Abstract
Encrypted Client Hello (ECH) reduces information leakage in encrypted packet connections, thereby complicating traditional Deep Packet Inspection (DPI) methods. While various machine learning approaches have been proposed for classifying ECH network connections, prior research typically requires lengthy observation times and focuses on a limited set of applications in constrained environments. This study demonstrates a highly accurate classification mechanism capable of identifying a large number of applications in real-world traffic using only the packets observed during an interval of up to 1 second. To train our models, we created a novel dataset derived from operational network traffic, ensuring relevance and diversity in training and evaluation. Furthermore, we propose a novel hierarchical approach that leverages protocol-specific knowledge, enabling scalable and efficient classification in operational settings. We further show that a lightweight Random-Forest classifier attains virtually the same accuracy as deep neural network variants, indicating that complex sequence models are not needed for this task. Our findings highlight the effectiveness of leveraging short Per Packet Information (PPI) sequences and domain-specific features to overcome the challenges posed by ECH, achieving performance superior to that of existing methods.
| Original language | English |
|---|---|
| Pages (from-to) | 337-350 |
| Number of pages | 14 |
| Journal | IEEE Transactions on Machine Learning in Communications and Networking |
| Volume | 4 |
| DOIs | |
| State | Published - 2026 |
Bibliographical note
Publisher Copyright: © 2023 CCBY.
Keywords
- Encrypted client hello (ECH)
- deep packet inspection (DPI)
- encrypted traffic classification
- machine learning in networking
- network traffic analysis
- per packet information (PPI)
- real-time systems
- transport layer security (TLS)
Fingerprint
Dive into the research topics of 'Fast Real-World Classification of ECH-Enabled Applications'. Together they form a unique fingerprint.