Yu Wang,Shun-Zheng Yu

DOI: https://doi.org/10.1109/iita.2008.536

2008-01-01

Abstract:Network traffic classification plays an important role in various network activities. Due to the ineffectiveness of traditional port-based and payload-based methods, recent works proposed using machine learning methods to classify flows based on statistical characteristics. In this study, we evaluate the effectiveness of machine learning techniques on the real-time traffic classification problem. We identify the most suitable ML, classifier for network traffic classification by comparing various ML schemes, including both supervised and unsupervised methods. We also apply feature selection to identify significant features. Finally, we simulate real-time classification by using features derived from the first few packets of each flow. The results show that classifiers based on decision tree outperform others on both accuracy and performance; and that classifiers based on early flow properties can achieve high accuracy while reducing the computational complexity.

Chengjie Gu,Shunyi Zhang,Xudong Chen,Anyuan Du

2011-01-01

Journal of Computational Information Systems

Abstract:Since many Peer-to-Peer applications use dynamic port numbers, masquerading techniques and encryption, network traffic classification using traditional methods such as ports-based or payload-based analysis is becoming increasing difficult. An alternative approach is using machine learning methodology to classify network applications based on flow statistics. We propose realtime traffic classification based on semi-supervised learning in this paper. Experiment results illustrate 1) high classification accuracy can be achieved using dataset that consists of a small number of labeled and a large number of unlabeled flows. 2) It is extremely suitable to realize realtime traffic classification. 3) Our approach is robust and can handle both previously unseen applications and changed behaviour of existing applications. Copyright © 2011 Binary Information Press.

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Yu Wang,Shun-Zheng Yu

DOI: https://doi.org/10.1109/CSSE.2008.911

2008-01-01

Abstract:A number of recent works have proposed using data mining and machine learning techniques to classify traffic flows based on statistical flow characteristics. Most of these classifiers work offline, since full-flow statistics are not available until a flow is finished. Therefore, it is usually too late to take actions for online deployment. In this paper, we propose a simple and effective technique to make these classifiers workable online. The idea is that different applications will show distinct traffic patterns from the very beginning of the flow, and so using statistics extracted from the first few packets can distinguish applications. Preliminary result shows that our method can achieve high flow accuracy, just a bit lower than using full-flow statistics. Using fewer packets per flow is promising, since it not only enables early classification and can easily apply to most of the existing classifiers, but also saves memory and computing power.

Shijun Huang,Kai Chen,Chao Liu,Alei Liang,Haibing Guan

DOI: https://doi.org/10.1109/icumt.2009.5345539

2009-01-01

Abstract:This Internet traffic classification using Machine Learning is an emerging research field since 1990's, and now it is widely used in numerous network activities. The classification technique focuses on modeling attributes and features of data flows to accomplish the identification of applications. In the paper we design and implement the classification model based on header-derived flow statistical features. Compared with the traditional methods, the model designed here, which is totally insensitive to port numbers and contents of payload on application level, overcomes difficulty in operation caused by unreliable port numbers and complexity of payload interpretation. Rather than relatively complex ML algorithms or even in mixture, supervised k-Nearest Neighbor estimator is adopted for the sake of computational efficiency, along with the effective and easy-to-calculate statistical features selected according to the operational background. Our results indicate that about 90% accuracy on per-flow classification can be achieved, which is a vast improvement over traditional techniques that achieve 50-70%.

LIU Qiong,LIU Zhen,HUANG Min

DOI: https://doi.org/10.3969/j.issn.1002-137x.2010.12.008

2010-01-01

Computer Science

Abstract:To identify the traffic based on the application in a large network, the major part is traffic classification and it is useful to provide quality of service, lawful interception and intrusion detection. A number of limitations have been exhibited by older methods such as port-based and payload based classification. Hence Machine learning techniques are used by the research community to analyse the flow statistics for detecting network applications. The statistical based approach is used here for traffic identification and classification process. The statistical features are flow size, flow duration, TCP port, packet inter-arrival times statistics, total number of packets, mean packet length, protocol, number of bytes transferred. There are two types of machine learning algorithms such as supervised and unsupervised algorithms. These two machine learning algorithms are analysed with datasets respectively based on the set of algorithms. By evaluating the results of supervised and unsupervised algorithms respectively, best algorithm from each technique is combined together to yield

Meng Qin,Kai Lei,Bo Bai,Gong Zhang

DOI: https://doi.org/10.1145/3341216.3342213

2019-01-01

Abstract:In this paper, we study the network traffic classification task. Different from existing supervised methods that rely heavily on the labeled statistic features in a long period (e.g., several hours or days), we adopt a novel view of unsupervised profiling to explore the flow features and link patterns in a short time window (e.g., several seconds), dealing with the zero-day traffic problem. Concretely, we formulate the traffic identification task as a graph co-clustering problem with topology and edge attributes, and proposed a novel Hybrid Flow Clustering (HFC) model. The model can potentially achieve high classification performance, since it comprehensively leverages the available information of both features and linkage. Moreover, the two information sources integrated in HFC can also be utilized to generate the profiling for each flow category, helping to reveal the deep knowledge and semantics of network traffic. The effectiveness of the model is verified in the extensive experiments on several real datasets of various scenarios, where HFC achieves impressive results and presents powerful application ability.

WANG Tao,YU Shun-zheng

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.05.021

2012-01-01

Abstract:ML(machine learning) employs statistical network flow characteristics to assist in the IP traffic classification identification and classification,which is different with traditional methods that depend on well known application port numbers or deeply inspecting the contents of packet payloads.ML-based network traffic classification has been researched widely and developed rapidly.This survey reviews the significant works that cover the dominant period since 2004,and categorize,analyze and compare them according to their choice of ML strategies which include supervised,unsupervised and semi-supervised learning algorithms.We importantly discuss the orientations and challenges for the employment of ML-based traffic classifiers in operational IP networks.More specifically,the key issues such as sample labeling bottleneck,skewed data distribution,real-time and continuous classification and scalability of classification algorithms are discussed.

Jun Zhang,Chao Chen,Yang Xiang,Wanlei Zhou,Athanasios V. Vasilakos

DOI: https://doi.org/10.1109/TNSM.2013.022713.120250

2013-01-01

IEEE Transactions on Network and Service Management

Abstract:Traffic classification technique is an essential tool for network and system security in the complex environments such as cloud computing based environment. The state-of-the-art traffic classification methods aim to take the advantages of flow statistical features and machine learning techniques, however the classification performance is severely affected by limited supervised information and unknown applications. To achieve effective network traffic classification, we propose a new method to tackle the problem of unknown applications in the crucial situation of a small supervised training set. The proposed method possesses the superior capability of detecting unknown flows generated by unknown applications and utilizing the correlation information among real-world network traffic to boost the classification performance. A theoretical analysis is provided to confirm performance benefit of the proposed method. Moreover, the comprehensive performance evaluation conducted on two real-world network traffic datasets shows that the proposed scheme outperforms the existing methods in the critical network environment.

Changyu Wang,Xiaohong Guan,Tao Qin

DOI: https://doi.org/10.23919/INM.2017.7987336

2017-01-01

Abstract:Recently, network traffic classification has attracted a great deal of attention among researchers. In this paper, we proposed a traffic classification approach based on characteristics of subflows and ensemble learning. Aiming at neutralization of unstable network environment as well as taking advantage of ensemble learning, we divided the traffic flows into different subflows in order to reduce the affection of time. Moreover, we develop truncation method on flows for real-time processing and an aggregation machine learning method based on accuracy of each classifier to different applications. Finally, the experimental results based on actual traffic traces collected from the campus network of Xian Jiaotong University verify the effectiveness of our methods.

Jian Zhang,ZongJue Qian,Guochu Shou,Yihong Hu

DOI: https://doi.org/10.1109/ICEMI.2009.5274334

2009-01-01

Abstract:Recently traffic classifications based on statistics methods and machine learning techniques have attracted a great deal of interest. Some challenging issues for these methods are that most of them need prior analysis to detect traffic applications and training data sets to generate classification model offline; some require a high amount computation and memory resource. These are infeasible to cope with the fast growing number of new applications and online traffic classifications. We propose an online automatic traffic classification architecture using unsupervised machine learning technique, in which flows are automatically clustered based on sub-flow statistical features instead of full flows. We select best-first features algorithm to find an optimal feature-sets which is suited for access network, then map the traffic flows to applications based on maximized probabilities applications in the clusters. The experiment results demonstrate the efficiency and capability of the proposed automated classification architecture.

Yu Wang,Yang Xiang,Shunzheng Yu

DOI: https://doi.org/10.1109/cse.2011.58

2011-01-01

Abstract:Due to the increasing unreliability of traditional port-based methods, Internet traffic classification has attracted a lot of research efforts in recent years. Quite a lot of previous papers have focused on using statistical characteristics as discriminators and applying machine learning techniques to classify the traffic flows. In this paper, we propose a novel machine learning based approach where the features are extracted from packet payload instead of flow statistics. Specifically, every flow is represented by a feature vector, in which each item indicates the occurrence of a particular token, i.e., a common substring, in the payload. We have applied various machine learning algorithms to evaluate the idea and used different feature selection schemes to identify the critical tokens. Experimental result based on a real-world traffic data set shows that the approach can achieve high accuracy with low overhead.

Jun Zhang,Chao Chen,Yang Xiang,Wanlei Zhou

DOI: https://doi.org/10.1109/icdcsw.2012.12

2012-01-01

International Journal of Security and Networks

Abstract:This paper presents a new semi-supervised method to effectively improve traffic classification performance when few supervised training data are available. Existing semi supervised methods label a large proportion of testing flows as unknown flows due to limited supervised information, which severely affects the classification performance. To address this problem, we propose to incorporate flow correlation into both training and testing stages. At the training stage, we make use of flow correlation to extend the supervised data set by automatically labeling unlabeled flows according to their correlation to the pre-labeled flows. Consequently, the traffic classifier has better performance due to the extended size and quality of the supervised data sets. At the testing stage, the correlated flows are identified and classified jointly by combining their individual predictions, so as to further boost the classification accuracy. The empirical study on the real-world network traffic shows that the proposed method outperforms the state-of-the-art flow statistical feature based classification methods.

Changsheng Miao,Lu Meng,Changqing Yuan,Xingwei Wang,Guiran Chang

DOI: https://doi.org/10.1504/ijwmc.2013.057575

2013-01-01

International Journal of Wireless and Mobile Computing

Abstract:Traffic classification has wide applications in network measurements, network security and quality of service. Recent research tends to apply machine learning methods based on flow statistical features to improve traffic classification performance. In this paper, we propose a novel non-parametric approach for traffic classification, which can improve the classification performance effectively by incorporating correlated information into the classification process. Meanwhile, our system employs a lightweight modular architecture, which combines a series of simple linear binary classifiers, each of which can be efficiently implemented and trained on vast amounts of flow data in parallel, to achieve scalability while attaining high accuracy. A large number of experiments are carried out on real traffic data to validate the proposed approach. The results show that the traffic classification performance can be improved significantly while meeting the scalability and stability requirements of large networks.

Shuyuan Zhao,Yongzheng Zhang,Peng Chang

DOI: https://doi.org/10.1109/trustcom/bigdatase/icess.2017.254

2017-01-01

Abstract:Network traffic classification technique is currently a key part of network security systems. In recent years, some network traffic classification algorithms using machine learning based on packet and flow level features have been proposed, yet the results are frequently disappointing. On the one hand, obtaining a large, representative, training data set that is fully labeled to train a classifier is difficult, time-consuming, and expensive. On the other hand, the classification performance is affected by the new protocols and applications which can produce unknown traffic that existing classification systems cannot identify. To achieve effective and inexpensive classification, we propose a framework based on unsupervised methods and the tri-training method. By two independent clusterings, the proposed method can precisely detect unknown applications and extend labeled flows from a few labeled and many unlabeled flows. Meanwhile, tri-training method can effectively exploit unlabeled flows to enhance the proposed method performance. We implement our approach and evaluate it on two real-world Internet traffic traces. The experimental results demonstrate that the proposed method has more excellent performance in terms of Precision and Recall in comparison with the state-of-the-art approaches and can better handle different data sets.

Jian Zhang,Zongjue Qian,Guochu Shou,Yihong Hu

DOI: https://doi.org/10.1109/iih-msp.2009.188

2009-01-01

Abstract:Traffic classifications based on Statistics methods and Machine Learning techniques have attracted a great deal of interest. One challenging issue is that most of supervised algorithms need traffic application information and training data sets to generate classification model offline, which is infeasible to cope with the fast growing number of new applications and online traffic classifications. Cluster algorithms are promising methods. How to identify the feature subset suitable for cluster algorithm is a critical question in our proposed online traffic classification architecture. Two feature selection algorithms Wrapper Search Approach and Correlation-Based Filter Approach are evaluated to find an optimal feature subset. The experiment results demonstrate that Wrapper Search Approach outperforms Correlation-Based Filter Approach in the automated classification architecture.

Xiang Li,Feng Qi,Dan Xu,Xuesong Qiu

DOI: https://doi.org/10.1109/icc.2011.5962736

2011-01-01

Abstract:Identifying and classifying different network applications is very important for trend analysis, dynamic access control, network security and traffic engineering, while traffic classification is able to classify applications effectively. Current popular methods of traffic classification mainly include machine learning algorithm based on supervised or unsupervised and the method based load. In practical applications, the above methods have high complexity or low accuracy degree, so we propose a semi-supervised support vector machine method only based on flow statistics to identify and classify network applications. In this method, SVM, "constant" flow and co-training algorithm are the key core to obtain a classifier rapidly. The classifier got by this method has three advantages contrast to the previous classical methods: 1) high classification degree; 2) high generalization performance; 3) rapid computational performance. As a proof of concept, we implement the classification algorithm based on open-resource, and show the characteristics and feasibility of our method in the campus and resident network.

Hongli Zhang,Gang Lu,Mahmoud T. Qassrawi,Yu Zhang,Xiangzhan Yu

DOI: https://doi.org/10.1016/j.comcom.2012.04.012

IF: 5.047

2012-01-01

Computer Communications

Abstract:Machine learning (ML) algorithms have been widely applied in recent traffic classification. However, due to the imbalance in the number of traffic flows, ML based classifiers are prone to misclassify flows as the traffic type that occupies the majority of flows on the Internet. To address the problem, a novel feature selection metric named Weighted Symmetrical Uncertainty (WSU) is proposed. We design a hybrid feature selection algorithm named WSU_AUC, which prefilters most of features with WSU metric and further uses a wrapper method to select features for a specific classifier with Area Under roc Curve (AUC) metric. Additionally, to overcome the impacts of dynamic traffic flows on feature selection, we propose an algorithm named SRSF that Selects the Robust and Stable Features from the results achieved by WSU_AUC. We evaluate our approaches using three classifiers on the traces captured from entirely different networks. Experimental results obtained by our algorithms are promising in terms of true positive rate (TPR) and false positive rate (FPR). Moreover, our algorithms can achieve 94% flow accuracy and 80% byte accuracy on average.

Jing Ran,Xiaochen Kong,Gan Lin,Dongming Yuan,Hefei Hu

DOI: https://doi.org/10.1109/compcomm.2017.8322736

2017-01-01

Abstract:Traffic classification technique is an essential tool for network management and system security in terms of high accuracy and fast classification speed. However, in the complex environments such as cloud computing environment, the traditional traffic classifiers will fail facing the unknown protocols that are never seen during training. The state-of-the-art traffic classification methods aim to utilize the semi-supervised learning algorithm to solve the problem. In this paper, we develop a self-adaptive traffic classification system based on semi-supervised learning, which adopts the method, dynamically adding the centers and iterative semi-supervised k-means to choose optimal system parameter and achieve high accuracy. Experiment results derived from real-world traffic are presented to show the effectiveness of the system.

Bin Hu,Yi Shen

2012-01-01

Journal of Information and Computational Science

Abstract:The classification of network applications is essential to numerous network activities, including quality of service, accounting, and intrusion detection. Originally, port-match was regarded as the most popular and effective method. After that, with the booming of new Internet businesses, researchers shifted to the use of payload analysis. However, the payload analysis is unable to process encrypted traffic, which motivated scientists to develop more general and effective solutions. To do so, traffic classification has been of great concern to academia and industry and gradually formed a relatively independent area of research. Due to the ability of handling large number of flow samples and multidimensional feature spaces efficiently, Machine Learning based classification has stood out among multitude research findings. This paper aims to provide an overview of recent advances in such study area. We focus on how to divide machine learning based classification into two categories: supervised and clustering. We also present the algorithms of creating specific feature sets and classification models such as Genetic Algorithm and Bayesian algorithm. Finally, we compare the efficiency of these algorithms and discuss the future direction of machine learning based classification. © 2012 Binary Information Press.