I. Introduction
Initiated by Google, the QUIC protocol has evolved into a next-generation transport protocol, now standardized by the Internet Engineering Task Force (IETF) in the RFCs [1]–[4]. Many leading Internet companies have deployed QUIC on their infrastructure. Between 2015 and 2016, the percentage of Google traffic served by QUIC increased from 1% to 30% [5]. Traffic visibility [6] is reduced when using QUIC, because one of its features is the encryption of transport-layer data. This is a challenge for the design of monitoring systems that analyze traffic in the clear.
With the widespread adoption of HTTPS, more and more websites have migrated to encrypted communication to protect the data exchanged between users and web servers. This means that application data in HTTP traffic is no longer visible to third-party observers, ensuring greater privacy and security for users. To follow the advancements in web data transfer protocols, it is crucial to understand the interconnections between HTTP/3, QUIC, and HTTPS. Unlike HTTP/1.1 and HTTP/2, which rely on TCP, HTTP/3 adopts QUIC as its transport. Simultaneously, HTTPS also incorporates QUIC to encrypt HTTP exchanges. One unique aspect of QUIC is that TLS encrypts a portion of the QUIC protocol itself, providing a broader level of security compared to TCP, where the entirety of Layer 4 remains unencrypted.
However, the introduction of QUIC in recent years has posed a new challenge for network operators. QUIC, which operates at a higher level than traditional transport protocols such as TCP, has made much of the transport data unavailable for third-party observation. With the increasing prevalence of encrypted transport data through HTTPS and QUIC, detecting intrusions and diagnosing network faults has become more challenging.
Addressing this growth in encrypted traffic requires innovative approaches to enhance visibility. Artificial intelligence algorithms offer a solution for real-time monitoring and analysis of encrypted traffic, detecting anomalies and potential threats [7]. Our focus is on utilizing AI specifically for monitoring encrypted traffic rather than solely improving visibility. In our study, we apply the KNN, Logistic Regression, SVM, and Random Forest classification algorithms to one-second traffic samples generated from a simulated network architecture built with Docker containers. This setup simulates browser traffic, labeled as regular HTTP/3, between web clients and a server using the Selenium library. We also simulate attack traffic with a group of containers flooding the web server over QUIC.
The remainder of the paper is organized as follows. Section II presents related work on the use of Artificial Intelligence in network traffic classification. We introduce the architecture and tools used for traffic generation in Section III. Section IV outlines the process of feature extraction and dataset generation. Subsequently, we employ the ANOVA algorithm to derive variance scores for our features in order to evaluate the suitability of each feature for sample classification. The objective is to develop an intelligent system capable of autonomously identifying specific types of DDoS attacks and implementing appropriate countermeasures.