Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

Ayodeji Olalekan Salau,Melesew Mossie Beyene

DOI: https://doi.org/10.1038/s41598-024-70983-6

IF: 4.6

2024-09-02

Scientific Reports

Abstract:The classification of network traffic has become increasingly crucial due to the rapid growth in the number of internet users. Conventional approaches, such as identifying traffic based on port numbers and payload inspection are becoming ineffective due to the dynamic and encrypted nature of modern network traffic. A number of researchers have implemented Software Defined Networking (SDN) based traffic classification using Machine Learning (ML) and Deep Learning (DL) models. However, the studies had various limitations such as encrypted traffic detection, payload inspection, poor detection accuracy, and challenges with testing models both in offline and real-time traffic modes. ML models together with SDN are adopted nowadays to enhance classification performance. In this paper, both supervised (Logistic Regression, Decision Tree, Random Forest, AdaBoost, and Support Vector Machine) and unsupervised (K-means clustering) ML models were used to classify Domain Name System (DNS), Telnet, Ping, and Voice traffic flows simulated using the Distributed Internet Traffic Generator (D-ITG) tool. The use of this tool effectively manages and classifies traffic types based on their application. The study discussed the dataset used, model selection, implementation of the model, and implementation techniques (such as pre-processing, feature extraction, ML algorithm, and model evaluation metrics). The proposed model in SDN was implemented in Mininet for designing the network architecture and generating network traffic. Anaconda Python environment was utilized for traffic classification using various ML techniques. Among the models tested, the Decision Tree supervised learning achieved the highest accuracy of 99.81%, outperforming other supervised and unsupervised learning algorithms. These results indicate that the integration of ML with SDN provides an efficient classification method for identifying and accurately classifying both offline and real-time network traffic, enhanced quality of service (QoS), detection of encrypted packets, deep packet inspection and management.

multidisciplinary sciences

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Shahbaz Rezaei,Xin Liu

DOI: https://doi.org/10.1109/ICCCN49398.2020.9209652

2020-05-09

Abstract:Traffic classification has various applications in today's Internet, from resource allocation, billing and QoS purposes in ISPs to firewall and malware detection in clients. Classical machine learning algorithms and deep learning models have been widely used to solve the traffic classification task. However, training such models requires a large amount of labeled data. Labeling data is often the most difficult and time-consuming process in building a classifier. To solve this challenge, we reformulate the traffic classification into a multi-task learning framework where bandwidth requirement and duration of a flow are predicted along with the traffic class. The motivation of this approach is twofold: First, bandwidth requirement and duration are useful in many applications, including routing, resource allocation, and QoS provisioning. Second, these two values can be obtained from each flow easily without the need for human labeling or capturing flows in a controlled and isolated environment. We show that with a large amount of easily obtainable data samples for bandwidth and duration prediction tasks, and only a few data samples for the traffic classification task, one can achieve high accuracy. We conduct two experiment with ISCX and QUIC public datasets and show the efficacy of our approach.

Machine Learning

Jun Li,Shunyi Zhang,Cuilian Li,Junrong Yan

DOI: https://doi.org/10.1002/nem.735

2010-01-01

International Journal of Network Management

Abstract:Accurate and real-time classifi cation of network traffic is significant to a number of network operation and management tasks such as quality of service differentiation, traffic shaping and security surveillance. However, with emerging P2P applications using dynamic port numbers, IP masquerading techniques and payload encryption, accurate and intelligent traffic classification continues to be a big challenge despite a wide range of research work on the topic. Since each classification method has its disadvantages and hardly could meet the specific requirement of Internet traffic classification, this paper innovatively presents a composite traffic classification system. The proposed lightweight system can accurately and effectively identify Internet traffic with good scalability to accommodate both known and unknown/encrypted applications. Furthermore, It promises to satisfy various Internet uses and is feasible for use in real-time line speed applications. Our experimental results show the distinct advantages of the proposed classification system.

Ruixi Yuan,Zhu Li,Xiaohong Guan,Li Xu

DOI: https://doi.org/10.1007/s10796-008-9131-2

2008-01-01

Information Systems Frontiers

Abstract:Accurate and timely traffic classification is critical in network security monitoring and traffic engineering. Traditional methods based on port numbers and protocols have proven to be ineffective in terms of dynamic port allocation and packet encapsulation. The signature matching methods, on the other hand, require a known signature set and processing of packet payload, can only handle the signatures of a limited number of IP packets in real-time. A machine learning method based on SVM (supporting vector machine) is proposed in this paper for accurate Internet traffic classification. The method classifies the Internet traffic into broad application categories according to the network flow parameters obtained from the packet headers. An optimized feature set is obtained via multiple classifier selection methods. Experimental results using traffic from campus backbone show that an accuracy of 99.42% is achieved with the regular biased training and testing samples. An accuracy of 97.17% is achieved when un-biased training and testing samples are used with the same feature set. Furthermore, as all the feature parameters are computable from the packet headers, the proposed method is also applicable to encrypted network traffic.

Xi Xiao,Rui Li,Hai-Tao Zheng,Runguo Ye,Arun KumarSangaiah,Shutao Xia

DOI: https://doi.org/10.1016/j.ins.2018.10.039

IF: 8.1

2018-01-01

Information Sciences

Abstract:Traffic classification has been widely used in networking and security issues. Previous works have involved many different techniques for mapping traffic to the application. However, little attention has been paid to traffic classification for dynamic network stream. In this paper, we propose a Dynamic Multiple Traffic Classification System (DMTCS). We first introduce the time-based distribution of the traffic protocol information to the traffic classification problem, as the traffic data is a data stream with time continuity. The packets are treated as documents and protocols are seen as topics. Thus, we can apply topic models to cluster packets. In our system, after initialization, packets arrived at a time point are classified as of some protocols. Then, these packets are assembled to clusters according to the protocol distribution at the last time point. Finally, we use these clusters to classify packets arrived at the next time point. Our method has several advantages: 1) does not require the prior knowledge of target applications: 2) tolerant with both TCP and UDP protocols; 3) support multiple classification; 4) preserve high accuracy for the traffic stream with dynamic and imbalanced traffic distribution. Evaluations on DMTCS are carried on two different datasets, and the experimental results demonstrate that DMTCS has an impressive performance in classification on the real-world network stream and the dynamic simulation stream. Whats more, DMTCS outperforms other state-of-the-art models in our experiment. (C) 2018 Published by Elsevier Inc.

Zhou Wengang,Chen Leiting,Dong Shi

DOI: https://doi.org/10.3724/sp.j.1187.2013.01114

2013-01-01

JOURNAL OF ELECTRONIC MEASUREMENT AND INSTRUMENT

Abstract:A number of network activities can benefit from accurate traffic classification and identification. However, the current classification methods, either port-based or payload-based, are becoming ineffective as many P2P applications use dynamic port numbers, masquerading techniques, and encryption to avoid detection. This paper discusses and explores a new method that is based on supervised machine learning mechanisms, which eliminate the inherent limitations of port-based or payload-based methods. A series of experiments show that, combined with a fast correlation-based feature selection filter, better performance and more accurate identification results can be obtained using the neural network method. Due to all the favorable features and satisfactory performance, the proposed methods are promising for internet traffic classification.

Jiahui Chen,Joe Breen,Jeff M. Phillips,Jacobus Van der Merwe

DOI: https://doi.org/10.1007/s10586-021-03393-2

2021-07-10

Abstract:Network traffic classification that is widely applicable and highly accurate is valuable for many network security and management tasks. A flexible and easily configurable classification framework is ideal, as it can be customized for use in a wide variety of networks. In this paper, we propose a highly configurable and flexible machine learning traffic classification method that relies only on statistics of sequences of packets to distinguish known, or approved, traffic from unknown traffic. Our method is based on likelihood estimation, provides a measure of certainty for classification decisions, and can classify traffic at adjustable certainty levels. Our classification method can also be applied in different classification scenarios, each prioritizing a different classification goal. We demonstrate how our classification scheme and all its configurations perform well on real-world traffic from a high performance computing network environment.

Machine Learning,Networking and Internet Architecture

Jie Cao,Da Wang,Zhaoyang Qu,Hongyu Sun,Bin Li,Chin-Ling Chen

DOI: https://doi.org/10.3390/sym12020301

2020-02-20

Symmetry

Abstract:Network traffic classification based on machine learning is an important branch of pattern recognition in computer science. It is a key technology for dynamic intelligent network management and enhanced network controllability. However, the traffic classification methods still facing severe challenges: The optimal set of features is difficult to determine. The classification method is highly dependent on the effective characteristic combination. Meanwhile, it is also important to balance the experience risk and generalization ability of the classifier. In this paper, an improved network traffic classification model based on a support vector machine is proposed. First, a filter-wrapper hybrid feature selection method is proposed to solve the false deletion of combined features caused by a traditional feature selection method. Second, to balance the empirical risk and generalization ability of support vector machine (SVM) traffic classification model, an improved parameter optimization algorithm is proposed. The algorithm can dynamically adjust the quadratic search area, reduce the density of quadratic mesh generation, improve the search efficiency of the algorithm, and prevent the over-fitting while optimizing the parameters. The experiments show that the improved traffic classification model achieves higher classification accuracy, lower dimension and shorter elapsed time and performs significantly better than traditional SVM and the other three typical supervised ML algorithms.

María Rodríguez,Álvaro Alesanco,Lorena Mehavilla,José García

DOI: https://doi.org/10.3390/s22239326

IF: 3.9

2022-12-01

Sensors

Abstract:Cybersecurity is one of the great challenges of today's world. Rapid technological development has allowed society to prosper and improve the quality of life and the world is more dependent on new technologies. Managing security risks quickly and effectively, preventing, identifying, or mitigating them is a great challenge. The appearance of new attacks, and with more frequency, requires a constant update of threat detection methods. Traditional signature-based techniques are effective for known attacks, but they are not able to detect a new attack. For this reason, intrusion detection systems (IDS) that apply machine learning (ML) techniques represent an alternative that is gaining importance today. In this work, we have analyzed different machine learning techniques to determine which ones permit to obtain the best traffic classification results based on classification performance measurements and execution times, which is decisive for further real-time deployments. The CICIDS2017 dataset was selected in this work since it contains bidirectional traffic flows (derived from traffic captures) that include benign traffic and different types of up-to-date attacks. Each traffic flow is characterized by a set of connection-related attributes that can be used to model the traffic and distinguish between attacks and normal flows. The CICIDS2017 also contains the raw network traffic captures collected during the dataset creation in a packet-based format, thus permitting to extract the traffic flows from them. Various classification techniques have been evaluated using the Weka software: naive Bayes, logistic, multilayer perceptron, sequential minimal optimization, k-nearest neighbors, adaptive boosting, OneR, J48, PART, and random forest. As a general result, methods based on decision trees (PART, J48, and random forest) have turned out to be the most efficient with F1 values above 0.999 (average obtained in the complete dataset). Moreover, multiclass classification (distinguishing between different types of attack) and binary classification (distinguishing only between normal traffic and attack) have been compared, and the effect of reducing the number of attributes using the correlation-based feature selection (CFS) technique has been evaluated. By reducing the complexity in binary classification, better results can be obtained, and by selecting a reduced set of the most relevant attributes, less time is required (above 30% of decrease in the time required to test the model) at the cost of a small performance loss. The tree-based techniques with CFS attribute selection (six attributes selected) reached F1 values above 0.990 in the complete dataset. Finally, a conventional tool like Zeek has been used to process the raw traffic captures to identify the traffic flows and to obtain a reduced set of attributes from these flows. The classification results obtained using tree-based techniques (with 14 Zeek-based attributes) were also very high, with F1 above 0.997 (average obtained in the complete dataset) and low execution times (allowing several hundred thousand flows/s to be processed). These classification results obtained on the CICIDS2017 dataset allow us to affirm that the tree-based machine learning techniques may be appropriate in the flow-based intrusion detection problem and that algorithms, such as PART or J48, may offer a faster alternative solution to the RF technique.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Rehab H. Serag,Mohamed S. Abdalzaher,Hussein Abd El Atty Elsayed,M. Sobh,Moez Krichen,Mahmoud M. Salim

DOI: https://doi.org/10.3390/electronics13061108

IF: 2.9

2024-03-18

Electronics

Abstract:Many research efforts have gone into upgrading antiquated communication network infrastructures with better ones to support contemporary services and applications. Smart networks can adapt to new technologies and traffic trends on their own. Software-defined networking (SDN) separates the control plane from the data plane and runs programs in one place, changing network management. New technologies like SDN and machine learning (ML) could improve network performance and QoS. This paper presents a comprehensive research study on integrating SDN with ML to improve network performance and quality-of-service (QoS). The study primarily investigates ML classification methods, highlighting their significance in the context of traffic classification (TC). Additionally, traditional methods are discussed to clarify the ML outperformance observed throughout our investigation, underscoring the superiority of ML algorithms in SDN TC. The study describes how labeled traffic data can be used to train ML models for appropriately classifying SDN TC flows. It examines the pros and downsides of dynamic and adaptive TC using ML algorithms. The research also examines how ML may improve SDN security. It explores using ML for anomaly detection, intrusion detection, and attack mitigation in SDN networks, stressing the proactive threat-detection and response benefits. Finally, we discuss the SDN-ML QoS integration problems and research gaps. Furthermore, scalability and performance issues in large-scale SDN implementations are identified as potential issues and areas for additional research.

engineering, electrical & electronic,computer science, information systems,physics, applied

Muhammad Basit Umair,Zeshan Iqbal,Muhammad Bilal,Tarik Adnan Almohamad,Jamel Nebhen,Raja Majid Mehmood

DOI: https://doi.org/10.32604/cmc.2022.020727

2021-07-26

Abstract:Internet of Things (IoT) defines a network of devices connected to the internet and sharing a massive amount of data between each other and a central location. These IoT devices are connected to a network therefore prone to attacks. Various management tasks and network operations such as security, intrusion detection, Quality-of-Service provisioning, performance monitoring, resource provisioning, and traffic engineering require traffic classification. Due to the ineffectiveness of traditional classification schemes, such as port-based and payload-based methods, researchers proposed machine learning-based traffic classification systems based on shallow neural networks. Furthermore, machine learning-based models incline to misclassify internet traffic due to improper feature selection. In this research, an efficient multilayer deep learning based classification system is presented to overcome these challenges that can classify internet traffic. To examine the performance of the proposed technique, Moore-dataset is used for training the classifier. The proposed scheme takes the pre-processed data and extracts the flow features using a deep neural network (DNN). In particular, the maximum entropy classifier is used to classify the internet traffic. The experimental results show that the proposed hybrid deep learning algorithm is effective and achieved high accuracy for internet traffic classification, i.e., 99.23%. Furthermore, the proposed algorithm achieved the highest accuracy compared to the support vector machine (SVM) based classification technique and k-nearest neighbours (KNNs) based classification technique.

Networking and Internet Architecture

GU Yue,LI Dan,GAO Kaihui

DOI: https://doi.org/10.11959/j.issn.1000-0801.2021052

2021-01-01

Abstract:With the continuous development of Internet technology and the continuous expansion of network scale, there are many different types of applications , and various new applications have endlessly emerged.In order to ensure the quality of service (QoS) and ensure network security, accurate and fast traffic classification is an urgent problem for both operators and network managers.Firstly, the problem definition and performance metrics of network traffic classification were given.Then, the traffic classification methods based on machine learning and deep learning were introduced respectively, the advantages and disadvantages of these methods were analyzed, and the existing problems were expounded.Next, the related work by focusing on the three problems encountered elaborated and analyzed in traffic classification when considering online deployment: dataset, zero-day application identification and the cost of online deployment, and further discusses the challenges faced by the current network traffic classification researches.Finally, the next research direction of network traffic classification was prospected.

Wengang Zhou,Leiting Dong,Bic, L.,Mingtian Zhou

DOI: https://doi.org/10.1109/iccps.2011.6092257

2011-01-01

Abstract:Many network activities can benefit from accurate traffic classification and categorization, such as QOS control, network security monitoring, and traffic accounting. In this paper, a new approach based on feed-forward neural network is proposed for accurate traffic classification, which eliminates the disadvantages of port-based or payload-based classification methods. Extensive experimentation and comparison have been carried out to explore this new approach; it has been found out that, combined with a fast correlation-based feature selection filter, better performance and more accurate classification results can be obtained using neural network method compared to other techniques. For its good performance and elimination of accessing the contents of the packets, the proposed technique is expected to have a promising application prospect in internet traffic classification.

Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Luming Wang,Mao Yang,Bo Li,Zhongjiang Yan

2023-04-04

Abstract:With the increasing number of service types of wireless network and the increasingly obvious differentiation of quality of service (QoS) requirements, the traffic flow classification and traffic prediction technology are of great significance for wireless network to provide differentiated QoS guarantee. At present, the machine learning methods attract widespread attentions in the tuples based traffic flow classification as well as the time series based traffic flow prediction. However, most of the existing studies divide the traffic flow classification and traffic prediction into two independent processes, which leads to inaccurate classification and prediction results. Therefore, this paper proposes a method of joint wireless network traffic classification and traffic prediction based on machine learning. First, building different predictors based on traffic categories, so that different types of classified traffic can use more appropriate predictors for traffic prediction according to their categories. Secondly, the prediction results of different types of predictors, as a posteriori feature, are fed back to the classifiers as input features to improve the accuracy of the classifiers. The experimental results show that the proposed method has improves both the accuracy of traffic classification and traffic prediction in wireless networks.

Networking and Internet Architecture

GUI Fei,CHENG Yang,LI Dan,HONG Sihong

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020285

2020-01-01

Abstract:Traffic bursts are common in networks, which have a significant impact on quality of user experience. In the case of traffic bursts, huge volumes of packets can overwhelm the physical links in a short time duration(i.e., milliseconds), resulting in congestion and frequent packet loss. However, traditional routing schemes are either traffic oblivious such as OSPF, which can’t adapt to real-time traffic changes, or centralized control such as linear programming, which can’t efficiently react to traffic bursts due to slow computation. To address this problem in a practical and efficient approach, a novel intelligent routing algorithm based on machine learning (ML) was proposed. On the one hand, the proposed algorithm can leverage the promising modelling ability of machine learning to learn the implicit clue of routing decision. On the other hand, the proposed algorithm enjoys the ultralow processing latency benefited from the fast inference of ML, thus speeding up the reaction to traffic bursts. Experiments on two open-source datasets demonstrate that the proposed scheme can reduce utilization of bottleneck link by 13%～70%, compared with the baselines.

Yiyang Shao,Luoshi Zhang,Xiaoxian Chen,Yibo Xue

DOI: https://doi.org/10.1109/cns.2014.6997530

2014-01-01

Abstract:Many important network security areas, such as Intrusion Detection System and Next-Generation Firewall, leverage Traffic Classification techniques to reveal application-level protocols. Machine Learning algorithms give us the ability to identify encrypted or complicated traffic. However, classification accuracies of Machine Learning algorithms are always facing challenges and doubts in practical usage. In this paper, we propose a time-varying Logistic Regression model embedded with traffic pattern. The comparison between original Logistic Regression model and time-varying one shows an effective improvement in accuracy. We hope to exploit a new way to implement Machine Learning algorithms in network traffic analysis areas by considering the characteristics of traffic changes in time domain.

Yanpei Hua

DOI: https://doi.org/10.1109/ictc49638.2020.9123302

2020-05-01

Abstract:Machine Learning (ML) techniques have been widely used in anomaly-based Intrusion Detection System (IDS) in the big data era. Although many advanced approaches are proposed recently, there are still several key limitations that should not be ignored. Firstly, data pre-processing methods have not gained sufficient attention, and they are vital to efficiency of model training especially with massive volume of collected samples. Secondly, in spite that deep learning is able to acquire more hidden interrelations from input data, it usually suffers from high complexity with numerous parameters tuned and much training time consumed. Thirdly, KDD99 data sets and their variants are leveraged by most of the literature for traffic classification, but they are proved to be outdated and inadequate for IDS evaluation. Therefore, to cope with these challenges, in this paper, we firstly propose a data pre-processing approach with under-sampling and embedded feature selection, in order to relieve the imbalance of traffic samples and extract dominant features of incoming flows. Then, we utilize LightGBM to build an traffic classification approach for IDS with better accuracy and efficiency. Finally, we evaluate our proposed approaches based on CIC-IDS2018, the data set issued in 2018 that contains comprehensive real network traffic. Extensive experiments are performed, and related results have confirmed the advantages of our proposed approaches over several other comparisons.