Leveraging synthetic traffic data samples for flow classifier training

What is claimed is: 1 . A method comprising: receiving, at a device in a network, traffic data regarding a plurality of observed traffic flows; mapping, by the device, one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment; generating, by the device, synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment; and training, by the device, a machine learning-based traffic classifier using the synthetic traffic data. 2 . The method as in claim 1 , wherein the machine learning-based traffic classifier is configured to classify a particular traffic flow as benign or malware-related. 3 . The method as in claim 1 , wherein the machine learning-based traffic classifier is configured to determine an application associated with a particular traffic flow. 4 . The method as in claim 1 , further comprising: deploying, by the device, the trained traffic classifier to the target deployment environment. 5 . The method as in claim 1 , wherein the machine learning-based traffic classifier is further trained using one or more of the characteristics of the observed traffic flows. 6 . The method as in claim 1 , wherein at least one of the mapped characteristics corresponds to a ciphersuite in use in the targeted deployment environment. 7 . The method as in claim 1 , wherein at least one of the mapped characteristics corresponds to at least one of: an advertised security extension, a proxy-related header field, packet length information, inter-packet timing information, or a Hypertext Transfer Protocol (HTTP) header field. 8 . The method as in claim 1 , wherein the observed traffic flows were generated in a sandbox testing environment. 9 . The method as in claim 1 , further comprising: receiving, at the device, data indicative of the traffic characteristics associated with a targeted deployment environment, wherein the data indicative of the traffic characteristics associated with the targeted deployment environment identifies one or more device configurations in use in the targeted deployment environment. 10 . An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: receive traffic data regarding a plurality of observed traffic flows; map one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment; generate synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment; and train a machine learning-based traffic classifier using the synthetic traffic data. 11 . The apparatus as in claim 10 , wherein the machine learning-based traffic classifier is configured to classify a particular traffic flow as benign or malware-related. 12 . The apparatus as in claim 10 , wherein the machine learning-based traffic classifier is configured to determine an application associated with a particular traffic flow. 13 . The apparatus as in claim 10 , wherein the process when executed is further operable to: deploy the trained traffic classifier to the target deployment environment. 14 . The apparatus as in claim 10 , wherein the machine learning-based traffic classifier is further trained using one or more of the characteristics of the observed traffic flows. 15 . The apparatus as in claim 10 , wherein at least one of the mapped characteristics corresponds to a ciphersuite in use in the targeted deployment environment. 16 . The apparatus as in claim 10 , wherein at least one of the mapped characteristics corresponds to at least one of: an advertised security extension, a proxy-related header field, packet length information, inter-packet timing information, or a Hypertext Transfer Protocol (HTTP) header field. 17 . The apparatus as in claim 10 , wherein the observed traffic flows were generated in a sandbox testing environment. 18 . The apparatus as in claim 10 , wherein the process when executed is further operable to: receive data indicative of the traffic characteristics associated with a targeted deployment environment, wherein the data indicative of the traffic characteristics associated with the targeted deployment environment identifies one or more device configurations in use in the targeted deployment environment. 19 . A tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising: receiving, at the device, traffic data regarding a plurality of observed traffic flows; mapping, by the device, one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment; generating, by the device, synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment; and training, by the device, a machine learning-based traffic classifier using the synthetic traffic data. 20 . The computer-readable medium as in claim 19 , wherein at least one of the mapped characteristics corresponds to at least one of: a ciphersuite in use in the targeted deployment environment, an advertised security extension in use in the targeted deployment environment, a header field in use in the targeted deployment environment, a packet length in use in the targeted deployment environment, or inter-packet timing information associated with the targeted deployment environment.