LI Pinghong,WANG Yong,TAO Xiaoling

DOI: https://doi.org/10.3724/sp.j.1087.2013.01515

2013-01-01

Journal of Computer Applications

Abstract:In order to solve low accuracy,large time consumption and limited application range in traditional network traffic classification,a semi-supervised network traffic classification method of Support Vector Machine(SVM) was proposed.During the training of SVM,it determined the support vectors from the initial and new sample set by using incremental learning technology,avoided unnecessary repetition training,and improved the situation of original classifiers' low accuracy and time-consuming as a result of new samples that appeared.This paper also proposed an improved Tri-training method to train multiple classifiers,and a large number of unlabeled samples and a small amount of labeled samples were used to modify the classifiers,which reduced auxiliary classifier's noise data and overcame the strict limitation of sample types and traditional Co-verification for classification methods.The experimental results show that the proposed algorithm has excellent accuracy and speed in traffic classification.

Xiang Li,Feng Qi,Dan Xu,Xuesong Qiu

DOI: https://doi.org/10.1109/icc.2011.5962736

2011-01-01

Abstract:Identifying and classifying different network applications is very important for trend analysis, dynamic access control, network security and traffic engineering, while traffic classification is able to classify applications effectively. Current popular methods of traffic classification mainly include machine learning algorithm based on supervised or unsupervised and the method based load. In practical applications, the above methods have high complexity or low accuracy degree, so we propose a semi-supervised support vector machine method only based on flow statistics to identify and classify network applications. In this method, SVM, "constant" flow and co-training algorithm are the key core to obtain a classifier rapidly. The classifier got by this method has three advantages contrast to the previous classical methods: 1) high classification degree; 2) high generalization performance; 3) rapid computational performance. As a proof of concept, we implement the classification algorithm based on open-resource, and show the characteristics and feasibility of our method in the campus and resident network.

Jun Zhang,Chao Chen,Yang Xiang,Wanlei Zhou

DOI: https://doi.org/10.1109/icdcsw.2012.12

2012-01-01

International Journal of Security and Networks

Abstract:This paper presents a new semi-supervised method to effectively improve traffic classification performance when few supervised training data are available. Existing semi supervised methods label a large proportion of testing flows as unknown flows due to limited supervised information, which severely affects the classification performance. To address this problem, we propose to incorporate flow correlation into both training and testing stages. At the training stage, we make use of flow correlation to extend the supervised data set by automatically labeling unlabeled flows according to their correlation to the pre-labeled flows. Consequently, the traffic classifier has better performance due to the extended size and quality of the supervised data sets. At the testing stage, the correlated flows are identified and classified jointly by combining their individual predictions, so as to further boost the classification accuracy. The empirical study on the real-world network traffic shows that the proposed method outperforms the state-of-the-art flow statistical feature based classification methods.

Xiang Li,Feng Qi,Yu, Li kun,Xue song Qiu

DOI: https://doi.org/10.1049/cp.2010.0751

2010-01-01

Abstract:Currently the popular methods of network traffic classification are the classification based on payload and supervised or unsupervised machine learning algorithm. But in the actual flows classification, traditional methods have faced more and more challenges due to increasing applications and difficult to obtain labeled flows. This paper proposes a traffic classification method based on co-training semi-supervised clustering. This method uses a few labeled flows and classifiers based on two different evaluation metrics to achieve high-performance classifiers. Finally we intercept data from the campus backbone and use open source tools to implement the experiment, which shows higher accuracy, precision and recall than other classic clustering methods (such as K-means, DBSCAN and two-layer semi-supervised clustering).

Ning Jing,Ming Yang,Shaoyin Cheng,Qunfeng Dong,Hui Xiong

DOI: https://doi.org/10.1109/PCCC.2011.6108074

2011-01-01

Abstract:Multi-class network traffic classification is a fundamental function for network services and management. Support vector machine (SVM) based network traffic classification has recently attracted increasing interest, for its high accuracy and low training sample size requirement. However, to better fit applications with delay requirements, it is desirable to reduce the high computation cost of existing SVM-based traffic classifiers. In this paper, we propose a novel scheme for SVM-based traffic classification (called fuzzy tournament). Experiment results based on real network traffic traces show that our proposed scheme can reduce computation cost by as much as 7.65 times; in the mean time, misclassification ratio is consistently reduced by up to 2.35 times as well.

Shuyuan Zhao,Yongzheng Zhang,Peng Chang

DOI: https://doi.org/10.1109/trustcom/bigdatase/icess.2017.254

2017-01-01

Abstract:Network traffic classification technique is currently a key part of network security systems. In recent years, some network traffic classification algorithms using machine learning based on packet and flow level features have been proposed, yet the results are frequently disappointing. On the one hand, obtaining a large, representative, training data set that is fully labeled to train a classifier is difficult, time-consuming, and expensive. On the other hand, the classification performance is affected by the new protocols and applications which can produce unknown traffic that existing classification systems cannot identify. To achieve effective and inexpensive classification, we propose a framework based on unsupervised methods and the tri-training method. By two independent clusterings, the proposed method can precisely detect unknown applications and extend labeled flows from a few labeled and many unlabeled flows. Meanwhile, tri-training method can effectively exploit unlabeled flows to enhance the proposed method performance. We implement our approach and evaluate it on two real-world Internet traffic traces. The experimental results demonstrate that the proposed method has more excellent performance in terms of Precision and Recall in comparison with the state-of-the-art approaches and can better handle different data sets.

Guan-zhou LIN,Yang XIN,Xin-xin NIU,Hui-bai JIANG

DOI: https://doi.org/10.1016/s1005-8885(09)60577-x

2010-01-01

Abstract:The diminished accuracy of port-based and payload-based classification motivates use of transport layer statistics for network traffic classification. A semi-supervised clustering approach based on improved K-Means clustering algorithm is proposed in this paper to partition a training network flows set that contains a huge number of unlabeled flows and scarce labeled flows. The variance of flow attributes is used to initialize clusters centers instead of the random selection of the cluster centers in initialization. Scarce labeled flows are selected to construct a mapping from the clusters to the predefined traffic classes set. The experimental results show that both the overall accuracy and square error (SSE) value of our algorithm present better than those based on normal K-Means algorithm defined in Ref. [5].

Dunming Li,Jenwen Mao,Fuke Shen

DOI: https://doi.org/10.1007/978-3-030-21548-4_39

2019-01-01

Abstract:With the development of the network, network attacks become more frequent and serious, so network security is becoming more and more important. Machine learning has been widely used for network traffic detection, but traditional supervised learning does not perform good in the case of a small amount of labeled data and a large amount of unlabeled data. And this situation exists in a large number in practical applications, so research on semi-supervised algorithms is necessary. The Tri-training algorithm is a semi-supervised learning algorithm with strong generalization ability, which can effectively improve the accuracy of detection. In this paper, we improve the traditional Tri-training algorithm and combine the ensemble learning algorithm to generate the final hypothesis by estimating the confidence of unlabeled data. Experiments show that the improvement of the Tri-training is effective, and a better detection rate is achieved. The proposed system performs well in network traffic detection. Even in the case where the training data set has only a small amount of tagged data, the system can achieve a good detection rate and a low false positive rate. On the NSL-KDD data set, the system performs best in terms of accuracy and algorithm time consumption. On the Kyoto data set, the system achieves a good balance between accuracy and time cost.

Jie Cao,Da Wang,Zhaoyang Qu,Hongyu Sun,Bin Li,Chin-Ling Chen

DOI: https://doi.org/10.3390/sym12020301

2020-02-20

Symmetry

Abstract:Network traffic classification based on machine learning is an important branch of pattern recognition in computer science. It is a key technology for dynamic intelligent network management and enhanced network controllability. However, the traffic classification methods still facing severe challenges: The optimal set of features is difficult to determine. The classification method is highly dependent on the effective characteristic combination. Meanwhile, it is also important to balance the experience risk and generalization ability of the classifier. In this paper, an improved network traffic classification model based on a support vector machine is proposed. First, a filter-wrapper hybrid feature selection method is proposed to solve the false deletion of combined features caused by a traditional feature selection method. Second, to balance the empirical risk and generalization ability of support vector machine (SVM) traffic classification model, an improved parameter optimization algorithm is proposed. The algorithm can dynamically adjust the quadratic search area, reduce the density of quadratic mesh generation, improve the search efficiency of the algorithm, and prevent the over-fitting while optimizing the parameters. The experiments show that the improved traffic classification model achieves higher classification accuracy, lower dimension and shorter elapsed time and performs significantly better than traditional SVM and the other three typical supervised ML algorithms.

Chengjie Gu,Shunyi Zhang,Xudong Chen,Anyuan Du

2011-01-01

Journal of Computational Information Systems

Abstract:Since many Peer-to-Peer applications use dynamic port numbers, masquerading techniques and encryption, network traffic classification using traditional methods such as ports-based or payload-based analysis is becoming increasing difficult. An alternative approach is using machine learning methodology to classify network applications based on flow statistics. We propose realtime traffic classification based on semi-supervised learning in this paper. Experiment results illustrate 1) high classification accuracy can be achieved using dataset that consists of a small number of labeled and a large number of unlabeled flows. 2) It is extremely suitable to realize realtime traffic classification. 3) Our approach is robust and can handle both previously unseen applications and changed behaviour of existing applications. Copyright © 2011 Binary Information Press.

Shengnan Hao,Jing Hu,Songyin Liu,Tiecheng Song,Jinghong Guo,Shidong Liu

DOI: https://doi.org/10.1109/iccais.2015.7338641

2015-01-01

Abstract:Network traffic classification plays an extremely important role in network management and service. Support vector machine (SVM) is widely adopted to classify traffic flows for its high accuracy. All features selected are treated equally in traditional SVM network traffic classification, which take little consideration of that each feature exerts a different influence on classification. Therefore, we adopt feature weight learning to assign individual feature a corresponding weight according to its importance on classification. Moreover, SVM is a method to solve binary classes problem and multi-classification problem is usually decomposed into a series of binary classification problems. Considering the differences of sample distribution between those binary classifiers, the improved SVM network traffic classification method proposed in this paper computes its own feature weights and parameter values for each individual SVM binary classifier. Experimental results show that the improved method proposed has a higher and more stable performance.

Jing Ran,Xiaochen Kong,Gan Lin,Dongming Yuan,Hefei Hu

DOI: https://doi.org/10.1109/compcomm.2017.8322736

2017-01-01

Abstract:Traffic classification technique is an essential tool for network management and system security in terms of high accuracy and fast classification speed. However, in the complex environments such as cloud computing environment, the traditional traffic classifiers will fail facing the unknown protocols that are never seen during training. The state-of-the-art traffic classification methods aim to utilize the semi-supervised learning algorithm to solve the problem. In this paper, we develop a self-adaptive traffic classification system based on semi-supervised learning, which adopts the method, dynamically adding the centers and iterative semi-supervised k-means to choose optimal system parameter and achieve high accuracy. Experiment results derived from real-world traffic are presented to show the effectiveness of the system.

Zhang Luoshi,Xue Yibo,Bao Yuanyuan

DOI: https://doi.org/10.14257/ijgdc.2015.8.3.29

2015-01-01

International Journal of Grid and Distributed Computing

Abstract:With development of scale, diversity and complexity of network traffic, the drawbacks of traditional machine learning methods on traffic classification is gradually exposed, especially the false positive problem in large-scale real network traffic classification is particularly serious. In this paper, aiming at reducing the false positive rate of network traffic classification, an effective network traffic classification method --- CMM method. CMM method contains three steps, including dividing the training set into clusters, forming sub-classifiers, and classifier integration in accordance with the principle of minimization and maximization. In this paper, we firstly demonstrate the effectiveness of this method in reducing the false positive rate. Secondly, we conduct experiments in large-scale national backbone network, such as the SSL protocol classification and experimental results verify the effectiveness of this method in large-scale the actual network traffic classification.

徐庆伶,汪西莉

DOI: https://doi.org/10.3969/j.issn.1673-629x.2010.10.029

2010-01-01

Abstract:One of the important assignment in machine learning is how to use large-scale data effectively,the traditional SVM is a kind of supervised learning approach,it needs a number of labeled samples for training,but the labeled samples are limited and very difficult to obtain.A semi-supervised SVM for classification is proposed by binding the thoughts of Co-training and Tri-training together.This method uses two SVM classifiers with different parameters to label the unlabeled samples,then chooses the samples with high confidence level to extend the labeled sample-set.Both theoretical analysis and simulation results indicatethat this method can use a lot of unlabeled samples effectively, and the addition of unlabeled samples can improve classification accuracy availably.

Jinghua Yan,Xiaochun Yun,Zhigang Wu,Hao Luo,Shuzhuang Zhang,Shuyuan Jin,Zhibin Zhang

DOI: https://doi.org/10.1109/PDCAT.2012.105

2012-01-01

Abstract:Online traffic classification has been widely used in quality of service measurements, network management and security monitoring. Currently, more and more research works tend to apply machine learning techniques to online traffic classification, and most of them are based on supervised learning and unsupervised learning techniques. Although supervised learning method has exhibited good classification performance, it needs lots of labeled training samples which are difficult to collect. The co-training method is a semi-supervised learning method, which can use little labeled samples and plenty of unlabeled samples to enhance the performance of supervised learning method. In this paper, we investigate the co-training algorithm for online traffic classification. The co-training algorithm needs two separate features which are sufficient to train a good classifier. We choose packet size and inter-packet time of the first packets of a traffic flow as two features. However, the inter-packet time is dependent to network conditions and will be impacted by network jitter. This paper constructs a robust inter-packet time feature named "Netipt" which is resilient to network jitter, and we integrate Netipt feature to co-training algorithm. We test our co-training algorithm based on two real-world traffic datasets. The results show that the co-training algorithm can enhance the accuracy of traffic classification drastically even when there are very few training samples.

PEI Yang,WANG Yong,TAO Xiao-ling,LI Ping-hong

DOI: https://doi.org/10.3969/j.issn.1000-7024.2013.08.002

2013-01-01

Abstract:In order to solve high complexity and slow training speed of SVM(support vector machine) algorithm on large network classification dataset,a parallel SVM network traffic classification method is presented,which is based on cloud computing platform to improve the training speed of SVM algorithm on large dataset.This method uses cloud computing platform to build multistage SVM and MapReduce model.The dataset is splited into some sub-datasets,and then trains the sub-datasets parallel to get support vectors set for traffic classification model.Compared with traditional SVM algorithms,experimental results show that parallel SVM network traffic classification method maintains high classification accuracy,reduces training time effectively and improves the speed of classification for large scale of network traffic data.

Shengnan Hao,Jing Hu,Songyin Liu,Tiecheng Song,Jinghong Guo,Shidong Liu

DOI: https://doi.org/10.1109/ComManTel.2015.7394298

2015-01-01

Abstract:Network traffic classification plays a fundamental role in network management and services. Given error accumulation in traditional DAGSVM (Directed Acyclic Graph-Support Vector Machine) algorithm, we propose an improved DAGSVM classification method using two different possibility metrics in this paper. Differing from traditional DAG-SVM, the improved DAG-SVM algorithm eliminates one class only under the condition of that classification error probability is less than threshold. The experiment results show that compared with traditional DAG-SVM, the methods proposed in this paper both have higher classification accuracy with acceptable time cost and improved DAG-SVM based on distance has a better performance than improved DAG-SVM based on decision function.

Ruixi Yuan,Zhu Li,Xiaohong Guan,Li Xu

DOI: https://doi.org/10.1007/s10796-008-9131-2

2008-01-01

Information Systems Frontiers

Abstract:Accurate and timely traffic classification is critical in network security monitoring and traffic engineering. Traditional methods based on port numbers and protocols have proven to be ineffective in terms of dynamic port allocation and packet encapsulation. The signature matching methods, on the other hand, require a known signature set and processing of packet payload, can only handle the signatures of a limited number of IP packets in real-time. A machine learning method based on SVM (supporting vector machine) is proposed in this paper for accurate Internet traffic classification. The method classifies the Internet traffic into broad application categories according to the network flow parameters obtained from the packet headers. An optimized feature set is obtained via multiple classifier selection methods. Experimental results using traffic from campus backbone show that an accuracy of 99.42% is achieved with the regular biased training and testing samples. An accuracy of 97.17% is achieved when un-biased training and testing samples are used with the same feature set. Furthermore, as all the feature parameters are computable from the packet headers, the proposed method is also applicable to encrypted network traffic.

Rui-ying DU,Yong YANG,Jing CHEN,Chi-heng WANG

DOI: https://doi.org/10.6040/j.issn.1671-9352.2.2014.106

2014-01-01

Abstract:Support Vector Machine is a classification algorithm that combines high efficiency,high accuracy and real time.Theres a problem when SVM makes its decision for an un-labeled instance because uninvolved classifierspartici-pate in that affects SVMs real time performance and reliability.Thus,a method utilized Efficient SVM based on Simi-larity (ESVMS)for traffic classification was proposed.ESVMS estimates the classes that an un-labeled instances may belongs to as to kick out the uninvolved classifiers.Experimental results show that ESVMS holds the accuracy of SVMs and improves its real time performance.

Tan Li,Shuangwu Chen,Zhen Yao,Xiang Chen,Jian Yang

DOI: https://doi.org/10.1109/FSKD.2018.8686880

2018-01-01

Abstract:Network traffic classification plays a fundamental role in area of network management and security. Recent days, machine learning techniques have been used to classify network traffic. In particular, semi-supervised learning is very fit for practical scenarios, where pre-labelled training flows are hard to obtain. In this paper, a semi-supervised classification scheme is proposed for network traffic classification by using deep generative models. Specifically, the feature extractor module aims to automatically find representation features of raw traffic data in a lower dimensional feature space. Subsequently, using these representation features, a separated classifier is trained by the semi-supervised classification module. The method is verified with three different levels of datasets: Anomaly detection-level, protocol-level and application-level. The results show that our scheme can not only detect malware traffic, but also classify the traffic according to their protocol, application, and attack types. Using less than 20% labelled flows of the whole dataset, we can achieve the accuracy of over 95% which is a satisfying value compared with supervised learning method.