Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Qianli Zhang,Yunlong Ma,Pei Zhang,Jilong Wang,Xing Li

DOI: https://doi.org/10.1109/icicip.2014.7010349

2014-01-01

Abstract:Though it is commonly assumed that Internet traffic is dominated by TCP, there has been an increasing demand for UDP based P2P applications. UDP is widely used in new P2P networks because it can provides better support for NAT traversal. Since many of these applications use private protocols, UDP traffic is often hard to analyze, especially if the available data is only netflow records. In this paper, a component based method is proposed to analyze UDP traffic. Since flows in each component share the same application, P2P traffic can be identified without packet level information.

Mingjiang Ye,Jianping Wu,Ke Xu,Dah Ming Chiu

DOI: https://doi.org/10.1016/j.comcom.2010.01.005

2009-01-01

Abstract:Classifying network traffic according to its applications is important to a broad range of network areas. Since new applications, especially P2P applications, no longer use well-known fixed port numbers, the native port based traffic classification technique has become much less effective. In this paper, we propose a novel approach to identify P2P traffic by leveraging on the data transfer behaviour of P2P applications. The behaviour investigated in the paper is that downloaded data from a P2P host will be uploaded to other hosts later. To find the shared data of downloading flows and uploading flows online, the content based partitioning schema is used to partition the flows into data blocks. Flows sharing the same data blocks are identified as P2P flows. The effectiveness of this method is demonstrated by experiments on various P2P applications. The results show that the algorithm can identify P2P applications very accurately while only keeping a small set of data blocks. The method is generic and can be applied to most P2P applications.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1109/glocom.2008.ecp.475

2008-01-01

Abstract:Accurate and fast identification of network traffic is an important element of many network management tasks such as QoS provisioning and security monitoring. However, as many newly-emerged Peer-to-Peer (P2P) applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, the classical approaches based on port mapping and payload analysis are ineffective. An alternative approach is to classify traffic by distinguishing the behavior of an application within the first few packets of TCP connection. We pursue this approach and demonstrate that information of few packets is enough to effectively identify P2P traffic. In our work, C4.5 decision tree and REPTree are evaluated and compared with the previously used clustering method K-Means. Experimental results show that our approaches outperform K- Means algorithm in accuracy. In addition, the proposed approaches can accommodate known and unknown P2P traffic and even encrypted traffic in fast and accurate way, which ensures the real-time applications on the Internet traffic surveillance and QoS provisioning.

Lin Wang,Bo Yang,Zhenxiang Chen,Yuehui Chen

2007-01-01

Abstract:Classification of network traffic using port-based or payload-based analysis is becoming increasingly difficult with many applications using dynamic port numbers, masquerading techniques, and encryption to avoid detection. An alternative approach is to classify traffic by exploiting the distinctive characteristics of applications when they communicate on a network. We pursue this latter approach and demonstrate how Further Division of Partition Space (FDPS)can be used to effectively identify groups of traffic that are similar using only transport layer statistics. FDPS which is a novel improvement in neural networks classification is proposed in our previous work.We evaluate FDPS and compare it to the traditional neural networks classification, using empirical Internet traces.The experimental results show that FDPS works very well and more quickly than traditional. Our results indicate that FDPS has higher performance than traditional neural networks classification.

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Dawei Wang,Luoshi Zhang,Zhenlon Yuan,Yibo Xue,Yinfei Dong

DOI: https://doi.org/10.1109/iccnc.2014.6785298

2014-01-01

Abstract:Network traffic classification is critical to both network management and system security. However, existing traffic classification techniques become less effective as more P2P applications use proprietary protocols for delivery and encryption. Especially, current techniques usually focus on individual flows and do not consider all flows associated with an application together. To address this issue, this paper proposes a novel Application Behavior Characterization (ABC) technique. We design a novel application behavior feature extracting method and an effective classification algorithm, which explore the correlation of multiple flows of a specific application. We evaluate the proposed method with real network traffic. The experimental results show that it can correctly identify flows belonging to a set of known P2P applications (such as Skype, Thunder, and PPTV) with a probability over 90%. Moreover, it can further identify the particular application that a flow belongs to with a precision of 90% on average. More information about implementing and deploying ABC can be found in a technical report [10].

Tao Qin,Lei Wang,Zhaoli Liu,Xiaohong Guan

DOI: https://doi.org/10.1016/j.knosys.2015.03.002

IF: 8.139

2015-01-01

Knowledge-Based Systems

Abstract:Application identification plays an essential role in network management such as intrusion detection and security monitoring. But the continuous growth of bandwidth and massive amount of packets pose serious challenges for efficacious and accurate application identification. In this paper, we develop a new method to reduce the number of packets being processed while achieving the goal of accurate P2P and VoIP application identification. Firstly, we employ the Bi-flow model to aggregate traffic packets into Bi-flow, which can capture the exchange behavior characteristics between different terminals. Then we employ the signature of Packet Size Distribution (PSD) to capture flow dynamics, which is defined as the payload length distribution probability of the packets in one Bi-flow. Secondly, we collect PSD of several different P2P and VoIP applications and the analysis results show that PSD of different applications are different with each other, which can be used as features to perform traffic identification. We also find the PSD characteristics of one Bi-flow can be captured by its first few packets, which demonstrate our methods can identify the Bi-flow quickly after its establishment. We employ the Renyi cross entropy to perform identification by calculating the similarity between PSD of the Bi-flow being identified and that of specific application. If the similarity is higher than a selected threshold, the Bi-flow being identified is classified to the specific application. Finally, as the PSD is a type of probability feature which is not sensitive to packet lose, we integrate the Poisson sampling method into our framework to process the massive data in backbone networks. Experimental results using the artificial and actual traces collected from monitoring platform in the Northwest Center of CERNET (China Education and Research Network) verify the accuracy and robustness of our method.

Feng Liu,Zhitang Li,Qingbin Nie

DOI: https://doi.org/10.1109/ITCS.2009.257

2009-01-01

Abstract:These years, P2P applications have multiplied, evolved and take a big part of Internet traffic workload. Identifying the P2P traffic and understanding their behavior is an important field. Some port, payload and transport layer feature based methods were proposed. P2P traffic identification methods by examining user payload or well-defined port numbers no longer adapt to current P2P applications. In recent years, some scholars do researches on traffic classification by using Machine Learning. However, previous researches are almost on the flow level. In this paper, we develop a new method of P2P traffic identification based on Support Vector Machine by analyzing packet length, remote hosts’ discreteness, connection responded success rate and the ratio of IP and port at the host level without relying on the port numbers and packet payload. Finally, the experiment results indicate that this approach can effectively identify P2P applications.

Pinghui Wang,Xiaohong Guan,Tao Qin

DOI: https://doi.org/10.1109/camad.2009.5161471

2009-01-01

Abstract:Peer-to-Peer (P2P) protocol is widely used in many network applications and P2P traffic is becoming dominating in the current Internet and may cause serious congestion. Recently, P2P applications tend to intentionally disguise their traffic flows by using arbitrary ports, which leads the accurate identification of P2P traffic to become a very difficult job and hot research topic in network traffic control. In this paper, we employ the longest common subsequence to identify the key packets from the traffic flows, and present a new method to identify the P2P flows based on the signatures of key packets with only direction and payload length in the first few packets of a flow. We test the new method with four popular P2P applications in the actual network environment and the results show that the new method has high accuracy and efficiency since only a few packets in each flow needs to be analyzed. The new method is suitable for real time traffic management and monitoring.

Gang Lu,Hongli Zhang,Mahmoud Qassrawi,Xiangzhan Yu

DOI: https://doi.org/10.1109/iccve.2012.58

2012-01-01

Abstract:Recently, flow features at the packet level for traffic classification have been paid more attention to since they are simple and observable even if encrypted tunnels are applied in the network, such as SSL tunnel. However, how to use flow features at the packet level for effective classification of traffic flows is still a significant issue to be solved. The objective of this paper is to compare and analyze three typical flow features at the packet level: packet size combined with packet direction, packet size combined with inter-arrival time, and protocol fingerprint. The amount of information carried by each feature is presented with mutual information measurement. Based on the traffic traces captured from two different network environments, our experimental results indicate that when C4.5 algorithm classifies traffic flows with the first two packets of each flow, packet size combined with packet inter-arrival time, which is generated from the client-to-server direction of a TCP connection, is more accurate and stable across space and time.

Li-Juan Zhou,Zhi-Tang Li,Hao Tu

DOI: https://doi.org/10.1007/978-3-540-71701-0_130

2007-01-01

Abstract:Over the last years, the wide use of the P2P application has lead to the rapid growth of network traffic. Thus, the accurate classification of P2P traffic becomes a challenging problem. This paper proposes some new fundamental characteristics of TCP traffic to achieve its discrimination. To prove the universality of the values of our proposed features, we also present some analytic estimates of them using Pareto as the distribution of user lifetime in real P2P systems. Finally, we apply SVM to the discrimination of these features in order to automate the processing of the discrimination, and its accuracy is demonstrated as a result of some experiments.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

Lu Xing,Duan Haixin,Li Xing

DOI: https://doi.org/10.1109/ISCIT.2007.4392088

2007-01-01

Abstract:Identification of P2P traffic is very useful for many network management tasks such as application-specific traffic engineering, network planning and monitoring. However, this is a challenging issue because many P2P applications use dynamic port numbers, and deriving signatures that can he used for reliable detection manually is time consuming and difficult. In this paper, we propose a novel approach to detect P2P traffic without any application-specific signatures. It is based on the content redistribution characteristic of P2P protocol: every peer acts both as a server and a client, so it will redistribute the content received to other peers. To evaluate our approach, we use traces collected in our campus network and a signature-based classifier is also implemented. Experiment results show that the approach can be used to identify known and unknown P2P traffic with very low false positive rate, and achieves high accuracy when detecting P2P streaming traffic.

LIU Qiong,LIU Zhen,HUANG Min

DOI: https://doi.org/10.3969/j.issn.1002-137x.2010.12.008

2010-01-01

Computer Science

Abstract:To identify the traffic based on the application in a large network, the major part is traffic classification and it is useful to provide quality of service, lawful interception and intrusion detection. A number of limitations have been exhibited by older methods such as port-based and payload based classification. Hence Machine learning techniques are used by the research community to analyse the flow statistics for detecting network applications. The statistical based approach is used here for traffic identification and classification process. The statistical features are flow size, flow duration, TCP port, packet inter-arrival times statistics, total number of packets, mean packet length, protocol, number of bytes transferred. There are two types of machine learning algorithms such as supervised and unsupervised algorithms. These two machine learning algorithms are analysed with datasets respectively based on the set of algorithms. By evaluating the results of supervised and unsupervised algorithms respectively, best algorithm from each technique is combined together to yield

Li-Juan Zhou,Zhi-Tang Li,Tu Hao

DOI: https://doi.org/10.1109/CHINACOM.2007.4469328

2007-01-01

Abstract:Over the last years, the large number of filesharing applications has resulted in a significant increase of P2P traffic. The P2P (Peer-to-Peer) technology is characterized by no utilization of any servers with centralized functions and the presence of many hosts acting both as servers and clients. The wide use of the P2P application has lead to the rapid growth of network traffic. Thus, the accurate classification of P2P traffic becomes a challenging problem,and becomes even more challenging. This paper proposes some new essential characteristics of TCP traffic to achieve its discrimination. To prove the universality of the values of our proposed features, we also present some analytic estimates of them using Pareto as the distribution of user lifetime in real P2P systems. Finally, we apply SVM (Support-Vector-Machine) to the discrimination of these features in order to automate the processing of the discrimination, and its accuracy is demonstrated as a result of some experiments.

WU Fei,ZENG Fan-ping,XIONG Neng,DENG Chao-qiang,DONG Qi-xing

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.10.007

2012-01-01

Abstract:The accuracy of IP flow classification based on the characteristics of the application layer is relatively high,but it will cost a lot of time to match the feature library when the feature library is huge.To solve this problem,this paper proposes an approach of traffic classification that combines the characteristics of the application layer with heuristic search.First,we extract the common features from the packets generated by a variety of applications to establish the heuristic rules.Second,we divide the feature library into several feature subsets according to heuristic rules.Then in the process of traffic classification,we only need to match a specific feature subset according to heuristic rules,so the matching of irrelevant features can be greatly reduced,the feature subset is more targeted to be matched and the time performance is improved.For some applications we use DNS as a guide in traffic classification,overcoming the drawback that the encrypted data can not be identified based on the characteristics of the application layer.This paper realizes the algorithm with C language and compares it with l7-filter.The experiments show that the offline classification speed of the method presented in this paper is as 6-10 times as l7-filter,and the accuracy of identifying traffic of various application in our method can reach more than 98%.

Feng Liu,Zhitang Li,Junfeng Yu

DOI: https://doi.org/10.1109/ieec.2009.38

2009-01-01

Abstract:These years, P2P applications are very popular on the Internet and take a big part of the Internet traffic workload. Identifying the P2P traffic and understanding their behavior is an important field. However, previous P2P traffic identification methods by examining user payload or well-defined port numbers no longer adapt to current P2P applications. In this paper, we develop a statistical methodology by analyzing packet length and the P2P basic characteristic, P2P nodes can serve as a server and client at the same time, to identify P2P flows at the transport layer without relying on the port numbers and packet payload.

Jun Li,Shunyi Zhang,Cuilian Li,Junrong Yan

DOI: https://doi.org/10.1002/nem.735

2010-01-01

International Journal of Network Management

Abstract:Accurate and real-time classifi cation of network traffic is significant to a number of network operation and management tasks such as quality of service differentiation, traffic shaping and security surveillance. However, with emerging P2P applications using dynamic port numbers, IP masquerading techniques and payload encryption, accurate and intelligent traffic classification continues to be a big challenge despite a wide range of research work on the topic. Since each classification method has its disadvantages and hardly could meet the specific requirement of Internet traffic classification, this paper innovatively presents a composite traffic classification system. The proposed lightweight system can accurately and effectively identify Internet traffic with good scalability to accommodate both known and unknown/encrypted applications. Furthermore, It promises to satisfy various Internet uses and is feasible for use in real-time line speed applications. Our experimental results show the distinct advantages of the proposed classification system.

Meng Qin,Kai Lei,Bo Bai,Gong Zhang

DOI: https://doi.org/10.1145/3341216.3342213

2019-01-01

Abstract:In this paper, we study the network traffic classification task. Different from existing supervised methods that rely heavily on the labeled statistic features in a long period (e.g., several hours or days), we adopt a novel view of unsupervised profiling to explore the flow features and link patterns in a short time window (e.g., several seconds), dealing with the zero-day traffic problem. Concretely, we formulate the traffic identification task as a graph co-clustering problem with topology and edge attributes, and proposed a novel Hybrid Flow Clustering (HFC) model. The model can potentially achieve high classification performance, since it comprehensively leverages the available information of both features and linkage. Moreover, the two information sources integrated in HFC can also be utilized to generate the profiling for each flow category, helping to reveal the deep knowledge and semantics of network traffic. The effectiveness of the model is verified in the extensive experiments on several real datasets of various scenarios, where HFC achieves impressive results and presents powerful application ability.