, Together—A Comparison of Deep Learning and Classical Machine Learning Approaches for Encrypted Malware Traffic Classification

   2023

   Adi Lichy, Ofek Bader, Ran Dubin, Amit Dvir, and Chen Hajaj

   Computers & Security

   Internet traffic classification is widely used to facilitate network management. It plays a crucial role in Quality of Services (QoS), Quality of Experience (QoE), network visibility, intrusion detection, and traffic trend analyses. While there is no theoretical guarantee that deep learning (DL)-based solutions perform better than classic machine learning (ML)-based ones, DL-based models have become the common default. This paper compares well-known DL-based and ML-based models and shows that in the case of malicious traffic classification, state-of-the-art DL-based solutions do not necessarily outperform the classical ML-based ones. We exemplify this finding using two well-known datasets for a varied set of tasks, such as: malware detection, malware family classification, detection of zero-day attacks, and classification of an iteratively growing dataset. Note that, it is not feasible to evaluate all possible models to make a concrete statement, thus, the above finding is not a recommendation to avoid DL-based models, but rather empirical proof that in some cases, there are more simplistic solutions, that may perform even better.

   DOI

2022

1. SimCSE for Encrypted Traffic Detection and Zero-Day Attack Detection

   2022

   Rotem Bar, and Chen Hajaj

   IEEE Access

   Traffic detection has attracted much attention in recent years, playing an essential role in intrusion detection systems (IDS). This paper proposes a new approach for traffic detection at the packet level, inspired by natural language processing (NLP), using simple contrastive learning of sentence embeddings (SimCSE) as an embedding model. The new approach can learn the features of traffic from raw packet data. Experiments were conducted on two well-known datasets to evaluate our approach. For detecting malicious activity, our model achieved an accuracy of 99.99% on the USTC-TFC2016 dataset, whereas for detecting virtual private network (VPN) activity, our model achieved an accuracy of 99.98% on the ISCXVPN2016 dataset. Furthermore, the resulting model was found to be robust based on zero-day attack detection, which shows the model’s ability to detect attacks that have not been seen before. Experiments show that our approach can effectively detect network traffic and outperforms many other state-of-the-art methods.

   DOI
2. MalDIST: From Encrypted Traffic Classification to Malware Traffic Detection and Classification

   2022

   Ofek Bader, Adi Lichy, Chen Hajaj, Ran Dubin, and Amit Dvir

   2022 IEEE 19th annual consumer communications & networking conference (CCNC)

   The world of malware is shifting towards using encrypted traffic. While encryption improves the privacy of users, it brings challenges in the fields of QoS, QoE, and cybersecurity. Recent state-of-the-art Deep-Learning architectures for encrypted traffic classifications demonstrated superb results in tasks of traffic categorization over encrypted traffic. In this paper, we leverage the feasibility to use such architectures for the tasks of malware detection and classification to gain insights into how well these architectures perform in the domain of malware traffic. Specifically, we present a Deep-Learning model for malware traffic detection and classification (MalDIST), which outperforms both classical ML and DL malware traffic classification models both in terms of detection and classification.

   DOI

2021

1. PCL: Packet Classification with Limited Knowledge

   2021

   Vitalii Demianiuk, Chen Hajaj, and Kirill Kogan

   IEEE INFOCOM 2021-IEEE Conference on Computer Communications

   We introduce a novel representation of packet classifiers allowing to operate on partially available input data varying dynamically. For a given packet classifier, availability of fields or complexity of field computations, and free target specific resources, the proposed infrastructure computes a classifier representation satisfying performance and robustness requirements. We show the feasibility to reconstruct a classification result in this noisy environment, allowing for the improvement of performance and the achievement of additional robustness levels of network infrastructure. Our results are supported by extensive evaluations in various settings where only a partial input is available.

   DOI

2020

1. Encrypted Video Traffic Clustering Demystified

   2020

   Amit Dvir, Angelos K Marnerides, Ran Dubin, Nehor Golan, and Chen Hajaj

   Computers & Security

   Cyber threat intelligence officers and forensics investigators often require the behavioural profiling of groups based on their online video viewing activity. It has been demonstrated that encrypted video traffic can be classified under the assumption of using a known subset of video titles based on temporal video viewing trends of particular groups. Nonetheless, composing such a subset is extremely challenging in real situations. Therefore, this work exhibits a novel profiling scheme for encrypted video traffic with no a priori assumption of a known subset of titles. It introduces a seminal synergy of Natural Language Processing (NLP) and Deep Encoder-based feature embedding algorithms with refined clustering schemes from off-the-shelf solutions, in order to group viewing profiles with unknown video streams. This study is the first to highlight the most computationally effective, accurate combinations of feature embedding and clustering using real datasets, thereby, paving the way to future forensics tools for automated behavioural profiling of malicious actors.

   DOI
2. Robust Machine Learning for Encrypted Traffic Classification

   2020

   Jonathan Muehlstein, Yehonatan Zion, Ofir Pele, Chen Hajaj, Ran Dubin, and Amit Dvir

   CoRR

   Desktops and laptops can be maliciously exploited to violate privacy. In this paper, we consider the daily battle between the passive attacker who is targeting a specific user against a user that may be adversarial opponent. In this scenario, while the attacker tries to choose the best vector attack by surreptitiously monitoring the victims encrypted network traffic in order to identify users parameters such as the Operating System (OS), browser and apps. The user may use tools such as a Virtual Private Network (VPN) or even change protocols parameters to protect his/her privacy. We provide a large dataset of more than 20,000 examples for this task. We run a comprehensive set of experiments, that achieves high (above 85) classification accuracy, robustness and resilience to changes of features as a function of different network conditions at test time. We also show the effect of a small training set on the accuracy.