Tokenized Flow-Statistics Encrypted Traffic Analysis: Comparative Evaluation of 1D-CNN, BiLSTM, and Transformer on ISCX VPN-nonVPN 2016 (A1+A2, 60 s)

Authors

  • Meng-Ju Kuo, Department of Electrical and Computer Engineering, CMU, PA, USA
  • Boning Zhang, Computer Science, Georgetown University, DC, USA
  • Haozhe Wang, Operations Research and Information Engineering, Cornell, NY, USA

DOI:

https://doi.org/10.69987/JACS.2023.30804

Keywords:

Encrypted traffic analysis, VPN detection, traffic classification, flow features, deep learning, 1D-CNN, BiLSTM, Transformer, robustness, ISCX VPN-nonVPN 2016

Abstract

End-to-end encryption is now the default for major Internet applications, reducing the effectiveness of payload-based deep packet inspection for security monitoring and traffic engineering. This paper evaluates payload-agnostic encrypted traffic analysis using only time-based bidirectional flow statistics derived from packet headers. We study the ISCX VPN-nonVPN 2016 dataset (60 s flow timeout) and conduct two supervised tasks: (i) Scenario A1 binary VPN detection and (ii) Scenario A2 14-class VPN-service identification across seven applications captured under VPN and non-VPN conditions. Because the released dataset provides engineered flow feature vectors rather than packet sequences, we introduce a structured tokenization that maps the 23 time-based features into a 6×4 token matrix capturing rate, inter-arrival, and burst/idle dynamics. On this representation we compare a 1D convolutional neural network (1D-CNN), a bidirectional LSTM (BiLSTM), and a Transformer encoder, and we report Accuracy, Macro-F1, ROC-AUC, and PR-AUC under a fixed 70/15/15 split (seed=42) with class-weighted cross-entropy and early stopping. On A1, the best model is an MLP baseline (Macro-F1=0.716), while the 1D-CNN achieves Macro-F1=0.689 with ROC-AUC=0.751. On the more challenging A2 task, the MLP reaches Macro-F1=0.389 and the 1D-CNN reaches Macro-F1=0.346. Feature-group masking ablations show that ACTIVE and FLOWIAT-related timing statistics contribute most to A2 performance, and a token-length study shows monotonic gains up to the full 6-token representation. Finally, cross-domain robustness tests (train on non-VPN flows, test on VPN flows, and vice versa) reveal large performance degradation (Macro-F1≈0.12–0.34), highlighting the need to evaluate encrypted traffic models under realistic tunneling shifts.
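
An added sketch of the tokenization, feature-group masking and token-length truncation the abstract describes; it is not the authors' code. The grouping of the 23 columns into six 4-wide tokens, the column names, the zero padding and the log scaling are assumptions, since this page does not give the paper's layout.

```python
import math

PAD = 0.0          # assumed filler for the one unused slot (6 x 4 = 24 > 23)
TOKEN_WIDTH = 4

# Assumed grouping and column names; the paper's actual layout is not on this page.
TOKEN_LAYOUT = {
    "RATE":    ["duration", "flowPktsPerSecond", "flowBytesPerSecond"],
    "FIAT":    ["total_fiat", "min_fiat", "max_fiat", "mean_fiat"],
    "BIAT":    ["total_biat", "min_biat", "max_biat", "mean_biat"],
    "FLOWIAT": ["min_flowiat", "max_flowiat", "mean_flowiat", "std_flowiat"],
    "ACTIVE":  ["min_active", "mean_active", "max_active", "std_active"],
    "IDLE":    ["min_idle", "mean_idle", "max_idle", "std_idle"],
}
ALL_COLUMNS = [c for cols in TOKEN_LAYOUT.values() for c in cols]

def squash(x):
    """Signed log1p: compresses heavy-tailed timing values and keeps the sign."""
    return math.copysign(math.log1p(abs(x)), x)

def tokenize(flow, masked_groups=(), n_tokens=None):
    """Map one flow record (dict of column -> value) to a list of 4-wide tokens.

    masked_groups: token names blanked to PAD, as in a feature-group ablation.
    n_tokens: keep only the first n tokens, as in a token-length study.
    A missing column raises KeyError rather than being silently padded.
    """
    matrix = []
    for group in list(TOKEN_LAYOUT)[:n_tokens]:
        if group in masked_groups:
            row = [PAD] * TOKEN_WIDTH
        else:
            row = [squash(float(flow[c])) for c in TOKEN_LAYOUT[group]]
            row += [PAD] * (TOKEN_WIDTH - len(row))
        matrix.append(row)
    return matrix

# Constructed sample record (values 1..23), not taken from the dataset.
SAMPLE_FLOW = {name: float(i + 1) for i, name in enumerate(ALL_COLUMNS)}

if __name__ == "__main__":
    for name, row in zip(TOKEN_LAYOUT, tokenize(SAMPLE_FLOW, masked_groups=("ACTIVE",))):
        print(f"{name:8s}", [round(v, 3) for v in row])
```

Each row can then be fed to a sequence model as one token of dimension 4.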

Published

2023-08-12

How to Cite

Meng-Ju Kuo, Boning Zhang, & Haozhe Wang. (2023). Tokenized Flow-Statistics Encrypted Traffic Analysis: Comparative Evaluation of 1D-CNN, BiLSTM, and Transformer on ISCX VPN-nonVPN 2016 (A1+A2, 60 s). Journal of Advanced Computing Systems, 3(8), 39-53. https://doi.org/10.69987/JACS.2023.30804
