Volume 22, Issue 4 (3-2026)                   JSDP 2026, 22(4): 18-3


Rahnema A, Akhoodad Z. KANFlow: A Novel Approach to Encrypted Traffic Identification Using Kolmogorov-Arnold Network. JSDP 2026; 22 (4) : 1
URL: http://jsdp.rcisp.ac.ir/article-1-1464-en.html
Ph.D. student of IT, University of Qom, Qom, Iran
Abstract:

With the growing use of encryption protocols such as VPN and Tor in digital communication, the identification and classification of encrypted traffic has become one of the core issues in network security and traffic management. It is a major contributor to quality of service (QoS) assurance, resource allocation, user identification, and anomaly detection. However, the sophistication of encrypted traffic structure and the vagueness of behavioral patterns have drastically decreased the effectiveness of conventional approaches such as deep packet inspection (DPI). Despite the progress, typical deep learning models also encounter great difficulties in dealing with encrypted data: they typically need a huge amount of labeled data and lack the capacity to analyze unbalanced data.
To tackle these difficulties, this study proposes a novel hybrid architecture named seqKAN with enhanced interpretability and high accuracy. seqKAN integrates the temporal modeling capability of sequential networks such as LSTM with the distinctive characteristics of Kolmogorov-Arnold networks (KAN), such as the ability to examine nonlinear relationships and intrinsic mathematical transparency. The framework also gains high flexibility and generalizability through modules such as Reproducing Kernel Hilbert Space (RKHS) mapping and Neural Ordinary Differential Equations (ODE). Experiments are performed on benchmark datasets comprising Tor and VPN traffic (ISCXTor2016 and ISCXVPN2016). In this context, by meticulously filtering the streams and addressing unbalanced data via class weighting, the model's stable performance is guaranteed. The ablation study demonstrates that the inclusion of the RKHS layer significantly contributes to the improvement of the model's accuracy and robustness, particularly in encrypted settings. Among the models compared, the seqKAN approach delivered the best performance in F1 score and demonstrated clear superiority in the classification of encrypted traffic. In addition, the interpretability of the model was demonstrated quantitatively and qualitatively with standard feature importance analysis techniques (SHAP and LIME) and KAN's inherent visual analysis. seqKAN automatically extracted key features and patterns in the flow packets and clearly explained each decision; this transparency illustrates the model's superiority over typical methods.
Finally, this research shows that the seqKAN architecture provides a comprehensive, efficient, and reliable solution for intelligent traffic analysis in complex network environments by striking a balance between accuracy, computational efficiency, and interpretability. The findings of this research highlight the high potential of KAN-based hybrid models as the basis for the next generation of transparent and reliable network security tools.

Article number: 1
Type of Study: Research | Subject: Paper
Received: 2025/03/15 | Accepted: 2026/02/8 | Published: 2026/03/20 | ePublished: 2026/03/20


Rights and permissions
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.