Zhenchang Xia,Yanjiao Chen,Libing Wu,Yu-Cheng Chou,Zhicong Zheng,Haoyang Li,Baochun Li

DOI: https://doi.org/10.1109/IWQOS52092.2021.9521291

2021-01-01

Abstract:The advent of new network architectures has resulted in the rise of network applications with different network performance requirements: live video streaming applications require low latency. In contrast, file transfer applications require high throughput. Existing congestion control protocols may fail to simultaneously meet the performance requirements of these different types of applications since their designed objective function is fixed and difficult to readjust according to the needs of the application. In this paper, we develop MOCC (Multi-Objective Congestion Control), a novel multi-objective congestion control protocol that can meet the performance requirements of different applications without the need to redesign the objective function. MOCC leverages multi-objective reinforcement learning with preferences in order to adapt to different types of applications. By addressing challenges such as slow convergence speed and the difficulty of designing the end of the episode, MOCC can quickly converge to the equilibrium point and adapt multi-objective reinforcement learning to congestion control. Through an extensive array of experiments, we discover that MOCC outperforms the most recent state-of-the-art congestion control protocols and can achieve a trade-off between throughput, latency, and packet loss, meeting the performance requirements of different types of applications by setting preferences.

Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

LI Chenglong,XUE Yibo,WANG Dongsheng

DOI: https://doi.org/10.3778/j.issn.1673-9418.2012.05.002

2012-01-01

Abstract:Traffic classification and protocol identification are the premise and the essential condition to effective network management. However, more and more encrypted protocols make traditional traffic classification methods less effective. To address the issue, this paper proposes an automatic reverse and message analysis (ARCA) method to identify encryption protocols. Different from traditional classification approaches, the proposed method exploits the protocol structure by automatically and reversely analyzing the target protocol, obtains the protocol interactive process by clustering messages, then identifies the protocol using the protocol structure and interactive process together. This method does not need to check payload, so it can classify the encrypted protocols. The paper evaluates the efficacy and accuracy of ARCA with real world traffic, such as encryption protocols Thunder, BitTorrent, QQ and GTalk. The experimental results show that the accuracy rates and the recall rates are over 96.9% and 93.1% respectively and only need check 0.9% of traffic. Therefore the proposed method has a great potential to accurately and quickly identify encryption protocols.

Chenglong Li,Yibo Xue,Yingfei Dong,Dongsheng Wang

DOI: https://doi.org/10.1109/glocom.2010.5683651

2010-01-01

Abstract:Thunder (also called Xunlei) is the most popular P2P file sharing application in China and probably the most popular P2P software in term of traffic volume and number of users. Precisely identifying Thunder traffic can help network administrators to efficiently manage their networks. Traditional methods of identifying P2P traffic such as port-based or content-based approaches are ineffective to Thunder traffic, because of its dynamic packet format, flexible port numbers, and payload encryption. In this paper, we developed a novel Heuristic Message Clustering approach (HMC) to identify Thunder traffic, and obtain its state machine and key transaction cycles, thus identifying Thunder traffic fast and accurately. We first evaluate our method in a controlled environment and then with real campus traces. The results show that HMC is able to identify Thunder flows with high precision and low error rate.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1109/glocom.2008.ecp.475

2008-01-01

Abstract:Accurate and fast identification of network traffic is an important element of many network management tasks such as QoS provisioning and security monitoring. However, as many newly-emerged Peer-to-Peer (P2P) applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, the classical approaches based on port mapping and payload analysis are ineffective. An alternative approach is to classify traffic by distinguishing the behavior of an application within the first few packets of TCP connection. We pursue this approach and demonstrate that information of few packets is enough to effectively identify P2P traffic. In our work, C4.5 decision tree and REPTree are evaluated and compared with the previously used clustering method K-Means. Experimental results show that our approaches outperform K- Means algorithm in accuracy. In addition, the proposed approaches can accommodate known and unknown P2P traffic and even encrypted traffic in fast and accurate way, which ensures the real-time applications on the Internet traffic surveillance and QoS provisioning.

Xiaoxian Chen,Zhenlong Yuan,Yibo Xue

DOI: https://doi.org/10.1109/iccnc.2014.6785437

2014-01-01

Abstract:Tencent QQ is the most popular instant message communication tool in China, which has more than 780 million users and thus generates huge traffic on the Internet. However, due to its proprietary protocol and encryption mechanism, it is very hard to identify QQ traffic at a fine-grained flow level. To solve this issue, this paper proposes a novel identification method, which uses a Payload and Behavior Combination (PBC) technology. PBC combines the packet payload characteristics with behavior characteristics existing in the QQ communication process. The experimental results show that PBC has a good identification accuracy in dealing with QQ traffic.

Zhongqiang Chen,Alex Delis,Peter Wei

DOI: https://doi.org/10.1142/s0218843008001750

2008-01-01

International Journal of Cooperative Information Systems

Abstract:Sessions generated by Instant Messaging and Peer-to-Peer systems (IM/P2Ps) not only consume considerable bandwidth and computing resources but also dramatically change the characteristics of data flows affecting both the operation and performance of networks. Most IM/P2Ps have known security loopholes and vulnerabilities making them an ideal platform for the dissemination of viruses, worms, and other malware. The lack of access control and weak authentication on shared resources further exacerbates the situation. Should IM/P2Ps be deployed in production environments, performance of conventional applications may significantly deteriorate and enterprise data may be contaminated. It is therefore imperative to identify, monitor and finally manage IM/P2P traffic. Unfortunately, this task cannot be easily attained as IM/P2Ps resort to advanced techniques to hide their traces including multiple channels to deliver services, port hopping, message encapsulation and encryption. In this paper, we propose an extensible framework that not only helps to identify and classify IM/P2P-generated sessions in real time but also assists in the manipulation of such traffic. Consisting of four modules namely, session manager, traffic assembler, IM/P2P dissector, and traffic arbitrator, our proposed framework uses multiple techniques to improve its traffic classification accuracy and performance. Through fine-tuned splay and interval trees that help organize IM/P2P sessions and packets in data streams, we accomplish stateful inspection, traffic re-assembly, data stream correlation, and application layer analysis that combined will boost the framework's identification precision. More importantly, we introduce IM/P2Ps "plug-and-play" protocol analyzers that inspect data streams according to their syntax and semantics; these analyzers render our framework easily extensible. Identified IM/P2P sessions can be shaped, blocked, or disconnected, and corresponding traffic can be stored for forensic analysis and threat evaluation. Experiments with our prototype show high IM/P2Ps detection accuracy rates under diverse settings and excellent overall performance in both controlled and real-world environments.

Jun Li,Shunyi Zhang,Cuilian Li,Junrong Yan

DOI: https://doi.org/10.1002/nem.735

2010-01-01

International Journal of Network Management

Abstract:Accurate and real-time classifi cation of network traffic is significant to a number of network operation and management tasks such as quality of service differentiation, traffic shaping and security surveillance. However, with emerging P2P applications using dynamic port numbers, IP masquerading techniques and payload encryption, accurate and intelligent traffic classification continues to be a big challenge despite a wide range of research work on the topic. Since each classification method has its disadvantages and hardly could meet the specific requirement of Internet traffic classification, this paper innovatively presents a composite traffic classification system. The proposed lightweight system can accurately and effectively identify Internet traffic with good scalability to accommodate both known and unknown/encrypted applications. Furthermore, It promises to satisfy various Internet uses and is feasible for use in real-time line speed applications. Our experimental results show the distinct advantages of the proposed classification system.

Dawei Wang,Luoshi Zhang,Zhenlon Yuan,Yibo Xue,Yinfei Dong

DOI: https://doi.org/10.1109/iccnc.2014.6785298

2014-01-01

Abstract:Network traffic classification is critical to both network management and system security. However, existing traffic classification techniques become less effective as more P2P applications use proprietary protocols for delivery and encryption. Especially, current techniques usually focus on individual flows and do not consider all flows associated with an application together. To address this issue, this paper proposes a novel Application Behavior Characterization (ABC) technique. We design a novel application behavior feature extracting method and an effective classification algorithm, which explore the correlation of multiple flows of a specific application. We evaluate the proposed method with real network traffic. The experimental results show that it can correctly identify flows belonging to a set of known P2P applications (such as Skype, Thunder, and PPTV) with a probability over 90%. Moreover, it can further identify the particular application that a flow belongs to with a precision of 90% on average. More information about implementing and deploying ABC can be found in a technical report [10].

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

Zhang Luoshi,Xue Yibo,Bao Yuanyuan

DOI: https://doi.org/10.14257/ijgdc.2015.8.3.29

2015-01-01

International Journal of Grid and Distributed Computing

Abstract:With development of scale, diversity and complexity of network traffic, the drawbacks of traditional machine learning methods on traffic classification is gradually exposed, especially the false positive problem in large-scale real network traffic classification is particularly serious. In this paper, aiming at reducing the false positive rate of network traffic classification, an effective network traffic classification method --- CMM method. CMM method contains three steps, including dividing the training set into clusters, forming sub-classifiers, and classifier integration in accordance with the principle of minimization and maximization. In this paper, we firstly demonstrate the effectiveness of this method in reducing the false positive rate. Secondly, we conduct experiments in large-scale national backbone network, such as the SSL protocol classification and experimental results verify the effectiveness of this method in large-scale the actual network traffic classification.

Tao Qin,Lei Wang,Zhaoli Liu,Xiaohong Guan

DOI: https://doi.org/10.1016/j.knosys.2015.03.002

IF: 8.139

2015-01-01

Knowledge-Based Systems

Abstract:Application identification plays an essential role in network management such as intrusion detection and security monitoring. But the continuous growth of bandwidth and massive amount of packets pose serious challenges for efficacious and accurate application identification. In this paper, we develop a new method to reduce the number of packets being processed while achieving the goal of accurate P2P and VoIP application identification. Firstly, we employ the Bi-flow model to aggregate traffic packets into Bi-flow, which can capture the exchange behavior characteristics between different terminals. Then we employ the signature of Packet Size Distribution (PSD) to capture flow dynamics, which is defined as the payload length distribution probability of the packets in one Bi-flow. Secondly, we collect PSD of several different P2P and VoIP applications and the analysis results show that PSD of different applications are different with each other, which can be used as features to perform traffic identification. We also find the PSD characteristics of one Bi-flow can be captured by its first few packets, which demonstrate our methods can identify the Bi-flow quickly after its establishment. We employ the Renyi cross entropy to perform identification by calculating the similarity between PSD of the Bi-flow being identified and that of specific application. If the similarity is higher than a selected threshold, the Bi-flow being identified is classified to the specific application. Finally, as the PSD is a type of probability feature which is not sensitive to packet lose, we integrate the Poisson sampling method into our framework to process the massive data in backbone networks. Experimental results using the artificial and actual traces collected from monitoring platform in the Northwest Center of CERNET (China Education and Research Network) verify the accuracy and robustness of our method.

Lu Xing,Duan Haixin,Li Xing

DOI: https://doi.org/10.1109/ISCIT.2007.4392088

2007-01-01

Abstract:Identification of P2P traffic is very useful for many network management tasks such as application-specific traffic engineering, network planning and monitoring. However, this is a challenging issue because many P2P applications use dynamic port numbers, and deriving signatures that can he used for reliable detection manually is time consuming and difficult. In this paper, we propose a novel approach to detect P2P traffic without any application-specific signatures. It is based on the content redistribution characteristic of P2P protocol: every peer acts both as a server and a client, so it will redistribute the content received to other peers. To evaluate our approach, we use traces collected in our campus network and a signature-based classifier is also implemented. Experiment results show that the approach can be used to identify known and unknown P2P traffic with very low false positive rate, and achieves high accuracy when detecting P2P streaming traffic.

Hui Liu,Wenfeng Feng,Yongfeng Huang,Xing Li

DOI: https://doi.org/10.1109/nas.2007.6

2007-01-01

Abstract:The use of peer-to-peer (P2P) applications is growing dramatically, which results in several serious problems such as the network congestion and traffic hindrance. In this paper, a method is', proposed to identify the P2P traffic based on the machine learning. The novelty of the proposed method is that it utilizes only the size of packets exchanged between IPs within seconds. By investigating the ratio between the upload and download traffic volume of several P2P applications, a characteristic library is constructed. Then the unknown network traffic can be recognized online using this library. The distinguished features of the proposed method lie in that fast computation, high identification accuracy, and resource-saving capability. Finally, experiment results show the satisfactory performance of the proposed method.

Hongtao Guan,Jianping Wu,Youjian Zhao,Zhenhua Liu,Xiaoping Zhang

DOI: https://doi.org/10.1049/cp:20080866

2008-01-01

Abstract:Packet classification is critical for applications such as traffic measurement, intrusion detection, and differentiated services. In most of existing methods, software has to participate in the procedure of classification information modification, which will degrade the performance of the system. In this paper, methods without software assistingare studied and a novel high speed packet classification method is proposed, which is especially suitable for traffic measurement systems. For the consideration of performance, TCAM and SRAM are widely used. Real link database from CAIDA is used to test the method and the results show that the system has the ability to process packets correctly when link speed is as high as 10Gbps. The method has been implemented at the T-Tester platform, which is capable of the measurement for OC192 link.

Wenzhong Li,Han Zhang,Shaohua Gao,Chaojing Xue,Xiaoliang Wang,Sanglu Lu

DOI: https://doi.org/10.1109/JSAC.2019.2933761

IF: 16.4

2019-01-01

IEEE Journal on Selected Areas in Communications

Abstract:The Multipath TCP (MPTCP) protocol has been standardized by the IETF as an extension of conventional TCP, which enables multi-homed devices to establish multiple paths for simultaneous data transmission. Congestion control is a fundamental mechanism for the design and implementation of MPTCP. Due to the diverse QoS characteristics of heterogeneous links, existing multipath congestion control mechanisms suffer from a number of performance problems such as bufferbloat, suboptimal bandwidth usage, etc. In this paper, we propose a learning-based multipath congestion control approach called <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">SmartCC</italic> to deal with the diversities of multiple communication path in heterogeneous networks. SmartCC adopts an asynchronous reinforcement learning framework to learn a set of congestion rules, which allows the sender to observe the environment and take actions to adjust the subflows’ congestion windows adaptively to fit different network situations. To deal with the problem of infinite states in high-dimensional space, we propose a hierarchical tile coding algorithm for state aggregation and a function estimation approach for <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$Q$ </tex-math></inline-formula> -learning, which can derive the optimal policy efficiently. Due to the asynchronous design of SmartCC, the processes of model training and execution are decoupled, and the learning process will not introduce extra delay and overhead on the decision making process in MPTCP congestion control. We conduct extensive experiments for performance evaluation, which show that SmartCC improves the aggregate throughput significantly and outperforms the state-of-the-art mechanisms on a variety of performance metrics.

Jinquan Zeng,Weiwen Tang,Caiming Liu,Jianbin Hu,Lingxi Peng

DOI: https://doi.org/10.1007/978-3-642-34038-3_79

2012-01-01

Abstract:Botnet is an attack network composed of hundreds of millions of compromised computers. Botnet is emerging as the most serious threat against cyber-security and is used to launch Distributed Denial of Service (DDoS) attacks, malware dissemination, phishing, remote control, click fraud, and etc. Although botnet has posed serious security threat on Internet, the research of detecting and preventing botnet is still in its infancy. One effective technique for botnet detection is to identify botnet C&C traffic. In this paper, we present a case study of the IRC-based botnet C&C communication and then present a novel method to detect botnet C&C communications. We develop quantitative ways to assess the C&C communications between the bot and the C&C server; furthermore, we also illustrate the correlation methods within the same botnet's C&C communications to decrease the false positive rate.

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Ji-Ming Chen,Ting-Ting Li,John Panneerselvam

DOI: https://doi.org/10.1109/access.2018.2876153

IF: 3.9

2018-01-01

IEEE Access

Abstract:Message transmission in vehicular networks is increasing in popularity which exploits the network nodes to transmit messages using cooperative communication in a multi-hop fashion. But the increasing number of malicious nodes in the high-speed Internet of Vehicles demands additional methodologies to quickly detect the presence of such nodes to avoid serious security consequences. Early detection of malicious nodes, and accurate assessment of complex data to assess the node reliability are of absolute importance in vehicular networks. To this end, this paper proposes a security scheme that uses evidence combination method to combine local data with external evidence to evaluate the reliability of multi-dimensional data received from other peer nodes. In addition, this paper uses European Telecommunications Standards Institute standard and Decentralized Environmental Notification Message, and proposes a trust calculation method based on collaborative filtering by introducing a small-time interval to detect the changes in the node behaviors. While the former solution helps more accurate computation of the direct trust value, the latter scheme can calculate the indirect trust based on recommendations received from neighbors, ultimately to obtain the global trust value. Finally, more effective traffic data can be obtained to help traffic prediction. Experiments conducted under various network scenarios demonstrate that our proposed scheme outperforms the existing trust models, such as precision or recall and can resist bad-mouth attacks, selective-misbehavior attacks, and time-dependent attacks, especially under larger proportions of malicious nodes.

Paola Bermolen,Marco Mellia,Michela Meo,Dario Rossi,Silvio Valenti

DOI: https://doi.org/10.1016/j.comnet.2010.12.004

IF: 5.493

2011-04-01

Computer Networks

Abstract:Peer-to-Peer streaming (P2P-TV) applications offer the capability to watch real time video over the Internet at low cost. Some applications have started to become popular, raising the concern of Network Operators that fear the large amount of traffic they might generate. Unfortunately, most of P2P-TV applications are based on proprietary and unknown protocols, and this makes the detection of such traffic challenging per se. In this paper, we propose a novel methodology to accurately classify P2P-TV traffic and to identify the specific P2P-TV application which generated it. Our proposal relies only on the count of packets and bytes exchanged among peers during small time-windows: the rationale is that these two counts convey a wealth of useful information, concerning several aspects of the application and its inner workings, such as signaling activities and video chunk size.Our classification framework, which uses Support Vector Machines, accurately identifies P2P-TV traffic as well as traffic that is generated by other kinds of applications, so that the number of false classification events is negligible. By means of a large experimental campaign, which uses both testbed and real network traffic, we show that it is actually possible to reliably discriminate between different P2P-TV applications by simply counting packets.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture