Procedures, Criteria, and Machine Learning Techniques for Network Traffic Classification: A Survey

Traffic classification is considered an important research area due to the increasing demand in network users. It not only effectively improve the network service identifications and security issues of the traffic network, but also provide robust accuracy and efficiency in different Internet application behaviors and patterns. Several traffic classification techniques have been proposed and applied successfully in recent years. However, the existing literature lack of comprehensive survey which could provide an overview and analysis towards the recent developments in network traffic classification. To this end, this survey presents a comprehensive investigation on traffic classification techniques by carefully reviewing existing methods from a new perspective. We comprehensively discuss the procedures and datasets for traffic classification. Additionally, traffic criteria are proposed, which could be beneficial to assess the effectiveness of the developed classification algorithm. Then, the traffic classification techniques are discussed in detail. Then, we thoroughly discussed the machine learning (ML) methods for traffic classification. For researcher’s convenience, we present the traffic obfuscation techniques, which could be helpful for designing a better classifier. Finally, key findings and open research challenges for network traffic classification are identified along with recommendations for future research directions. In sum, this survey fills the gap of existing surveys and summarizes the latest research developments in traffic classification.

longer time to detect various kind of flows [8]. As Roughan et al. presented a signal based method for the IP traffic classification. They used various techniques such as nearest neighboring technique, linear discriminate analysis and quadratic discriminate analysis to map the applications and determine the quality of services (QoS) of traffic classes [9]. Datir et al. provided the essential parameters for obtaining sustainable smart cities, which are flowing throughout the network. They discussed various hybrid traffic classification approaches which are used in the intrusion detection system. These hybrid classifiers maybe in the form of any classifiers as Naive Bayes, SVM, K-means clustering, etc. [10], and indicated that various applications uses random type of port numbers in order to prevent them from the network attack or other malicious activity [11]. Ren et al. presented an elman neural network based on learning rate framework. They aimed to solve prediction issue at discrete time sequence [12].
For application based patterns without using packet load inspections, several network traffic classification works have been presented. It enhances the integration of different objects such as nodes and sensors, which are required to engage IoT network traffic which is different from other networks [13]. Similarly, Finsterbusch et al. revealed that the network traffic classification becomes the famous topic of the Internet at all stages [14]. Several new traffic classification schemes have been presented for addressing different characteristics and features such as packet arrival time and packet length, etc. [15].
Traffic classification receives significant attention from the research community. Several surveys have been conducted to address and review existing challenges, solutions and applications of traffic classification and identification. Different reviews focuses on different classification methods such as Nguyen and Armitage [3] presented a survey on traffic classification using ML-based technique. They discussed the various ML methods and IP traffic classifications and reviewed different ML methods from 2004 to 2007. It also reviewed and discussed the requirements for various MLbased classifiers. Chapaneri and Shah [16] reviewed various intrusion detection based ML techniques up to 2018. They also discussed the issues related to traditional and network intrusion datasets and outlined the open research challenges and future research directions of ML-based intrusion detection systems. Similarly, García-Teodoro et al. [17] mainly reviewed most popular anomaly intrusion detection techniques. They also outlined main research challenges and procedures for deploying the intrusion detection system. Callado et al. [18] reviewed the main techniques and issues of IP traffic and analyzed the traffic in terms of packet and flowbased categories and then outline their advantages. It also discussed the sampling and matching mechanism of signature and outlined the open research challenges of traffic analysis and application detection. Bhatia and Rai [19] launched a survey on peer-to-peer (P2P) traffic, in which they discussed the different strategies to determine P2P traffic. They also presented the analysis of traffic network measurement and monitoring.
Moreover, Buczak and Guven [20] summarized the research works related to the cyber security of ML and data mining (DM) techniques up to 2016 and outlined the open research challenges for deploying ML and DM techniques for cyber security applications. Dainotti et al. [21] reviewed the recent works on the traffic classification. They also discussed the various challenges that were faced by the researchers over ten years and recommended some strategies to overcome these challenges and improve the performance of the traffic classification method. Alsheikh et al. [22] presented a survey on the ML based technique for wireless network. Firstly, they presented a literature review on the ML-based techniques in wireless and other networks. Then, they addressed the merits and demerits of each algorithm and outlined the open research challenges for employing ML based techniques in wireless networks. Shafiq et al. [2] summarized the recent traffic classification methods for sustainable smart cities. They also outlined the open research challenges and proposed recommendations for traffic classification by considering the dataset features. Velan et al. [23] mainly reviewed existing techniques for traffic classification and analyzed the encryption protocols through the Internet. They also discussed a payload approach and feature based classification technique based on reviewing taxonomy. Gomes et al. [24] reviewed the peer-to-peer mechanism of traffic classification and detection techniques. They also discussed the detailed network analysis of traffic monitoring schemes. Pacheco et al. [25] summarized the steps to obtain the traffic classification using ML schemes. They also discussed the open research challenges and future research directions and summarized the research aim to improve the QoS and the operator network. Tahaei et al. [26] presented a survey on the traffic classification in the IoT network. They discussed the deployment of IoT traffic classification in real-world applications and the open research challenges in this domain.
The traffic classification and identification play significant roles to develop a better sustainable smart cities by deploying a better network management system and improving network security of the whole network. [27]. In this paper, we carry out a comprehensive review of published papers that provides various solutions for traffic classifications. The purpose of this survey is to elucidate the roadmap for those who want to do research in the traffic classification area. This survey not only discusses ML methods for traffic classification but it also discusses the traffic classification procedures and performance criteria. In particular, this survey focuses on the traffic classification techniques and the ML methods for Internet traffic classification. We classify classification techniques into four categories such as port based classification, payload based classification, statistical based classification, and behavior based classification. We discuss the datasets for traffic classification of network-based anomaly detection in detail. These datasets could be used to evaluate the efficiency of the developed algorithms before applying them in real applications. We present the traffic classification criteria to evaluate the effectiveness of existing classification algorithms. For researcher's convenience, we present the traffic obfuscation techniques which could help them to design and develop a robust classifier, and to protect the user privacy. In the end, we outline key findings, open research challenges, and recommendations for future research directions on traffic classification. By comparing with previous surveys, we summarize the contribution of this paper as follows:  We discuss the comprehensive literature review on the recent state-of-the-art of traffic classification methods. This literature provides useful information to the researchers and practitioners who intend to apply traffic classification in the application context.
 We comprehensively discuss the process of traffic classification, which consists of traffic datasets, features selection and extraction, and the decision and validation process. The datasets for Internet traffic classification are presented. These datasets could be helpful to assess the effectiveness of developed algorithms before applying them practically.
 We present the traffic classification criteria which can be used to assess the effectiveness of classification algorithms. It consists of effectiveness and performance criteria's. The existing traffic classification techniques are also discussed in detail.
 We comprehensively discuss the ML methods for traffic classification. We summarize the traffic classification methods and its features and applications for the convenience of other researchers and practitioners.
 We thoroughly discuss the traffic obfuscation techniques, which could be helpful for designing a better classifier.
 We discuss the key findings and various open challenges and identify issues for future research directions. These challenges reveal some useful insights that help researchers to tackle issues when employing traffic classification algorithms.
The rest of this survey is organized as follows. Section 2 discusses the procedures for traffic classification, which consists datasets for traffic classification, and extraction and selection features. Section 3 presents the criteria for traffic classification. Section 4 introduces various traffic classification techniques. Section 5 presents the ML techniques for traffic classifications. Section 6 presents traffic classification obfuscation techniques. Section 7 presents the key findings, limitations, and recommendations for employing traffic classification. Finally, Section 8 concludes the study.

II. PROCEDURES FOR TRAFFIC CLASSIFICATION
This section discusses the traffic classification process as illustrated in Figure 1. Traditional traffic network could be used as an input to establish a dataset for feature selection processing. Next, the feature extraction and selection plays a key role for traffic classification due to its effectiveness on the performance of the traffic classification. Third, the decision process (DP) could identify the class of traffic classification using the ML techniques. Finally, the validation process (VP) is used to verify the results of traffic classification by determine the accuracy of classification.

A. DATASETS FOR TRAFFIC CLASSIFICATION
Datasets play a crucial role to assess the effectiveness and reliability of a developed algorithm. For instance, the effectiveness of Vehicular-ad-hoc-Network (VANET) and intrusion detection system (IDS) could be assessed by detecting attacks inside and outside of the network. Therefore, it requires complete datasets that consists of normal and abnormal behaviors. As the behavior and patterns of the network changes rapidly, a reliable dataset could provide an efficient mechanism to detect the traffic classification model in a real scenario.
Various numbers of datasets are available to test and evaluate different algorithms in the cybersecurity research domain. In Reference [28], Bhuyan et al. discussed various datasets for cybersecurity research which are further categorized into three parts: real datasets, benchmark, and synthetic datasets. Synthetic datasets could be generated to address specific scenario and conditions [29]. It is also used in developing and testing various algorithms in a real-time environment.
In large traffic networks, a benchmark datasets are generated based on algorithm simulation. The simulation of different attack situations in the traffic network could be performed while the benchmark dataset is developed. The real-life datasets are usually formed by collecting traffics within specific time period. It consists of normal (nonincident) and abnormal (incident) features. Figure 2 discusses the various datasets for traffic classification in the IoT and other networks. These datasets are used to evaluate the performance of their algorithms. The technical details of the dataset are discussed below and are shown in Table 1.

1) NETFLOW DATA
The NetFlow dataset could be collected through the network switch or router as tracing the entry and exit of traffic flow can be easier at the network switch. Shafiq et al. [2] reported that Cisco NetFlow is considered as a unilateral packet sequence that has various features such as input port, output port, IP protocols and IP type, etc. The NetFlow data have two versions: compressed and processed version of the packet network. The architecture of NetFlow consists of various components such as collector, console, and exporter.

2) UNIBS TRAFFIC DATA
UNIBS is one of the most common datasets of traffic classification. It is developed by Prof. Gringoli and his team [29]. They collected traces using edge router at campus of the University of Berscia for three days. Then, they collected the data traffic using Tcpdump using malfunctioning router which is linked with the uplink of 100 Mps [30].

3) ISCX UNB DATASET
The ISCX dataset is developed using the concept of intrusion description and abstract details for various applications, protocols, and entities in the low-class network [26]. McHugh [31] collected data by using two different profiles such as α and β profiles. These profiles were used to form a new dataset in packet and bidirectional formats. α profile represents the abnormal or malicious behavior and β represents normal behavior performed by the network node. The dataset comprises of various network attacks, such as Botnet, DDoS, eavesdropping, Internet attack, etc.

4) PACKET DATASET
The applications are commonly used by researchers to generate network packet. Traces can capture packets that are transmitted and received using Libpcap and WinPCap at the physical interface [20]. In Reference [32], Jacobson et al revealed that the most reliable applications to generate packet are commonly used in windows and tcpdum. An Ethernet frame named as Ethernet header (i.e., MAC) at physical layer of hundreds of payload bytes. In Reference [20], Buczak and Guven revealed that the internet protocol of the payload could trace the packet using pcap interface.

5) UNSW-NB15 DATASET
The UNSW-NB15 dataset is developed by the Cyber Range Lab in Australia using IXIA PerfectStorm tool [26]. It consists of 100-GB raw data collected from the traffic network using tcpdump tool. More than 2.5 million raw data are segmented into different pcap files to analyze data record. The dataset with normal and abnormal (attacks or malicious) instances consists of training and testing parts, more than 175,000 and 82,000 records are found in the training and testing dataset, respectively [33], [34]. The UNSW-NB15 consists of various types of network attacks such as DoS, Worms, Generic, etc. along with features groups [34].

6) KDD99 DATASET
The KDDCup99 dataset was developed by the DARPA985-IDS in 1999 [35], [36]. The KDDCup 99 training dataset consists of over 4.9 million instances, in which normal and abnormal (attacks) are highlighted in 41 features. Also, it consists of 24 kinds of different types of attacks such as DoS, user to root, remote to local [37]. The testing dataset consists of more than 0.3 million samples. This dataset have been significantly applied to detect malicious behavior of traffic classification in the IoT network [38]. Reference [20], investigated whether the KDD could be used to extract useful information to obtain previous information. However, the This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and content may change prior to final publication. In Reference [39], Awid presented the NSLKDD dataset to overcome the imbalance issue of the KDD dataset. The author vanished the duplicate records of each instances, and resampled selected instances to highlight non-linear distributed issues. Reference [40] discussed that the KDD shows the entire process for obtaining information by input traffic data. They indicated that DM identified the particular part in the KDD process and data obtained from models. Tavallaee et al. [41] introduced the NSLKDD dataset to overcome various issues highlighted by Reference [33].

7) NBIOT DATASET
This dataset provides a botnet dataset for traffic classification in the IoT network. It comprises of over 7.06 million instances obtained from the real traffic dataset. It contains malicious instances which are divided into ten attacks and are executed by two botnets: Bashlite and Mirai botnet [26], [42]. The bashlite dataset consists of flooding, TCP/UDP, junk, etc. The mirai attacks consist of scan, syn, udp plain, and udp flooding [26]. Wireshark was used to record the traffic data using the traffic routers connected over the Wi-Fi network [43].

8) UTSC DATASET
The UTSC dataset is developed using two parts. One consists of various malware traffic from real-world traffic network instances from 2011 to 2015 by CTU researchers [44]. In UTSC dataset, the malware traffic dataset consists of various types such as Htbot, Miuref, Shifu, etc. The second dataset consists of ten different types of normal traffic obtained from simulating traffic network using IXIABPS [26]. The total size of the UTSC dataset is over 3.7 GB in pcap file. It consists of total 0.75 million records, at which malware data consist of over 0.4 million.

9) AUCKLAND DATASET
The Auckland II traffic dataset is commonly used for identifying traffic classification due to its accuracy. Auckland traffic data is obtained from GPS traces using DAG2 at the University of Auckland [45]. It consists of 85 traffic trace files which are collected from November 1999 to July 2000 [2].
To trace Auckland II dataset, a group of researchers from University of Auckland used the DAG3.2E card of 100 Mbps. They aim to identify and trace traffic at the router which is placed at border of University firewall. Nevertheless, the port numbers could identify the application type traces [2]. Peng et al. [46] used Auckland dataset to demonstrate the performance of their traffic classification model. Firstly, they gathered 8 types of applications obtain from traffic traces of Auckland dataset. Second, Peng et al. performed filtering on the traffic flow using different non-zeros packets to obtain traffic classification.

10) AWID DATASET
An Aegan Wi-Fi Intrusion dataset (AWID) comprises of traces data from the dedicated network 802.11 using a SOHO network in the Physic Research Lab [47]. This dataset consists of normal and abnormal instances, and some instances records were used for training and testing of dataset. The size of AWID dataset is around 935 MB that contain total of 1.795 million instances, in which over 1.63 million instances are normal traffic and over 0.16 million instances are abnormal traffic [26]. Reference [47] collected a dataset by running for one hour with attacks that last for only 15 minutes. Moreover, the number of attack instances in the training and testing dataset is about 162385 and 44858, respectively. The types of attack in AWID consists of impersonate, injection, and flooding.

11) CICIDS 2017
The CICIDS2017 dataset consists of the results of traffic network analysis using traffic label flows which are based on source and destination ports, Internet protocols, and time stamp. It also consists of various updated attacks, which are similar to real-world data (PCAPs) [48]. The Canadian Institute for Cybersecurity captured the data for about 5 days, from July 3, 2017, to July 7, 2017. They implemented various kinds of attacks such as DDoS, Web Attacks, Botnet, etc. in the data [48]. The CICIDS2017 dataset contains significant numbers of features and traffic, which could be used to detect anomalies [49].

B. EXTRACTION AND SELECTION OF FEATURES IN TRAFFIC CLASSIFICATION
The extraction and selection of features (ESF) plays a significant role in network traffic classification and identification. Without them, it is very difficult to identify and classify various classes in the traffic network. The selected features are directly related to the effectiveness of the traffic classification algorithms. Also, the number of extracted features could also affect the performance of traffic classification in terms of speed of classification and identification. Therefore, it is necessary to understand the concept of the ESF which could reduce the dimension of data and to develop the relationship between different features. The ESF method can be further classified into different types, such as filtering, wrapping, and embedding [50].
Recently, a few studies have adopted various learningbased techniques to improve the performance of traffic identification [2]. These methods could accurately identify traffic using different datasets in various traffic networks. However, researchers and practitioners could face imbalance traffic issues for classifying traffic in network identification. An imbalance class of traffic classification remains a critical issue in traffic identification. To overcome this problem, researchers from Electronics and Communication Technology background proposed various solutions in which the ESF plays a major role for identifying the traffic identification. Wasikowski and Chen [51] developed the various methods for traffic classification and then analyzed and compared with different metrics in terms of imbalance class issue. They also introduced various features such as signal noise and feature assessment in order to manage imbalance class of traffic classification. Similarly, Lim et al. [52] examined the features and selection for class distributions of traffic identification. Also, Peng et al. [46] investigated different features, which were used to evaluate traffic classification at the initial stage. They examined that the early features of traffic classification could obtain a large amount of packets at beginning stage of obtaining traffic identification. Moore et al. [53] introduced attribute selection algorithm for traffic classification. Moore et al. extracted different types of 248 statistical features based on traffic flow, and evaluated them in terms of network packet size and statistical features. These features could lead to obtain a better traffic classification results. Bernaille et al. [54] discussed the issues of the feature selections and considered packet size as a feature. They extracted various attributes from the packets and applied various models such as HMM and GMM to identify the traffic network [55].
Note that, one of the most important tasks in traffic classification is feature extraction by using the trace analysis. Recently, learning-based methods have been used to obtain the feature selection in traffic classifications. In this regard, Ding et al. [56] discussed the procedures for extracting features such as linear and non-linear features in detail. Also, Bennasar et al. [57] presented various non-linear techniques for extracting a better features for traffic classification. These techniques could provide a better features selection as compared to other methods. Zhang et al. [58] investigated the issues of the feature selection for traffic classifications. They developed a feature algorithm using a weighted symmetrical uncertainty (WSU) method and then select the stable features to identify the best feature using the WSU technique. Similarly, Chen et al. [59] revealed that the feature extraction could be used to obtain accurate network traffic classifications based on the time and location of features.

C. DECISION PROCESS (DP)
The DP plays an important role for obtaining the traffic classification. It relies on the extracting and selecting feature of traffic classification by employing ML algorithms or pattern matching technique. The ML algorithms are widely used for obtaining traffic classification and details of these algorithm can be found in Section 6. While the pattern matching (PM) is depend on the number of designated packets. The string matching algorithm could be used to compare with the string library in order to classify and identify traffic. However, the PM requires a larger computational time when processing the complex library and services.

D. VALIDATION PROCESS (VP)
The VP tests the outcomes of the previous traffic classification in order to determine the accuracy of traffic classification algorithms. To accomplish this task, first, we compare the values which are obtained from the original data with the experimental results. As a result, we can obtain the accuracy of the traffic classification method. Obtaining the collection of various categories within the original dataset remains a challenging issue. The ground truth collection method is widely used for labelling the traffic using the port collection and DPI tool. However, these methods could provide unreliable information and consume a large computational timing to process traffic labels. To overcome these issues, a new collection method based on heuristic analysis has been developed [60]. Employing these approaches could be beneficial in terms of the reliability of collecting data, but they are vulnerable to the larger traffic loads.

III. TRAFFIC CLASSIFICATION CRITERIA
This section discusses the various eligibility criteria's for obtaining a traffic classification and how to determine its effectiveness. Traffic classification criteria can be accomplished based on the classification effectiveness and classification performance as illustrated in Figure 3.

1) INFORMATION GRANULARITY
Information granularity (IG) plays a key role in determining the effectiveness of classification criteria's. The information obtained from granularity is depend on the type of granularity. The granularity could provide a better classification and the information obtained from the granularity is more reliable, accurate, and also provides enhanced data access. The traffic can be classified with different requirements as per the distinct criteria.

2) ONLINE CLASSIFICATION
An online classification (OC) could be used to assess the traffic classification algorithms in terms of real-time evaluation. The traffic network can update on the regular interval which enables the traffic classification methods to classify and identify the traffic online. Since the classification of the traffic network is online, therefore, it plays a key role for improving the network performance and detecting the malicious traffic nodes and activities. This can be accomplished by identifying the traffic class and category in a short period of time.

3) DETERMINE UNKNOWN APPLICATIONS
The traffic classification algorithms are commonly used to classify and identify label traffic within the training dataset, and to detect various new applications within data. Detecting new applications can be further divided into various types known categories. When the traffic network environment is constantly changed and updated then the likelihood of appearing unknown traffic flow is higher. Therefore, it is essential to accurately identify and classify the unknown traffic which could lead to identify malicious traffic node and enhance the overall performance of the network.

4) ROBUSTNESS
The aim of traffic classification algorithms is to obtain a stable and reliable performance in a rapidly changing traffic network. It can provide a better classification accuracy by overcoming the various network issues such as packet delay, traffic loss, etc. Therefore, determine the robustness criteria plays an important role prior to designing and implementing the classification algorithms. Note that, the robustness of traffic classification can evaluate in terms of determining the universal features and whether the designed classification algorithm can provide a reliable performance in different traffic network.

B. TRAFFIC CLASSIFICATION PERFORMANCE
There are various criteria's which could be used to assess the effectiveness of the traffic classification methods. Researchers could use different performance metrics such as such as false positive, false negative, accuracy, etc., to measure the performance. This survey focuses on the identifying the accuracy criteria's for obtaining traffic classification methods.

1) TRAFFIC CLASS ACCURACY
The class accuracy (CA) directly related to traffic classification accuracy in terms of individual class. For instance, when the algorithm divides the network traffic into various categories such as HTTP, SMTP, etc., then the accuracy of these methods determine separately, which makes it more efficient to determine which traffic class is sensitive to the classification technique. The CA could be beneficial to identify merits and demerits of the classification algorithm.

2) BYTE ACCURACY
The byte accuracy indicates the number of bytes are correctly classify into the training dataset. It plays an important role when the dataset are imbalanced because the bytes are generated by the mice flows in the Internet. If the generated bytes by the smaller numbers of traffic flows which could be useful for a large portion of the dataset [61].

3) OVERALL ACCURACY
The overall accuracy is used to determine the number of instances which are accurately classified in the samples of training dataset.

4) FLOW ACCURACY
The flow accuracy employs in algorithms to identify and classify traffic flow such as correlation-based methods.

IV. TRAFFIC CLASSIFICATION TECHNIQUE
Traffic identification and network classification provide significant improvements to enhance the QoS and network security, and network traffic management. Exacting traffic identification can enhance network environment, network monitoring and network security. Network traffic operators and service providers can control the network performance, maintain and manage network resources. Also, service providers can find network growth and manage available network resources for applying on specific applications [2]. Figure 4 shows the various traffic classification techniques. The encrypted traffic classification is crucial for network security and is widely used to ensure data and network security. It also provides various technical support to improve QoS [62]. However, encryption techniques can make the detection of abnormal traffic even more difficult [63]. The significant increase in encrypted network traffic could limit the effectiveness of traffic classification techniques because the packet inspection techniques are unable to obtain the network information from the network traffic. For instance, most of the Internet traffic is associated with P2P applications, but the classification of the P2P traffic remains a complex task [26].
Hurley et al. [64] proposed the application growth of traffic day. The P2P applications consumes a large amount of bandwidth due to the bidirectional traffic flows. Moreover, different other application such as HTTP, FTP, etc. can consume large amount of bandwidth in the network. ISP also facing many challenges to provide efficient services to their customers. Such challenges are broadband quality, customer services, upstream bandwidth, etc. Mohammadi et al. [65] proposed a hybrid scheme to classify P2P traffic in IP network using genetic algorithms and neural networks. They showed that the P2P applications occupy 60% of the total available bandwidth. However, it's difficult for ISPs to achieve QoS and implement the network security and intrusion detection system for every traffic within the network. In particular, traditional traffic classification discussed the classification problems and identification of various applications to ensure network security from different perspectives. Generally, the IP based traffic classification consists of various inspection packets of TCP or UDP ports numbers, which indicates that these packets are either a port-based or a payload classification. Schulze and Mochalski [66] launched a survey on network traffic management worldwide. The P2P application can produce a more network traffic as compared with the other network applications such as online streaming, online gaming, messaging services, etc. The authors revealed that the web traffic gain significant attention due to access of social networking websites and file sharing policy. The process of the traffic classification techniques are highlighted in Figure 5.

A. PORT BASED TRAFFIC CLASSIFICATION
Port-based classification (PBC) is one of the commonly used technique for traffic classification associated with port number to applications [26], [67]. PBC examines the packet header and matching its inspection with TCP and UDP port number for register an application on the Internet. TCP and UDP generate the multiple flow connection using port numbers between public IP endpoints. The classification is to use wellreputed web traffic associated with TCP port 80. As this technique only checks the packet headers, it is fast when applying a light complexity calculation.
The port based technique plays a very important role to classify and identify network application in a huge traffic network. Nevertheless, it requires dynamic port number such as Napster, P2P, etc. [11]. The real video streamer port was developed for data transfer. However, Moore and Papagiannaki [68] revealed that the real video port does not get over 70% of port-based traffic identification and may not be able to provide a better classification accuracy.
Application developers become more intelligent to protect their applications from detecting system [26]. The latest advancement in the network technology provides access to usage of nonstandard applications. It allocates dynamic port number that deteriorate the performance of classification and makes its less productive for different applications. In such cases, the classifier causes numerous amount of false negative results. Also, some of the applications hide themselves behind well-reputed ports such as illegal applications use HTTP traffic over TCP port 80. As a result, the applications may be untraceable, which results in false positive rates of classifiers [26].

B. PAYLOAD BASED TRAFFIC CLASSIFICATION
Payload based traffic classification is also known as deep packet inspection (DPI). The packet and characteristics of network applications are analyzed signature features and applications of network traffic [2]. The DPI is especially designed for P2P applications of traffic classification used as dynamic numbers. Several methods have been proposed that studied an analyzing signature traffic, which can reduce 5% false-positive and false-negative for P2P traffic [11], [69]. Moore and Papagiannaki [68] proposed a hybrid method that utilized payload and port based methods to identify various network applications. Firstly, they used the classification number to determine the network flow. Then, they examined whether network flow contains signature or not. The proposed method classify 69% of internet traffic, and it obtained 79% of classification accuracy. This technique is not reliable for traffic classification due to its equipment cost for checking payload patterns. The intrusion detection systems are commonly used for payload classification for identifying malicious activity. The false-positive and false-negative results can be minimized by applying the payload classification to approximately 5% [69]. Liu et al. [70] proposed a method for mobile traffic classification using the extended labeled data (ELD). First, different traffic identification tasks were performed by SeverTag, payload distribution inspection and Random Forest. Then, ELD was used to identify mobile traffic using the encrypted payload. Yang et al. [71] proposed a payload based classification model that uses the concepts of handshake packets to classify encrypted traffic. They used the Bayesian neural network based classifier to process handshake packets as inputs. Then, they used them to classify encrypted traffic. The authors claimed that the proposed model outperforms other traditional payload based classifiers.
Still, the payload based classification techniques have several demerits. It is difficult to examine encrypted packet contents at payload based classification technique. The packet evaluation with encrypted contents becomes very complex using payload based classification and most of traffic remains unable to classify [72]. Finsterbush et al. [14] launched a survey on payload based traffic classification techniques. The author discussed the performance of various DPI open-sources solutions such as OpenDPI, Hippie, and Libprotoident. The OpenDPI and Hippie are able to classify different protocols such as HTTP, SIP, and Oscar with 100% accuracy due to unencrypted traffic. Moore and Zuev [73] revealed that the payload based traffic classification is unable to accurately recognize traffic type and conditions due to variation in payload signatures.
In the payload classification, network privacy and regulations remain a critical issue. Nevertheless, the packets contents in the payload approach is examined thoroughly using a payload-based technique, which results in violation of regulations and privacy policies. Also, the payload technique is very complex and computationally expensive. The payload classification has several advantages over the port-based method, but it is still unable to perform better performance on high speed networks.

C. STATISTICAL BASED TRAFFIC CLASSIFICATION
The statistical-based classification is also known as the rational-based classification technique. This technique applies flow level measurement to identify the statistical features of traffic [74]. The packet arrival time, packet lengths, and traffic flow idle time are examples of statistical traffic [74]. They are useful for network classification and identification for differentiating application types in the network. In the statistical technique, the classifier uses ML and DM techniques to deal with various traffic patterns obtained from large datasets, causing a higher computational cost. The statistical classification relies on the flow information, and its effectiveness depends on the features extracted from the flow [26]. The statistical classification can overcome the limitations of payload techniques since they do not rely on network packets inspection contents. Therefore, it allows efficient classification of encrypted traffic [72]. The accuracy of statistical based classification can be improved by identifying the best features from feature extraction and selection techniques and trying to train and classify datasets using various ML methods. Several methods related to encrypted traffic classification have been proposed in recent years. Alshammari et al. [75] presented a method for the identification of VoIP encrypted traffic using the ML method. First, they applied different ML methods such as C5.0, AdaBoost, and Genetic programming to generate signatures for identifying encrypted traffic. The results show that the proposed method could significantly improve the performance of VoIP encrypted traffic. Muliukha et al. [76] proposed a method for classifying encrypted traffic using the ML technique. They classified the traffic generated from technical virtual connections and VPN traffic. In VPN traffic, they considered IP address, total number of packets, port to classify the traffic. They tested the classification of these technologies using the random forest algorithm. Obaidy et al. [77] proposed an encrypted traffic classification model based on ML methods for identifying social media applications such as Skype, WhatsApp, etc. First, they collected the data using Wireshark from end-user machines to generate the traffic for social media applications. Then, they used the feature selection based on the Wireshark tool to select 14 bidirectional traffic for obtaining better classification accuracy.

D. BEHAVIORAL BASED TRAFFIC CLASSIFICATION
Behavioral traffic classification is generally considered to analyze traffic pattern such as traffic volume, traffic shape, pick load, etc. [26]. Al khater and Overill [72] revealed the type of application running on the host. In the past, a few research works used experimental information, in which the numbers of distinct ports and protocols of transport layers were used to analyze the pattern of network traffic [11], [78]. Jin et al. [79]    This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and content may change prior to final publication. This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and content may change prior to final publication.  This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and content may change prior to final publication.

V. MACHINE-LEARNING METHODS FOR TRAFFIC CLASSIFICATION
Different ML methods could be used for intrusion traffic classification and identification. Methods for identifying traffic classifications using ML-based methods are illustrated in Figure 6. Table 2 shows the summary of traffic classification methods and their features and applications.

A. BAYESIAN NETWORK
Bayesian network is used to highlight the variables along with their relationships as Probabilistic Graphical Model (GM) [128]. The network design consists of continuous or discrete variable nodes, and the edges of the network demonstrates the connection between these nodes [2]. Buczak and Guven [20] showed the small network nodes relies on the big node, in which each node stay at their random variable position and then conditional probability form. Maeda [129] proposed a ML-based technique for traffic classification. It achieves a robust performance and accuracy without using application information. Auld et al. used traffic feature that are derived from packet content in order to obtain a better classifications. They demonstrated that the accuracy for traffic classification is better than Naive Bayes technique, and it could classify traffic flow about 99% and 95% of accuracy in testing and testing dataset, respectively. Gao et al. [85] introduced an intrusion detection system using ML method. Gao et al. employed the DARPA 1999 dataset using TCP/IP packets and define a set of attributes in their proposed method. They used a different threshold value to obtain a better classification accuracy.

B. NAIVE BAYES
Naive Bayes are the robust classification technique used as a ML-based classifier [130]. As it relies on Bayes Network theorem, it is not very difficult to develop large dataset for traffic classifications. And, the Naive Bayes is reliable and efficient technique for solving complex traffic identification and classifications. Naive Bayes approach has various classifiers which could be used to use attributes in precise network class. Reference [131] studied various traffic classification technique such as ML classifiers. Several MLbased technique have been used to obtain a better traffic classifications. The results obtained from simulation shows that the Naive Bayes could obtain a better traffic classification and identifications in any traffic network [2].
Shafiq et al. [86] discussed the number of packets that are used at early stage for identifying and classifying traffic classifications. Firstly, they used the different type of packet size for extract the information. Then, they perform the mutual analysis to recognize the common connection among the data packets. Secondly, they used various ML-based technique with crossover identification method. Then, they performed various test to test and identify the packets that could be used for obtaining traffic identification and classification at early This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3181135 stage. They used two different dataset at early stage of network classification and compare them to obtain a better performance of the proposed system. Moore and Zuev [87] presented supervised ML-based Naive Bayes technique to categorize and classify Internet traffic classification in terms using various applications. They used the traffic flow dataset which are manually classified to obtain a better evaluation. There are 248 full features were applied to train the classifier. Secondly, the selected traffic are used for Internet applications that are formed into various groups for obtaining traffic classifications.

C. DECISION TREE
The decision tree technique is a category of supervised MLbased algorithms. It could accept input and output variables in the form of continuous and categorical types. The decision tree consists of many leaves that has several branches, at which you can represent traffic classifications. There are two ways to build the decision tree such as C4.5 [132] and ID3 [133] MLbased classifiers. These tree algorithms were designed on the decision tree using the training dataset by applying the entropy concept.
The decision tree consists of two types such continuous variable and categorical variable [2]. These terminologies are connected to decision trees in terms of root node, splitting, terminal node, and decision node, etc. The decision tree technique is used to determine the relationship among variables and form new variables, which could identify and classify the target variable efficiently. The decision tree requires less amount of traffic dataset, and it can apply in numerical and categorical variables [2].
Park et al. [88] presented a feature selection approach that relies on a Genetic algorithm for obtaining traffic classification. The authors tested and demonstrated the efficiency of the proposed method using three different classifiers such as Decision Tree J48, the Naive Bayes classifier with Kernel Estimation (NBKE), and the Reduce Error Pruning Tree classifier. The numerical results obtained from simulation reveals that the classification results of decision trees are more reliable and accurate than the NBKE technique. William et al. [89] studied the performance of the various ML-based traffic classification method such as C4.5 Decision Tree, Bayesian Network, etc. They calculate the computational speed of each algorithm by the processing of classification number per second, and the amount of time required to develop the classification model. William et al. tested the model using public NLANR traces and selected the classification features using a correlation-based feature selection model. The result shows that the performance of the Decision Tree algorithm was the best among other techniques. It obtains maximum accuracy of about 5.4700K classification per second by using any feature set.
Shafiq et al. [134] introduced a feature selection based method named as weighted mutual information (WMI) technique. Secondly, they introduced a feature selection methodology to select the best features which provide better accuracy. They demonstrated the effectiveness of the proposed method using five different ML-based classifiers. The simulation result shows that the presented method can select the select best features. Also, the Decision Tree C4.5 obtains a better accuracy among other ML-based techniques and produces the best classification results.

D. ARTIFICAL NEURAL NETWORK
An artificial neural network (ANN) technique is one of the most prominent ML-based techniques and considered a very reliable technique for conventional regression and statistical data modeling [135], in which the relationship between input and output data are model by ANN tools [2]. The main advantage of ANN technique is the robust processing on a large scale parallel implementation that significantly contributes and fulfill the need of research in ML-based technique [136]. The ANN gains significant attention from the researcher from Computer and Network Technology background due to its ability to process artificial neuron that are able to perform various computational process on the applied inputs. When a support vector machine (SVM) method was developed at that time the ANN model gains so much popularity among other ML-based techniques. However, both ANN and SVM techniques take a large amount of time to process applied inputs.
Sun et al. [137] designed a model for determining exact collection of sample of traffic named as DHTCP. They demonstrated that their developed model is able to collect traffic sample on host user based on applied information. Sun et al. used probabilistic neural network based on DHTCP dataset for traffic classification. Finally, they employed different statistical features model to identify traffic. Zhou et al. [90] studied feed-forward neural network in order to obtain an efficient Internet traffic classifications model. They separated the payload and port-based identification techniques to assess various network activity such as QoS, security and privacy. They revealed that the fast correlation for obtaining feature selection could obtain a better performance than the neural network technique [2]. They scale dataset from 0%-100% in order to obtain an accurate classification results.
Cui et al. [91] developed a ML-based anomaly detection (MLAD) technique. Firstly, they used the load forecast obtained from neural network that are used to reconstruct benchmark and scaling data using k-means clustering method. Secondly, Cui et al. estimated the cyberattack using Naive Bayes algorithm based on statistical features of data and cumulative distribution function (CDF). The results shows that the proposed method could detect cyberattacks with higher accuracy but some network attacks were not effectively detected and obtained an accuracy of about 76%. Bivens et al. [92] investigate intrusion detection system using neural network. They demonstrated that the neural network could detect efficient malicious node activity within the network.

E. K-MEANS CLUSTERING
K-means clustering technique is one of the popular unsupervised ML-based algorithm. It can identify unlabeled data in different clusters. In order to implement K-means clustering, it requires two important parameters to process: the dataset and the number of clusters. When the cluster quantity is K, then the K-means clustering algorithm is used to overcome clustering issue into three folds: to initialize the K cluster, use of distance function at each network node closet to center node, and assign a new centroid by considering a current node and halt the classifier [104].
Some researchers uses K-means clustering as a classifier in order to obtain normal and malicious behavior of node within the traffic network while other uses K-means clustering algorithm to separate outliers and generates robust dataset for ML-based algorithm [2]. Erman et al. [8] employed a K-means clustering algorithm for network traffic classification. Firstly, they clustered the flows from 64K unlabeled flows. Then, a fixed amount of flow are labeled in each formed cluster. The results show that the presented method obtain about 94% of accuracy in labeled flows. Mishra et al. [93] investigated and analyzed ML-based methods in detail. These methods were used to determine the issues of ML-based techniques when detecting intrusion activity of the user node. Mishra et al. classify and maps attacks corresponding to each attack. Also, they discussed the various tools and future directions for detection of attacks using ML methods.
Erman et al. [94] introduced a method for identifying and differentiate among web and P2P traffic network. They utilize the clustering ML-based technique with the comprehensive demonstration of K-means clustering algorithm. Also, they evaluated the performance in terms of unidirectional trace packet. Kant and Mahajan [95] proposed outlier detection technique using the combination of K-mean algorithm and PSO algorithm. They demonstrate the performance of the proposed method using time-series dataset. The result shows that the presented method could obtain a better outlier detection. Also, they demonstrated that the can be used in different applications such as traffic classification and detection, medical, etc. Jian and Pamula [96] introduced twostep anomaly detection technique based on clustering algorithm. Firstly, they altered the K-means classifiers and then used them for obtaining data pattern. Secondly, they designed a max heap that depends on number of cluster. The numerical results shows that the proposed method obtained a better classification and identification. However, they used the simulated and iris datasets that are commonly used to identify malicious behavior of the node.

F. DEEP REINFORECEMENT LEARNING
The deep reinforcement learning (DRL) algorithm has capability to solve complex problems in different applications such as Physics, Computer Science, and Engineering. It could be used without requiring an input to solve the mathematical model. The DRL uses the combination of deep learning and reinforcement learning in order to provide robust results of various ML-based algorithms. The DRL overcomes the longterm learning problems, and obtains a robust results in different playing games due to its ability to perform variety of tasks [138]. However, the DRL has some demerits such as a low convergence rate and inability to solve complex dataset [2]. Gauci et al. [97] discussed the utilization of reinforcement learning method by Facebook such as push notifications and using fastest video uploading and downloading using smart prefetching. Kalashnikov et al. [98] studied a vision-based learning technique which trains a neural network Q-function by utilizing over 1.2M parameters to perform multiple tasks.

G. SUPPORT VECTOR MACHINE
The support vector machine (SVM) is one of the robust MLbased techniques. It can identify and classify Internet traffic, and classification of large amount of traffic data [139]. It is used for regression and classification, which relies on the separation of hyperplane. For instances, the SVM technique is reliable and efficient when the number of sample instances are lower and the number of features are higher [2]. Buczak and Guven [20] discussed the two different classes that are not separable with slack variables which are added and then determined the cost for the data samples. Buczak and Guven also discussed the quadratic optimization in terms of practical running time.
Yang et al. [100] introduced a P2P network classification technique using SVM. They designed a classifier that is used for P2P traffic classification based on network traffic. Also, they considered other network traffic such as P2P, PPLive, Skype, MSN, etc. Yang et al. demonstrated that labeling traffic samples and define network attributes in order to select and classify traffic [2]. Wanger et al. [99] proposed an evaluation technique for NetFlow records. They applied the temporal technique to the ML method. Wanger et al. obtained a realworld data using Internet services and Flame tools, and other services such as pop spams, scans, etc. The simulation shows that the proposed SVM method obtained a better performance on various kinds of attacks that are reported with an accuracy of about 94%.
Traffic classification plays a significant role for detecting malicious nodes, managing security and privacy issues of network, and network traffic management. It is necessary to discuss every aspect of network traffic classifications and provide solutions to overcome the classification issues using ML-based technique.

H. FUZZY LOGIC
Fuzzy logic is a problem-solving methodology and able to deal with different kinds of numerical data and linguistic knowledge. It controls the complex system without requiring prior knowledge of its mathematical model. Fuzzy logic differentiates from other traditional logic techniques that do not require true or false, on or off, etc. In fuzzy logic, a statement can assume any real number between 0 and 1that represents the degree of truth. Fuzzy logic was introduced by Prof Lotfi A. Zadeh of the University of California at Berkeley.
Fuzzy logic could infer the features and properties of the neural network. Neuro-fuzzy is one of the robust techniques for detecting the malicious activity of network nodes. Gyanchandani et al. [101] discussed various rules which are four folds: (i) Fuzzy logic can combine the input using other sources; (ii) Measures used by IDS have some fuzzy features, (iii) More alert features of IDS are fuzzy, and (iv) Fuzzy logic rules could be modified based on security applications. Mishra et al. [93] investigated that the fuzzy logic approach is unable to detect major attacks. Although, the fuzzy logic could obtain better performance when applying with other ML-based classifiers. The fuzzy logic mainly is used to correlate with the intrusion detection system. Raja and Ramaiah [103] proposed the fuzzy logic-based model for detecting intrusion into the cloud. They applied the knowledge obtained from fuzzy sets to detect intrusions. They tested the performance of the proposed model on different datasets.
Mirzakhanov [102] proposed a case study of fuzzy logic framework in terms of ML and DM techniques. They studied fuzzy logic and compared the quality and quantity difference between them, then, the fuzzy logic methods could perform better than non-fuzzy methods. Then, they presented an association rule mining (ARM) technique, which is cluster based technique that provides fusion of clustering. The experimental results obtained through various real-time datasets provides effective results. Also, Reference [93] discussed some demerits of fuzzy logic, in which the fuzzy logic system requires robust tuning and simulation test before implementing practically. Then, they highlighted the challenges when designing and developing a model using fuzzy logic as compared to other ML-based solutions.

I. GAME THEORY BASED REINFORCEMENT LEARNING
The game theory based reinforcement technique is considered as the mathematical model which relies on decision making and strategic rational. The game theory consists of various components such as payoffs, players, strategies [140]. Also, it requires the number of players and strategy to process operation. In the game theory technique, the decision and strategy makers use the payoff or utility functions to identify the best strategies.
There are various types of game theory algorithms such as cooperative and non-cooperative game theory techniques. In the cooperative game theory technique, most of the players cooperate together and form various associations. This technique is based on decision making and to cooperate and form strategies together. Although, in the non-cooperative game theory, the players could compete with each other to form their own strategy [104]. The players did not communicate and know the strategy with each other. However, the sets obtained from the players reveal that the ending of the play using specific strategies. Therefore, reinforcement learning is mainly used to decide and select optimum strategies.

J. DEEP LEARNING METHODS
The deep learning (DL) methods have been used successfully in various filed such as computer vision, image and language processing, speech and pattern recognition, etc. The DL model has been emerging from communication technology to traffic classification and identification in recent years [141], [107]. The convolution neural network (CNN) is a type of DL model, which is used to facilitate imaging applications. The residual neural network is the part of CNN architecture, which consists of skip connections to overcome the gradient issues.
Several deep learning models have been proposed to classify traffic in recent years. McLaughlin et al. [105] proposed a deep CNN method for android malware detection based on the raw opcode sequence (ROPS). They learned the malware features from the network based on the ROPS. McLaughlin et al. claimed that the proposed model obtained a better performance than the n-gram based classification model. Wang [142] proposed a DL model to classify and identify traffic by considering 1000 bytes in each flow. Wang et al. [106] proposed a CNN-based traffic classification model for representation learning by considering traffic data as images. They determined the best traffic features among other layers using various experiments. Similarly, Wang et al. [107] proposed an end-to-end encrypted traffic classification model using one-dimensional CNN. They integrated an end-to-end model with features extraction and selection for learning the relationship between raw input and encrypted output. Rezaei and Liu [108] proposed a CNN model that takes the time series features as input of the sampled packets. They developed a new model based on the learned weights that consist of a small labeled dataset. Martin et al. [143] proposed a model to classify traffic using the statistical features based on the CNN and recurrent neural network (RNN) techniques. The results show that the proposed model obtained better performance than other methods without requiring any Engineering features. Wang et al. [109] proposed a real-time traffic classification method based on the parallelized CNN model. They applied the spark and spark streaming platforms to model the requirements of the real-time classification of network traffic. Zhou et al. [110] proposed a traffic classification model based on the CNN using the spatial pyramid pooling (SPP) framework. They used the LeNet-5 model to replace the max pooling with the SPP. Salman et al. [111] applied a DL model to classify traffic based on various QoS and network policies. The authors claimed that the proposed model outperforms the previous model in terms of allowing the traffic classification at different granularity.

VI. OBFUSCATION TRAFFIC CLASSIFICATION
The traffic classification obfuscation techniques can be employed by attackers to attack the network without being detected by the intrusion detection system (IDS). We This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022 comprehensively discuss the obfuscation techniques, which could help to design a better classifier. In this regards, several methods have been proposed such as Iwai et al. [144] proposed a ML based adaptive identification method and identified the unknown traffic flow using the trained classifier. They tested the performance of the presented method based on existing obfuscation techniques such as direct target sampling [145] and tamaraw [146].
We reviewed ML techniques for traffic classification in earlier section. We will review methods for traffic obfuscation, which may affect the traffic characteristics. The obfuscation traffic classification techniques can be further classified as encryption, steganography, tunneling, mutation, morphing, and layer obfuscation. Table 3 shows the summary of some of the traffic obfuscation techniques and its approaches.

A. ENCRYPTION
The Internet applications depend on the user private and confidential information which needs to prevent them from any malicious activity such as an attacker modify the original information, copy useful information without any permission and disclose information to illegitimate users. Therefore, the traffic encryption could be adopted over the Internet to hide the user's useful information. In the traffic classification scenarios, the encryption mechanism can hide the signature which could be used for traffic packet-based inspection classification techniques. Also, some encryption algorithms require fixed length which could the affect length and size. Several ML-based classification methods were demonstrated the effectiveness of their proposed method by classifying and identifying encrypted Internet traffic based on the interval time and network packet size [147], [148].

B. TUNNELING
The traffic encryption do not ensure the total privacy, therefore, the tunnel protocols could be used to overcome this issue. The tunneling protocols could be used to hide the metadata connection and to ensure user policy. The famous tunneling service could be used to determine the virtual private network (VPN). The VPN depends on various protocols such as IKE, SSL, etc. Generally, VPN acts as a tunnel between the client and server, and the server is able to transmit the packets to its destination. Also, the VPN user (client) could encrypt the data prior to sending it to destination. A few works have been proposed which aims to classify VPN traffic based on the traffic class and type [107], [149].

C. LAYER OBFUSCATION
The traffic classification in the wireless and sensing network could be used to determine leak side-channel information and network signal pattern. Therefore, it is necessary for obfuscation traffic classification to apply them in order to use for land networks such as morphing, padding [150], and other approaches [151]. In this regard, Zhang et al. [152] proposed a traffic model which aims to develop media access control (MAC) interfaces and it scheduled packets over these interfaces, therefore, redevelop the features of packets based on each interface.

D. STEGANOGRAPHY
The steganography is a process containing confidential data in visual domain. It aims to hide the confidential data into packets, and send them through the network. Recently, a few steganography related works have been proposed which aims to ensure the untraceable of various protocols [153], [154]. Some steganography methods such as Deepflow could be used to hide the TOR in the P2P traffic. The Deepflow hides the unknown traffic in the P2P network using the steganography [119]. In particular, the deepflow node could be used to connect the PPS stream and it works as a client of PPS and transmit the data in the form of video packets and these packets are reach to their destination via PPStream nodes. Facet is another commonly used method of steganography obfuscation method [120], which aims to hide the video traffic of video communication tool such as Skype. First, the facet could be used to generate a message to the server giving the URL address of the video, which it wants to see. The server downloads the selected video and the content is transmitted via a Skype video platform to the facet client.

E. MUTATION
The traffic classification tunneling could use to hide the information contain in the network packet payload. The traffic classification could be obtained using the statistical flow features by considering the time interval and size of packet, and features can be modified based on traffic mutation mechanism. In this regard, the padding technique could be used to hide the network packet detail.
Linear padding: It consists of passing the traffic packet based as the expression below.
where denotes the system parameter and * represent the ceiling, and the length of packets are multiplication of .
Exponent padding: The padding packets can be represented into the exponential form using the below equation.

F. MORPHING
The morphing technique could be used to divert the classifier based on the classifying the traffic application. It's widely used to avoid censorship issues of application protocols and make them legitimate in various applications. Wright et al. [155] presented a traffic morphing approach to obfuscation traffic analysis. They used to morph the one class traffic into another class traffic by using convex optimization method. They also assessed the performance of the present method against other classifiers such as Web traffic [156] and VoIP [157]. Wang et al. [158] revealed that the TOR traffic could be easily detection after obfuscating using two different variants such as format transforming encryption and obfsproxy. The TOR traffic has been used to overcome the issues in [159], [160]. The stegotorus is considered as a TOR plugin which aims to detect and unblock the TOR traffic. It employs steganography to form a TOR traffic which considered as the traffic which developed by another software [160].

VII. KEY FINDINGS, LIMITATIONS, AND RECOMMENDATIONS
This section highlights the key findings, limitations and recommendations after reviewing existing methods for employing ML based traffic classification as illustrate in Figure 7.

A. KEY FINDINGS OF TRAFFIC CLASSIFICATION
This section discusses the key findings for employing ML based traffic classifications.

1) DATA COLLECTION
The data which are used for obtaining traffic classification in most of the reviewed papers were not updated. In the recent years, traffic classification continues to evolve with latest trends and technologies such as new traffic devices and applications. Consequently, the collection of Internet traffic classification based on latest trends is necessary to overcome the issue. Most of the datasets were labelled using deep packet inspection technique which were unable to integrate with portbased labeling with dynamic port allocation.

2) DATA REPRESENTATION AND SELECTION
Several methods have been proposed for traffic classification in recent past years. Moore et al. [53] revealed that various feature sets have relied on network packets, TCP flags, port numbers, and different IP addresses. While the other techniques use the domain name and used protocol request contents. Some researchers applied the datasets for detecting anomalies and identifying the intrusion traffic classification using ML algorithms. They investigated the misuse detection of cyber security and identifying traffic classification [161].
Most of the researchers used the available public datasets for validating the performance of their proposed algorithms, but designing an effective algorithm that employed these datasets is a difficult task. Therefore, it is necessary to develop a new dataset while reusing the available public datasets. Also, some authors use traffic trace while designing an ML-based traffic classification. Though, these traces do not contain accurate information related to traffic classification. Therefore, a new framework is necessary for collecting accurate datasets and effectively applied in various applications.

3) METHOD SELECTION PROCESS
The selection of method plays a significant role in obtaining the best performance of the algorithms. Several types of ML techniques are available and each of them has an advantage and disadvantage. The aim of traffic classification is to obtain a better QoS and improve the privacy and security of the network. In the literature review, different network protocols, approaches, and application have been considered in order to select the best ML technique for traffic classification.

4) ML TECHNIQUES FOR INTRUSION TRAFFIC CLASSIFICATION
Machine learning (ML) methods play an important role in identifying traffic classification as discussed in section 5. They are useful for obtaining traffic classification based on various schemes such as statistical and entropy (decision), etc. Note that the training datasets have effective features and statistical properties. Therefore, it is necessary to determine whether the proposed model works with the online and offline datasets. We have found from the literature review that no study had proposed a robust ML-based classifier for traffic classification. Therefore, there is a need to develop a new ML based classifier and effective datasets should be used for obtaining a better traffic classification.

5) EFFECTIVENESS OF PACKET NUMBER FOR TRAFFIC CLASSIFICATION
Traffic classification plays a crucial role for network application and intrusion detection identification. It identifies and classifies the unknown traffic classes on the entire network. A few research works related to traffic classification using the ML method were proposed. Different approaches were presented to identify traffic classification, in which the early-stage traffic classification technique is popular among those methods. Several studies found that the early network packet up to ten is sufficient and effective for obtaining traffic classification. Some demonstrated that up to six early packets are enough for accurate traffic classification. Early-stage classification is still at the beginning stage, and it needs to determine how many network packets could be used for traffic classification through investigation and review. Researchers should also thoroughly examine and study feature extraction and selection methods. It needs a comprehensive review to enhance the performance of existing approaches by designing an effective feature set for traffic classification at an early stage.

6) ML BASED INTRUSION DETECTION PERFORMANCE
An effective dataset plays an important role for identifying a robust and accurate network-based anomaly detection. Several researchers used various datasets such as NetFlow data, packet dataset, and KDD dataset and applied various ML-based methods to identify effective traffic. Their studies did not propose appropriate methods for anomaly intrusion detection as they just assess the effectiveness of the proposed methods using anomaly datasets. Therefore, it is necessary to develop a new and robust anomaly-based intrusion detection system, which could evaluate the performance of these ML-based methods and identify the best algorithm among them. We have found from the literature review that several studies have employed the classical ML-based methods for detecting anomalies, but they did not propose a new ML method. For example, several authors studied the decision tree, deep reinforcement learning (DRL), fuzzy, logic, and game theory methods. They are effective MLbased methods for detecting anomalies, but a few studies have applied them. Therefore, a need for a new ML-based algorithm arises, which comprises of these ML-based algorithms, such as decision tree, deep reinforcement learning, and so on.

B. LIMITATIONS OF ML FOR TRAFFIC CLASSIFICATION
In this section, we will discuss the challenges and limitations that researchers may face when applying the ML technique for traffic classification.

1) TRAFFIC SAMPLING
The main challenges of traffic classification are that it hides the features of traffic classification applications due to the high speed requirements of the traffic network. It's not reliable to extract features from network packet which requires high speed network. Therefore, traffic sampling could be used to overcome this problem. It could transform different characteristics and features of the traffic, but requires a large computational time to process these characteristics and features, which may resulted in a lower accuracy of traffic classification techniques.

2) TRAFFIC CLASSIFICATION DIMENSION
The weight of traffic classification must be smaller when they are applied in real-time applications. To determine the traffic classification, data representation and selection must be analyzed carefully in terms of time and computational processing that are required to process the traffic classifier. Under this condition, several factors need to be considered such as algorithm complexity, memory space, and computational timing in order to design a better classifier. However, it may cause several issues, such as delay in detecting an intrusion detection system.

3) EFFICIENCY OF CLASSIFICATION ALGORITHMS IN REAL-TIME
From the literature review, it can be observed that most of the classification methods are unable to identify and classify traffic in real-time. However, these methods can classify and identify the traffic in a short period of time after the traffic is generated. The real-time classification plays an important role for ensuring network security and improving QoS. As discussed above, traffic classification needs different procedures such as extraction and selection features, train data, validation, etc. Therefore, the real-time classification of traffic remains a challenging issue in traffic network. The researchers and practitioners need to work on lightweight classification techniques to improve the classifier speed in each process of classification algorithms.

4) CLASSIFICATION FROM UNKNOW TRAFFIC
We observe from the literature review that most of the studies do not obtain the classification from unknown traffic and are focused on the known traffic. That causes the classification results not accurate in some conditions. For example, if the traffic category does not appear accurately in the training data, the algorithm might classify the traffic as known traffic. Also, note that some methods classify traffic into a known category, but it is very difficult for them to reclassify unknown traffic in different categories. Therefore, the reclassification of unknown traffic remains a challenging issue in existing research that needs to be studied in depth to overcome this issue.

5) NETWORK FUNCTIONALITY FOR TRAFFIC CLASSIFICATION
The network functionality plays an important role in selecting the best classifier. Various network function such as NATing and tunneling influence the performance of classifier [162]. Therefore, the researchers and practitioners must consider these network functions when designing a classifier which may resulted in a better performance of traffic classification algorithm.

6) REAL-TIME APPLICATION
Various ML techniques such as Bayesian Network and Decision Tree have been used for traffic classification. From literature review, we observed that a few researchers employed DPI for P2P applications of traffic classifications [11], [69]. However, security and privacy remains a critical issue while deploying DPI. Researchers should consider various factors such as traffic speed and big data when designing ML based traffic classification algorithm. These factors could affect the performance of traffic classifier in real-time applications. Moreover, model training and unknown traffic are considered as other limitations for real-time implementation of traffic classification algorithm. Also, parameter selection and its tuning based on network features and characteristics also pose certain challenges and limitations when employing on real environment. Several Big Tech companies are trying to combine ML methods with network functions to overcome these limitations [163].

C. RECOMMENDATIONS FOR ML FOR TRAFFIC CLASSIFICATION
This section discusses the recommendations that researchers needs to consider when employing ML methods for traffic classification. It investigates how importance these recommendations are to researchers and practitioners in order to effectively apply them for obtain a better Internet traffic classification. We outline several recommendations that could be used to enhance the traffic classification framework.

1) GENERALIZE MODEL
The generalized ML model should be tested on datasets collected from different network environments in order to demonstrate the effectiveness of the ML model. For instance, if an ML algorithm is considered a generalized model, it may indicate that the hidden data are present at low variance.

2) ANONYMOUS TRAFFIC DETECTION
The traffic classification aims to identify the traffic characteristic, type, and network application name. These features are constantly emerging in the network environment. Therefore, detecting rapid changes in the network and identifying attacks could be beneficial for reducing the chances of misclassification. In this context, traffic classification model uncertainty need to assess based on the traffic types and features, and a model must have a capability to detect anomalies. The unsupervised ML techniques should be able to detect unknown traffic without requiring any prior knowledge or information of traffic characteristics within the network.

3) ROBUSTNESS OF TRAFFIC CLASSIFICATION
In order to make the classifier more robust for detecting anomaly detection or identifying traffic obfuscation plays an important role to reduce the chances of misclassification. In this regard, the unsupervised learning could be used to detect different unknown traffic classes. Therefore, the traffic classifier is necessary to test against anomaly and intrusion detection system along with different obfuscation approaches. Consequently, we could detect various kinds of attacks or traffic mutations in order to obtain a better classifier.

4) RIGOROUS ANALYSIS
Developed traffic classification models should be comprehensively analyzed using different tools in order to evaluate their effectiveness and efficiency. This can be accomplished using performance and standard metrics and compare its implementations on various Internet traffic such as encryption, decryption along with the multichannel application flows of different length.

5) UPDATED MODEL
Update model of traffic classification techniques evolving rapidly in network, such as traffic classification in IoT network by considering different kinds of IoT devices. It requires to train the model based on latest trends of traffic types. Developing ML techniques should be employed that uses online training for updating traffic classifiers. In this context, reinforcement learning could be used to update training model by relying on the feedback from the users in terms of QoS, security and privacy issues, and number of false alarms of network security.

6) DATA COLLECTION
Data collection plays an important role for assessing the performance of ML based classifier. Training the ML model in terms of representative data that could be used to obtain the useful information or pattern and helps to classify the hidden data with higher accuracy.
Data should be accurately labelled and ensure its collection from different network edges and points. Also, collection of data from a variety of sources such as devices, applications, etc. could be useful for implementing ML model. Furthermore, the availability of open-access or public data could be used to assess the effectiveness of the developed ML algorithms. Handling big data requires large amount of data to process. The tool required to process the ML technique using big data could be beneficial for obtaining high speed traffic, but it requires large storage techniques to process the ML method with big data.

VIII. CONCLUSION
The research interest on traffic classification has been gaining popularity among researchers from Communication and Networking backgrounds over the last couple of years. Through this technique, network operators could monitor the performance of the traffic classification such as service identifications, network designing, and perform the optimization to classify and identify traffic. It has produced robust and novel results and attained a better accuracy when it applies to different behaviors of Internet applications. Current investigation on emerging trends of traffic classification methods is necessary for researchers, practitioners, and Internet service providers who can monitor the performance of the entire classification network. This paper gave a thorough review of the network traffic classification techniques, traffic datasets, and ML-based methods for traffic classification. We first introduced the traffic classification procedures, in which we thoroughly reviewed the datasets and discussed the extraction and feature selection methods that are widely used in traffic classification. Then, we further presented the criteria for traffic classification, which can be used to assess the effectiveness of classification algorithms. We thoroughly discussed the recent state-of-the-art techniques for traffic classification in terms of four categories such as port-based classification, payload-based classification, statistical-based classification, and behavior-based classification. Then, we discussed the ML methods for traffic classification, which is followed by a thorough discussion of traffic obfuscation techniques. Finally, key findings and open research challenges are identified along with recommendations for future research directions in traffic classification. In short, this survey is well developed to cover traffic classification techniques. It fills the literature gaps of existing surveys and incorporates the recent trends and approaches in traffic classifications.