Zhihan Li,Rui Yuan,Xiaohong Guan

DOI: https://doi.org/10.1109/icc.2007.231

2007-01-01

Abstract:The need to quickly and accurately classify Internet traffic for security and QoS control has been increasing significantly with the growing Internet traffic and applications over the past decade. Pattern recognition by learning the features in the training samples to classify the unknown flows is one of the main methods. However, many methods developed in the previous works are too complicated to be applied in real-time, and the prior probabilities based on the training samples are severely biased. This paper uses the SVM (support vector machine) method to train 7 classes of applications of different characteristics, captured from a campus network backbone. A discriminator selection algorithm is developed to obtain the best combination of the features for classification. Our optimized method yields approximately 96.9% accuracy for un-biased training and testing samples. For regular biased samples, the accuracy is about 99.4%. Furthermore, all the feature parameters are computable in real time from captured packet headers, suggesting real time network traffic classification with high accuracy is achievable.

Ruixi Yuan,Zhu Li,Xiaohong Guan,Li Xu

DOI: https://doi.org/10.1007/s10796-008-9131-2

2008-01-01

Information Systems Frontiers

Abstract:Accurate and timely traffic classification is critical in network security monitoring and traffic engineering. Traditional methods based on port numbers and protocols have proven to be ineffective in terms of dynamic port allocation and packet encapsulation. The signature matching methods, on the other hand, require a known signature set and processing of packet payload, can only handle the signatures of a limited number of IP packets in real-time. A machine learning method based on SVM (supporting vector machine) is proposed in this paper for accurate Internet traffic classification. The method classifies the Internet traffic into broad application categories according to the network flow parameters obtained from the packet headers. An optimized feature set is obtained via multiple classifier selection methods. Experimental results using traffic from campus backbone show that an accuracy of 99.42% is achieved with the regular biased training and testing samples. An accuracy of 97.17% is achieved when un-biased training and testing samples are used with the same feature set. Furthermore, as all the feature parameters are computable from the packet headers, the proposed method is also applicable to encrypted network traffic.

Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Jiang-tao Ren,Xiao-ling Ou,Yi Zhang,Dong-Cheng Hu

DOI: https://doi.org/10.1109/ITSC.2002.1041268

2002-01-01

Abstract:Real-time network-level signal control, traffic assignment and route guidance are promising approaches for alleviating congestion. Different optimal sets of control parameters and strategies for area-wide signal control, traffic assignment and route guidance can be determined according to different traffic patterns using many methods. Because of the importance of pattern recognition of network-level traffic patterns in traffic control and other applications, we present some elementary research on the topic based on the theories and methods of pattern recognition. First, we formulate the general process of network-level traffic pattern recognition, then some useful methods, such as PCA and SVM, are used for feature extraction, training and classifying of network-level traffic patterns. The experimental results show that the effectiveness of the proposed methods.

Zhou Wengang,Chen Leiting,Dong Shi

DOI: https://doi.org/10.3724/sp.j.1187.2013.01114

2013-01-01

JOURNAL OF ELECTRONIC MEASUREMENT AND INSTRUMENT

Abstract:A number of network activities can benefit from accurate traffic classification and identification. However, the current classification methods, either port-based or payload-based, are becoming ineffective as many P2P applications use dynamic port numbers, masquerading techniques, and encryption to avoid detection. This paper discusses and explores a new method that is based on supervised machine learning mechanisms, which eliminate the inherent limitations of port-based or payload-based methods. A series of experiments show that, combined with a fast correlation-based feature selection filter, better performance and more accurate identification results can be obtained using the neural network method. Due to all the favorable features and satisfactory performance, the proposed methods are promising for internet traffic classification.

Jing Yuan,Zhu Li,Ruixi Yuan

DOI: https://doi.org/10.1109/icc.2008.307

2008-01-01

Abstract:In this paper, we develop an unsupervised machine learning method for network traffic classification. First, the traffic flows from active hosts are separated into different clusters by sequentially applying the information entropy techniques. The clusters are then classified into broad-based application types by examining the parameters of the clusters, as well as the dynamic properties of the clusters during the clustering process. Experiment results from a campus backbone environment are presented, where the network traffic flows from the top 20 active hosts are identified. The results showed that the identification accuracy is approximately 93.81%. This compares to prior works using unsupervised machine learning methods, where the classification accuracy is generally lower, with the highest being 86.5%. We also show that our method can be combined with supervised learning method to further improve the classification accuracy and perform automatic training on the classification engine.

Jun Li,Shunyi Zhang,Cuilian Li,Junrong Yan

DOI: https://doi.org/10.1002/nem.735

2010-01-01

International Journal of Network Management

Abstract:Accurate and real-time classifi cation of network traffic is significant to a number of network operation and management tasks such as quality of service differentiation, traffic shaping and security surveillance. However, with emerging P2P applications using dynamic port numbers, IP masquerading techniques and payload encryption, accurate and intelligent traffic classification continues to be a big challenge despite a wide range of research work on the topic. Since each classification method has its disadvantages and hardly could meet the specific requirement of Internet traffic classification, this paper innovatively presents a composite traffic classification system. The proposed lightweight system can accurately and effectively identify Internet traffic with good scalability to accommodate both known and unknown/encrypted applications. Furthermore, It promises to satisfy various Internet uses and is feasible for use in real-time line speed applications. Our experimental results show the distinct advantages of the proposed classification system.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

Tao Qin,Lei Wang,Zhaoli Liu,Xiaohong Guan

DOI: https://doi.org/10.1016/j.knosys.2015.03.002

IF: 8.139

2015-01-01

Knowledge-Based Systems

Abstract:Application identification plays an essential role in network management such as intrusion detection and security monitoring. But the continuous growth of bandwidth and massive amount of packets pose serious challenges for efficacious and accurate application identification. In this paper, we develop a new method to reduce the number of packets being processed while achieving the goal of accurate P2P and VoIP application identification. Firstly, we employ the Bi-flow model to aggregate traffic packets into Bi-flow, which can capture the exchange behavior characteristics between different terminals. Then we employ the signature of Packet Size Distribution (PSD) to capture flow dynamics, which is defined as the payload length distribution probability of the packets in one Bi-flow. Secondly, we collect PSD of several different P2P and VoIP applications and the analysis results show that PSD of different applications are different with each other, which can be used as features to perform traffic identification. We also find the PSD characteristics of one Bi-flow can be captured by its first few packets, which demonstrate our methods can identify the Bi-flow quickly after its establishment. We employ the Renyi cross entropy to perform identification by calculating the similarity between PSD of the Bi-flow being identified and that of specific application. If the similarity is higher than a selected threshold, the Bi-flow being identified is classified to the specific application. Finally, as the PSD is a type of probability feature which is not sensitive to packet lose, we integrate the Poisson sampling method into our framework to process the massive data in backbone networks. Experimental results using the artificial and actual traces collected from monitoring platform in the Northwest Center of CERNET (China Education and Research Network) verify the accuracy and robustness of our method.

Yiyang Shao,Luoshi Zhang,Xiaoxian Chen,Yibo Xue

DOI: https://doi.org/10.1109/cns.2014.6997530

2014-01-01

Abstract:Many important network security areas, such as Intrusion Detection System and Next-Generation Firewall, leverage Traffic Classification techniques to reveal application-level protocols. Machine Learning algorithms give us the ability to identify encrypted or complicated traffic. However, classification accuracies of Machine Learning algorithms are always facing challenges and doubts in practical usage. In this paper, we propose a time-varying Logistic Regression model embedded with traffic pattern. The comparison between original Logistic Regression model and time-varying one shows an effective improvement in accuracy. We hope to exploit a new way to implement Machine Learning algorithms in network traffic analysis areas by considering the characteristics of traffic changes in time domain.

Meng Qin,Kai Lei,Bo Bai,Gong Zhang

DOI: https://doi.org/10.1145/3341216.3342213

2019-01-01

Abstract:In this paper, we study the network traffic classification task. Different from existing supervised methods that rely heavily on the labeled statistic features in a long period (e.g., several hours or days), we adopt a novel view of unsupervised profiling to explore the flow features and link patterns in a short time window (e.g., several seconds), dealing with the zero-day traffic problem. Concretely, we formulate the traffic identification task as a graph co-clustering problem with topology and edge attributes, and proposed a novel Hybrid Flow Clustering (HFC) model. The model can potentially achieve high classification performance, since it comprehensively leverages the available information of both features and linkage. Moreover, the two information sources integrated in HFC can also be utilized to generate the profiling for each flow category, helping to reveal the deep knowledge and semantics of network traffic. The effectiveness of the model is verified in the extensive experiments on several real datasets of various scenarios, where HFC achieves impressive results and presents powerful application ability.

Heyi Tang,Yong Cui,Jianping Wu,Xiaowei Yang,Zhenjie Yang

DOI: https://doi.org/10.1145/3326285.3329050

2019-01-01

Abstract:Network traffic classification is important to network operators to ensure visibility of traffic. Network management, monitoring, and other services are built upon such classification results for improving quality of service. Compared with traffic classification in non-mobile setting, classification in mobile settings focuses on applications and has become increasingly important. Traditionally, a rule-based method is deployed in a deep packet inspector (DPI) engine for traffic classification. However, with the explosive growth in application usage, the complicated relationships including the use of content delivery networks (CDN) and sharing behaviors among applications make such methods less effective. The traffic may be identified wrongly when one application is connected to another application's server. In this work, we present TRAC: T rigger R elationship A ware traffic C lassification, a systematic framework for classifying mobile traffic accurately. In TRAC, we first propose Trigger Relationship Graph model to describe the relationships among applications. Then, we introduce a Trigger Relationship Analyzer to build the graph based on a modified frequent item set mining method. TRAC classifies the traffic based on the application labels identified by a DPI engine. An Application Label Corrector is designed to correct the application labels based on the graph. We evaluate TRAC with one-month data collected from an enterprise network. The evaluation shows that our method can achieve a 17.4% accuracy improvement, from 64.8% to 82.2%.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1109/glocom.2008.ecp.475

2008-01-01

Abstract:Accurate and fast identification of network traffic is an important element of many network management tasks such as QoS provisioning and security monitoring. However, as many newly-emerged Peer-to-Peer (P2P) applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, the classical approaches based on port mapping and payload analysis are ineffective. An alternative approach is to classify traffic by distinguishing the behavior of an application within the first few packets of TCP connection. We pursue this approach and demonstrate that information of few packets is enough to effectively identify P2P traffic. In our work, C4.5 decision tree and REPTree are evaluated and compared with the previously used clustering method K-Means. Experimental results show that our approaches outperform K- Means algorithm in accuracy. In addition, the proposed approaches can accommodate known and unknown P2P traffic and even encrypted traffic in fast and accurate way, which ensures the real-time applications on the Internet traffic surveillance and QoS provisioning.

Wengang Zhou,Leiting Dong,Bic, L.,Mingtian Zhou

DOI: https://doi.org/10.1109/iccps.2011.6092257

2011-01-01

Abstract:Many network activities can benefit from accurate traffic classification and categorization, such as QOS control, network security monitoring, and traffic accounting. In this paper, a new approach based on feed-forward neural network is proposed for accurate traffic classification, which eliminates the disadvantages of port-based or payload-based classification methods. Extensive experimentation and comparison have been carried out to explore this new approach; it has been found out that, combined with a fast correlation-based feature selection filter, better performance and more accurate classification results can be obtained using neural network method compared to other techniques. For its good performance and elimination of accessing the contents of the packets, the proposed technique is expected to have a promising application prospect in internet traffic classification.

Xi Xiao,Rui Li,Hai-Tao Zheng,Runguo Ye,Arun KumarSangaiah,Shutao Xia

DOI: https://doi.org/10.1016/j.ins.2018.10.039

IF: 8.1

2018-01-01

Information Sciences

Abstract:Traffic classification has been widely used in networking and security issues. Previous works have involved many different techniques for mapping traffic to the application. However, little attention has been paid to traffic classification for dynamic network stream. In this paper, we propose a Dynamic Multiple Traffic Classification System (DMTCS). We first introduce the time-based distribution of the traffic protocol information to the traffic classification problem, as the traffic data is a data stream with time continuity. The packets are treated as documents and protocols are seen as topics. Thus, we can apply topic models to cluster packets. In our system, after initialization, packets arrived at a time point are classified as of some protocols. Then, these packets are assembled to clusters according to the protocol distribution at the last time point. Finally, we use these clusters to classify packets arrived at the next time point. Our method has several advantages: 1) does not require the prior knowledge of target applications: 2) tolerant with both TCP and UDP protocols; 3) support multiple classification; 4) preserve high accuracy for the traffic stream with dynamic and imbalanced traffic distribution. Evaluations on DMTCS are carried on two different datasets, and the experimental results demonstrate that DMTCS has an impressive performance in classification on the real-world network stream and the dynamic simulation stream. Whats more, DMTCS outperforms other state-of-the-art models in our experiment. (C) 2018 Published by Elsevier Inc.

Dawei Wang,Luoshi Zhang,Zhenlon Yuan,Yibo Xue,Yinfei Dong

DOI: https://doi.org/10.1109/iccnc.2014.6785298

2014-01-01

Abstract:Network traffic classification is critical to both network management and system security. However, existing traffic classification techniques become less effective as more P2P applications use proprietary protocols for delivery and encryption. Especially, current techniques usually focus on individual flows and do not consider all flows associated with an application together. To address this issue, this paper proposes a novel Application Behavior Characterization (ABC) technique. We design a novel application behavior feature extracting method and an effective classification algorithm, which explore the correlation of multiple flows of a specific application. We evaluate the proposed method with real network traffic. The experimental results show that it can correctly identify flows belonging to a set of known P2P applications (such as Skype, Thunder, and PPTV) with a probability over 90%. Moreover, it can further identify the particular application that a flow belongs to with a precision of 90% on average. More information about implementing and deploying ABC can be found in a technical report [10].

Guorui Xie,Qing Li,Yong Jiang,Tao Dai,Gengbiao Shen,Rui Li,Richard Sinnott,Shutao Xia

DOI: https://doi.org/10.1145/3405671.3405811

2020-01-01

Abstract:Network traffic classification categorizes traffic classes based on protocols (e.g., HTTP or DNS) or applications (e.g., Facebook or Gmail). Its accuracy is a key foundation of some network management tasks like Quality-of-Service (QoS) control, anomaly detection, etc. To further improve the accuracy of traffic classification, recent researches have introduced deep learning based methods. However, most of them utilize the privacy-concerned payload (user data). Besides, they generally do not consider the dependency of bytes in a packet, which we believe can be exploited for the more accurate classification. In this work, we treat the initial bytes of a network packet as a language and propose a novel Self-Attention based Method (SAM) for traffic classification. The average F1-scores of SAM on protocol and application classification are 98.62% and 98.93%. With the higher accuracy of SAM, better QoS and anomaly detection can be met.

Donghong Qin,Jiahai Yang,Jiamian Wang,Bin Zhang

DOI: https://doi.org/10.1109/icct.2011.6158005

2011-01-01

Abstract:With the rapid development of Internet, many network applications (e.g., P2P) use dynamic ports and encryption technology, which makes the traditional port and payload-based classification methods ineffective. Hence, it is important and necessary to find the more effective ones. Currently the machine learning (ML) techniques provide a promising alternative one for IP traffic classification. In this work, we use the ML-based classification method to identify the classes of the unknown flows using the payload-independent statistical features such as packet-length and arrival-interval. In order to improve the efficiency of the classification methods, the feature reduction techniques are further adopted to refine the selected features for attaining a best group of features. Finally we compare and evaluate the ML classification algorithms based on the BRASIL data source in terms of the three metrics such as overall accuracy, average precision and average recall. Our experiments show that the decision-tree algorithm is the best ML one for IP traffic classification and is able to construct the real-time classification system.

Shahbaz Rezaei,Xin Liu

DOI: https://doi.org/10.1109/ICCCN49398.2020.9209652

2020-05-09

Abstract:Traffic classification has various applications in today's Internet, from resource allocation, billing and QoS purposes in ISPs to firewall and malware detection in clients. Classical machine learning algorithms and deep learning models have been widely used to solve the traffic classification task. However, training such models requires a large amount of labeled data. Labeling data is often the most difficult and time-consuming process in building a classifier. To solve this challenge, we reformulate the traffic classification into a multi-task learning framework where bandwidth requirement and duration of a flow are predicted along with the traffic class. The motivation of this approach is twofold: First, bandwidth requirement and duration are useful in many applications, including routing, resource allocation, and QoS provisioning. Second, these two values can be obtained from each flow easily without the need for human labeling or capturing flows in a controlled and isolated environment. We show that with a large amount of easily obtainable data samples for bandwidth and duration prediction tasks, and only a few data samples for the traffic classification task, one can achieve high accuracy. We conduct two experiment with ISCX and QUIC public datasets and show the efficacy of our approach.

Machine Learning

Zhang Luoshi,Xue Yibo,Bao Yuanyuan

DOI: https://doi.org/10.14257/ijgdc.2015.8.3.29

2015-01-01

International Journal of Grid and Distributed Computing

Abstract:With development of scale, diversity and complexity of network traffic, the drawbacks of traditional machine learning methods on traffic classification is gradually exposed, especially the false positive problem in large-scale real network traffic classification is particularly serious. In this paper, aiming at reducing the false positive rate of network traffic classification, an effective network traffic classification method --- CMM method. CMM method contains three steps, including dividing the training set into clusters, forming sub-classifiers, and classifier integration in accordance with the principle of minimization and maximization. In this paper, we firstly demonstrate the effectiveness of this method in reducing the false positive rate. Secondly, we conduct experiments in large-scale national backbone network, such as the SSL protocol classification and experimental results verify the effectiveness of this method in large-scale the actual network traffic classification.