SharpEye: Identify mKCP Camouflage Traffic through Feature Optimization

As a new self-developed protocol of V2Ray, mKCP disguises users' network access as communication of four network applications by forging application layer headers to evade traffic-based detection. The emergence of mKCP has received widespread attention. Whether mKCP can provide secure network access that protects user privacy is the focus. Traditional methods cannot identify mKCP camouflage traffic, but machine learning (ML)-based traffic identification is considered a promising direction. Unlike the previous network traffic classification, mKCP camouflage traffic identification introduces new challenges. First, existing work has neither published any dataset containing mKCP camouflage traffic nor designed specific traffic features. Second, no researchers have optimized the identification scheme for deployment on network devices. Aiming at the shortcomings, we propose SharpEye, an ML-based mKCP camouflage traffic identification scheme. The novelty of our work lies in three points. Firstly, a complete dataset containing mKCP camouflage traffic is constructed through long-term traffic collection. Secondly, by analyzing the communication patterns of mKCP traffic, a feature set mFS is designed to improve identification accuracy. Finally, a two-stage feature selection method mGBFS is proposed to improve the operation efficiency. The experimental results show that mFS can enhance the performance of classifiers in identifying mKCP camouflage traffic, and mGBFS reduces the running time and overhead while ensuring high accuracy. Therefore, SharpEye achieves accurate and efficient mKCP camouflage traffic identification.