Jing Yuan,Zhu Li,Ruixi Yuan

DOI: https://doi.org/10.1109/icc.2008.307

2008-01-01

Abstract:In this paper, we develop an unsupervised machine learning method for network traffic classification. First, the traffic flows from active hosts are separated into different clusters by sequentially applying the information entropy techniques. The clusters are then classified into broad-based application types by examining the parameters of the clusters, as well as the dynamic properties of the clusters during the clustering process. Experiment results from a campus backbone environment are presented, where the network traffic flows from the top 20 active hosts are identified. The results showed that the identification accuracy is approximately 93.81%. This compares to prior works using unsupervised machine learning methods, where the classification accuracy is generally lower, with the highest being 86.5%. We also show that our method can be combined with supervised learning method to further improve the classification accuracy and perform automatic training on the classification engine.

Yu Wang,Yang Xiang,Shunzheng Yu

DOI: https://doi.org/10.1109/cse.2011.58

2011-01-01

Abstract:Due to the increasing unreliability of traditional port-based methods, Internet traffic classification has attracted a lot of research efforts in recent years. Quite a lot of previous papers have focused on using statistical characteristics as discriminators and applying machine learning techniques to classify the traffic flows. In this paper, we propose a novel machine learning based approach where the features are extracted from packet payload instead of flow statistics. Specifically, every flow is represented by a feature vector, in which each item indicates the occurrence of a particular token, i.e., a common substring, in the payload. We have applied various machine learning algorithms to evaluate the idea and used different feature selection schemes to identify the critical tokens. Experimental result based on a real-world traffic data set shows that the approach can achieve high accuracy with low overhead.

Shijun Huang,Kai Chen,Chao Liu,Alei Liang,Haibing Guan

DOI: https://doi.org/10.1109/icumt.2009.5345539

2009-01-01

Abstract:This Internet traffic classification using Machine Learning is an emerging research field since 1990's, and now it is widely used in numerous network activities. The classification technique focuses on modeling attributes and features of data flows to accomplish the identification of applications. In the paper we design and implement the classification model based on header-derived flow statistical features. Compared with the traditional methods, the model designed here, which is totally insensitive to port numbers and contents of payload on application level, overcomes difficulty in operation caused by unreliable port numbers and complexity of payload interpretation. Rather than relatively complex ML algorithms or even in mixture, supervised k-Nearest Neighbor estimator is adopted for the sake of computational efficiency, along with the effective and easy-to-calculate statistical features selected according to the operational background. Our results indicate that about 90% accuracy on per-flow classification can be achieved, which is a vast improvement over traditional techniques that achieve 50-70%.

Luming Yang,Shaojing Fu,Yongjun Wang,Chao Li,Shanghuai Feng,Yuchuan Luo,Lin Liu

DOI: https://doi.org/10.1109/ispa-bdcloud-socialcom-sustaincom52081.2021.00155

2021-01-01

Abstract:With the development of Internet technology, application traffic identification based on Machine learning has taken much attention in the past decade. However, there are still some problems even if many traffic classification schemes have been proposed, which will affect the QoS (Quality of Service) of application traffic identification. First, the complete-flow-based methods will fail when facing incomplete flows and multiple flows in real-time detection. Second, the model generalization ability will decrease if using raw traffic data as input directly, especially the representation learning model. For these reasons, in this paper, we developed a new traffic classification method based on packet-sequence and byte-distribution, which can be used for application traffic identification. The byte-distribution of packet-sequence can be obtained through statistics directly without parsing the application protocol. The packet-sequence analysis unit avoids problems caused by the incomplete network flow, which is more suitable for real-time detection. Using packet payload byte-distribution instead of raw data balances the relationship between raw input and manual intervention to a certain extent. In order to prove that packet-sequence and byte-distribution are enough for application traffic classification, we tested our traffic classification method on the dataset we collected in the environment of Ethernet. We achieved an accuracy of 97.485%, which is a good performance. Our method also demonstrated good real-time performance and an acceptable detection result.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

LIU Qiong,LIU Zhen,HUANG Min

DOI: https://doi.org/10.3969/j.issn.1002-137x.2010.12.008

2010-01-01

Computer Science

Abstract:To identify the traffic based on the application in a large network, the major part is traffic classification and it is useful to provide quality of service, lawful interception and intrusion detection. A number of limitations have been exhibited by older methods such as port-based and payload based classification. Hence Machine learning techniques are used by the research community to analyse the flow statistics for detecting network applications. The statistical based approach is used here for traffic identification and classification process. The statistical features are flow size, flow duration, TCP port, packet inter-arrival times statistics, total number of packets, mean packet length, protocol, number of bytes transferred. There are two types of machine learning algorithms such as supervised and unsupervised algorithms. These two machine learning algorithms are analysed with datasets respectively based on the set of algorithms. By evaluating the results of supervised and unsupervised algorithms respectively, best algorithm from each technique is combined together to yield

Jie Ding,Liang Huang,Yupeng Tuo,Yafei Sang,Yongzheng Zhang

DOI: https://doi.org/10.3969/j.issn.1000-386x.2017.02.026

2017-01-01

Abstract:Accurate and efficient network traffic classification technology plays a significant role for improving network quality of service,optimizing network bandwidth allocation,enhancing network security management and research in network-related field.Currently,most research work in network traffic classification field focuses on how to identify the type of the network applications and protocols.However,the existing methods cannot be applied to analyze and classify the unknown traffic (generated by unknown applications or protocols) and encrypted traffic.Therefore,a flow nature classification method based on multi-features of n-gram is proposed,which can classify the network traffic according to the content type of the payload in the packets (including text,audio,video,picture,executable,compressed and encrypted).Firstly,a set of frequent subsequences by means of a threshold-based strategy is selected,then multifeatures is extracted to characterize the frequency distribution of the selected set,finally a desirable performance is obtained to classify the content type of the traffic payload by employing C4.5 decision tree classifier.The experimental results show that the average precision ratio and the average recall ratio of our approach achieve 92.7％ and 91.9％ respectively with only 1 KB of data per flow.Compared with the classification methods based on entropy features,the proposed method increases by approximately 10.8％ and 12.1％ in terms of average precision ratio and average recall ratio.

Jun Li,Shunyi Zhang,Cuilian Li,Junrong Yan

DOI: https://doi.org/10.1002/nem.735

2010-01-01

International Journal of Network Management

Abstract:Accurate and real-time classifi cation of network traffic is significant to a number of network operation and management tasks such as quality of service differentiation, traffic shaping and security surveillance. However, with emerging P2P applications using dynamic port numbers, IP masquerading techniques and payload encryption, accurate and intelligent traffic classification continues to be a big challenge despite a wide range of research work on the topic. Since each classification method has its disadvantages and hardly could meet the specific requirement of Internet traffic classification, this paper innovatively presents a composite traffic classification system. The proposed lightweight system can accurately and effectively identify Internet traffic with good scalability to accommodate both known and unknown/encrypted applications. Furthermore, It promises to satisfy various Internet uses and is feasible for use in real-time line speed applications. Our experimental results show the distinct advantages of the proposed classification system.

Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Jun Zhang,Chao Chen,Yang Xiang,Wanlei Zhou

DOI: https://doi.org/10.1145/2484313.2484366

2013-01-01

Abstract:ABSTRACTTraffic classification is a fundamental component in advanced network management and security. Recent research has achieved certain success in the application of machine learning techniques into flow statistical feature based approach. However, most of flow statistical feature based methods classify traffic based on the assumption that all traffic flows are generated by the known applications. Considering the pervasive unknown applications in the real world environment, this assumption does not hold. In this paper, we cast unknown applications as a specific classification problem with insufficient negative training data and address it by proposing a binary classifier based framework. An iterative method is proposed to extract unknown information from a set of unlabelled traffic flows, which combines asymmetric bagging and flow correlation to guarantee the purity of extracted negatives. A binary classifier is used as an application signature which can operate on a bag of correlated flows instead of individual flows to further improve its effectiveness. We carry out a series of experiments in a real-world network traffic dataset to evaluate the proposed methods. The results show that the proposed method significantly outperforms the-state-of-art traffic classification methods under the situation of unknown applications present.

Zhou Wengang,Chen Leiting,Dong Shi

DOI: https://doi.org/10.3724/sp.j.1187.2013.01114

2013-01-01

JOURNAL OF ELECTRONIC MEASUREMENT AND INSTRUMENT

Abstract:A number of network activities can benefit from accurate traffic classification and identification. However, the current classification methods, either port-based or payload-based, are becoming ineffective as many P2P applications use dynamic port numbers, masquerading techniques, and encryption to avoid detection. This paper discusses and explores a new method that is based on supervised machine learning mechanisms, which eliminate the inherent limitations of port-based or payload-based methods. A series of experiments show that, combined with a fast correlation-based feature selection filter, better performance and more accurate identification results can be obtained using the neural network method. Due to all the favorable features and satisfactory performance, the proposed methods are promising for internet traffic classification.

Jian-Zhen Luo,Shun-Zheng Yu,Man Li

2014-01-01

Abstract:Classifying and identifying Internet traffic by application type has drawn more attention over the past few years in many fields of computer networks. More importantly, unsupervised techniques for traffic classification are useful for network administrators to cluster unknown traffic. In this paper, we propose a novel technique for unsupervised traffic classification based on affinity propagation mechanism. The application payloads are parsed into 3-grams and similarities between payloads are computed based on information theory. An affinity propagation based algorithm is used to cluster application payloads according to the payloads similarity metrics. We implement our approach on a system and evaluate our system on three data sets and compare the performance with EM and K-means. The results show that our approach excellently outperforms the EM and K-means clustering algorithms in the clustering categorical data.

Muhammad Shafiq,Xiangzhan Yu,Asif Ali Laghari,Lu Yao,Abin Kumar Karn,Oudil Abdessamia

DOI: https://doi.org/10.1109/compcomm.2016.7925139

2016-01-01

Abstract:Network Traffic Classification is a central topic nowadays in the field of computer science. It is a very essential task for Internet service providers (ISPs) to know which types of network applications flow in a network. Network Traffic Classification is the first step to analyze and identify different types of applications flowing in a network. Through this technique, internet service providers or network operators can manage the overall performance of a network. There are many methods traditional technique to classify internet traffic like Port Based, Pay Load Based and Machine Learning Based technique. The most common technique used these days is Machine Learning (ML) technique. Which is used by many researchers and got very effective accuracy results. In this paper, we discuss network traffic classification techniques step by step and real time internet data set is develop using network traffic capture tool, after that feature extraction tool is use to extract features from the capture traffic and then four machine learning classifiers Support Vector Machine, C4.5 decision tree, Naïve Bays and Bayes Net classifiers are applied. Experimental analysis shows that C4.5 classifiers gives very good accuracy result as compare to other classifies.

Du Min,Chen Xingshu,Tan Jun

DOI: https://doi.org/10.1109/cc.2013.6472861

2013-01-01

Abstract:Internet traffic classification plays an important role in network management. Many approaches have been proposed to classify different categories of Internet traffic. However, these approaches have specific usage contexts that restrict their ability when they are applied in the current network environment. For example, the port based approach cannot identify network applications with dynamic ports; the deep packet inspection approach is invalid for encrypted network applications; and the statistical based approach is time-consuming. In this paper, a novel technique is proposed to classify different categories of network applications. The port based, deep packet inspection based and statistical based approaches are integrated as a multistage classifier. The experimental results demonstrate that this approach has high recognition rate which is up to 98% and good performance of real-time for traffic identification.

Zheng Liming,Zou Peng,Jia Yan,Han Weihong

2012-01-01

China Communications

Abstract:Detecting traffic anomalies is essential. for diagnosing attacks. High-Speed Backbone Networks (HSBN) require Traffic Anomaly Detection Systems (TADS) which are accurate (high detection and low false positive rates) and efficient. The proposed approach utilizes entropy as traffic distributions metric over some traffic dimensions. An efficient algorithm, having low computational and space complexity, is used to estimate entropy. Entropy values over all dimensions are collected to form a detection vector for every sliding window. One class support vector machine classifies all detection vectors into one of two groups: abnormal vectors and normal vectors. A Multi-Windows Correlation Algorithm (MWCA) calculates comprehensive anomaly scores observed in a sequence of windows in order to reduce false positive rates and obtain high detection rates. Some real-world traffic traces have been used to validate and evaluate the efficiency and accuracy of this system through three experiments. In Experiment 1, the estimating algorithm of entropy which costs less memory and runs faster than traditional algorithms is more suitable for detection anomalies. In Experiment 2, the classification and correlation algorithms can improve the detection accuracy significantly. Experiment 3 compares the subject system and three well-known systems. Ours system is the most accurate one. Those results have indicated that the proposed system significantly improves the accuracy and efficiency.

Jiahui Chen,Joe Breen,Jeff M. Phillips,Jacobus Van der Merwe

DOI: https://doi.org/10.1007/s10586-021-03393-2

2021-07-10

Abstract:Network traffic classification that is widely applicable and highly accurate is valuable for many network security and management tasks. A flexible and easily configurable classification framework is ideal, as it can be customized for use in a wide variety of networks. In this paper, we propose a highly configurable and flexible machine learning traffic classification method that relies only on statistics of sequences of packets to distinguish known, or approved, traffic from unknown traffic. Our method is based on likelihood estimation, provides a measure of certainty for classification decisions, and can classify traffic at adjustable certainty levels. Our classification method can also be applied in different classification scenarios, each prioritizing a different classification goal. We demonstrate how our classification scheme and all its configurations perform well on real-world traffic from a high performance computing network environment.

Machine Learning,Networking and Internet Architecture

Meng Shen,Mingwei Wei,Liehuang Zhu,Mingzhong Wang

DOI: https://doi.org/10.1109/tifs.2017.2692682

IF: 7.231

2017-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With a profusion of network applications, traffic classification plays a crucial role in network management and policy-based security control. The widely used encryption transmission protocols, such as the secure socket layer/transport layer security (SSL/TLS) protocols, lead to the failure of traditional payload-based classification methods. Existing methods for encrypted traffic classification cannot achieve high discrimination accuracy for applications with similar fingerprints. In this paper, we propose an attribute-aware encrypted traffic classification method based on the second-order Markov Chains. We start by exploring approaches that can further improve the performance of existing methods in terms of discrimination accuracy, and make promising observations that the application attribute bigram, which consists of the certificate packet length and the first application data size in SSL/TLS sessions, contributes to application discrimination. To increase the diversity of application fingerprints, we develop a new method by incorporating the attribute bigrams into the second-order homogeneous Markov chains. Extensive evaluation results show that the proposed method can improve the classification accuracy by 29% on the average compared with the state-of-the-art Markov-based method.

颜若愚,郑庆华

2010-01-01

Abstract:A traffic anomaly detection and classification method based on cross entropy is proposed to identify network attack behaviors accurately.Both features of traffic flow header and traffic behavior are used to characterize three types of common attacks,such as DoS attacks,port scans and network scans.The cross entropy is used to measure traffic distribution changes for each traffic feature,and a behavior vector for each attack type is built.Then exponentially weighted moving average control chart method is applied to multiple cross entropy indicators for anomaly detection,and an anomaly vector is generated.The similarity between the anomaly vector and each behavior vector is computed to classify attacks.Experimental results and comparisons with the Shannon entropy measurement on Netflow traffic in a router show that under relatively weaker attacks,the true positive rate,average precision and accuracy of the cross entropy measurement in attack classification rise by 13%,15%,and 13%,respectively.