Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Tao Qin,Lei Wang,Zhaoli Liu,Xiaohong Guan

DOI: https://doi.org/10.1016/j.knosys.2015.03.002

IF: 8.139

2015-01-01

Knowledge-Based Systems

Abstract:Application identification plays an essential role in network management such as intrusion detection and security monitoring. But the continuous growth of bandwidth and massive amount of packets pose serious challenges for efficacious and accurate application identification. In this paper, we develop a new method to reduce the number of packets being processed while achieving the goal of accurate P2P and VoIP application identification. Firstly, we employ the Bi-flow model to aggregate traffic packets into Bi-flow, which can capture the exchange behavior characteristics between different terminals. Then we employ the signature of Packet Size Distribution (PSD) to capture flow dynamics, which is defined as the payload length distribution probability of the packets in one Bi-flow. Secondly, we collect PSD of several different P2P and VoIP applications and the analysis results show that PSD of different applications are different with each other, which can be used as features to perform traffic identification. We also find the PSD characteristics of one Bi-flow can be captured by its first few packets, which demonstrate our methods can identify the Bi-flow quickly after its establishment. We employ the Renyi cross entropy to perform identification by calculating the similarity between PSD of the Bi-flow being identified and that of specific application. If the similarity is higher than a selected threshold, the Bi-flow being identified is classified to the specific application. Finally, as the PSD is a type of probability feature which is not sensitive to packet lose, we integrate the Poisson sampling method into our framework to process the massive data in backbone networks. Experimental results using the artificial and actual traces collected from monitoring platform in the Northwest Center of CERNET (China Education and Research Network) verify the accuracy and robustness of our method.

Mingjiang Ye,Jianping Wu,Ke Xu,Dah Ming Chiu

DOI: https://doi.org/10.1016/j.comcom.2010.01.005

2009-01-01

Abstract:Classifying network traffic according to its applications is important to a broad range of network areas. Since new applications, especially P2P applications, no longer use well-known fixed port numbers, the native port based traffic classification technique has become much less effective. In this paper, we propose a novel approach to identify P2P traffic by leveraging on the data transfer behaviour of P2P applications. The behaviour investigated in the paper is that downloaded data from a P2P host will be uploaded to other hosts later. To find the shared data of downloading flows and uploading flows online, the content based partitioning schema is used to partition the flows into data blocks. Flows sharing the same data blocks are identified as P2P flows. The effectiveness of this method is demonstrated by experiments on various P2P applications. The results show that the algorithm can identify P2P applications very accurately while only keeping a small set of data blocks. The method is generic and can be applied to most P2P applications.

Xiaoyu Ma,Feiyan Chen

DOI: https://doi.org/10.4028/www.scientific.net/amr.433-440.5193

2012-01-01

Advanced Materials Research

Abstract:The P2P streaming media technology is popular and promising in recent years, to ensure the correctness of the identification method, and improve the identification rate and accuracy of the network traffic, this paper proposes a identification principle and algorithm of the P2P network traffic, and gives the overall structure of the system, Finally, puts up the system test environment. The experimental results show that the identification method of the network traffic proposed in this paper can effectively improve the identification rate and accuracy of the network traffic, the scheme has the value of further research and promotion.

Paola Bermolen,Marco Mellia,Michela Meo,Dario Rossi,Silvio Valenti

DOI: https://doi.org/10.1016/j.comnet.2010.12.004

IF: 5.493

2011-04-01

Computer Networks

Abstract:Peer-to-Peer streaming (P2P-TV) applications offer the capability to watch real time video over the Internet at low cost. Some applications have started to become popular, raising the concern of Network Operators that fear the large amount of traffic they might generate. Unfortunately, most of P2P-TV applications are based on proprietary and unknown protocols, and this makes the detection of such traffic challenging per se. In this paper, we propose a novel methodology to accurately classify P2P-TV traffic and to identify the specific P2P-TV application which generated it. Our proposal relies only on the count of packets and bytes exchanged among peers during small time-windows: the rationale is that these two counts convey a wealth of useful information, concerning several aspects of the application and its inner workings, such as signaling activities and video chunk size.Our classification framework, which uses Support Vector Machines, accurately identifies P2P-TV traffic as well as traffic that is generated by other kinds of applications, so that the number of false classification events is negligible. By means of a large experimental campaign, which uses both testbed and real network traffic, we show that it is actually possible to reliably discriminate between different P2P-TV applications by simply counting packets.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1109/glocom.2008.ecp.475

2008-01-01

Abstract:Accurate and fast identification of network traffic is an important element of many network management tasks such as QoS provisioning and security monitoring. However, as many newly-emerged Peer-to-Peer (P2P) applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, the classical approaches based on port mapping and payload analysis are ineffective. An alternative approach is to classify traffic by distinguishing the behavior of an application within the first few packets of TCP connection. We pursue this approach and demonstrate that information of few packets is enough to effectively identify P2P traffic. In our work, C4.5 decision tree and REPTree are evaluated and compared with the previously used clustering method K-Means. Experimental results show that our approaches outperform K- Means algorithm in accuracy. In addition, the proposed approaches can accommodate known and unknown P2P traffic and even encrypted traffic in fast and accurate way, which ensures the real-time applications on the Internet traffic surveillance and QoS provisioning.

Lu Xing,Duan Haixin,Li Xing

DOI: https://doi.org/10.1109/ISCIT.2007.4392088

2007-01-01

Abstract:Identification of P2P traffic is very useful for many network management tasks such as application-specific traffic engineering, network planning and monitoring. However, this is a challenging issue because many P2P applications use dynamic port numbers, and deriving signatures that can he used for reliable detection manually is time consuming and difficult. In this paper, we propose a novel approach to detect P2P traffic without any application-specific signatures. It is based on the content redistribution characteristic of P2P protocol: every peer acts both as a server and a client, so it will redistribute the content received to other peers. To evaluate our approach, we use traces collected in our campus network and a signature-based classifier is also implemented. Experiment results show that the approach can be used to identify known and unknown P2P traffic with very low false positive rate, and achieves high accuracy when detecting P2P streaming traffic.

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Jun Li,Shunyi Zhang,Cuilian Li,Junrong Yan

DOI: https://doi.org/10.1002/nem.735

2010-01-01

International Journal of Network Management

Abstract:Accurate and real-time classifi cation of network traffic is significant to a number of network operation and management tasks such as quality of service differentiation, traffic shaping and security surveillance. However, with emerging P2P applications using dynamic port numbers, IP masquerading techniques and payload encryption, accurate and intelligent traffic classification continues to be a big challenge despite a wide range of research work on the topic. Since each classification method has its disadvantages and hardly could meet the specific requirement of Internet traffic classification, this paper innovatively presents a composite traffic classification system. The proposed lightweight system can accurately and effectively identify Internet traffic with good scalability to accommodate both known and unknown/encrypted applications. Furthermore, It promises to satisfy various Internet uses and is feasible for use in real-time line speed applications. Our experimental results show the distinct advantages of the proposed classification system.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

Tom Z. J. Fu,Yan Hu,Xingang Shi,Dah-Ming Chiu,John C. S. Lui

DOI: https://doi.org/10.1007/978-3-642-00975-4_16

2009-01-01

Abstract:Due to the significant increase of peer-to-peer (P2P) traffic in the past few years, more attentions are put on designing effective methodologies of monitoring and identifying P2P traffic. In this paper, we propose a novel approach to measure and discover the special characteristics of P2P applications, the periodic behaviors, from the packet traces. We call this the "periodic behavioral spectrum" (PBS) of P2P applications. This new finding, learning the characteristics of P2P traffic from a new angle, could enhance our understanding on P2P applications. To show the effectiveness of our approach, we not only provide justifications as to why P2P applications should have some inherent periodic behaviors, but also conduct hundreds of experiments of applying the approach on several popular P2P applications.

Dongyan Zhang,Chao Zheng,Hongli Zhang,Hongliang Yu

DOI: https://doi.org/10.1109/iciw.2010.36

2010-01-01

Abstract:More and more applications are adopting peer-to-peer (P2P) technology. Skype is a P2P based, popular VoIP software. The software works almost seamlessly across Network Address Translations (NATs) and firewalls and has better voice quality than most IM applications. The communication protocol and source code of Skype are undisclosed. It uses high strength encryption and random port number selection, which render the traditional flow identification solutions invalid. In this paper, we first obtain the Skype clients and super nodes by analyzing the process of login and calling in different network environments. Then we propose a method to identify Skype traffic based on Skype nodes and flow features. Our proposed method makes the previously hard-to-detect Skype traffic, especially voice service traffic, much easier to identify. We design an identification system utilizing the proposed method and implement the system in a LAN network. We also successfully identified Skype traffic in one of the largest Internet Providers over a period of 93 hours, during which over 30TB data were transmitted. Through experiments, we show that our proposed approach and implementations can indeed identify Skype traffic with higher accuracy and effectiveness.

Pinghui Wang,Xiaohong Guan,Tao Qin

DOI: https://doi.org/10.1109/camad.2009.5161471

2009-01-01

Abstract:Peer-to-Peer (P2P) protocol is widely used in many network applications and P2P traffic is becoming dominating in the current Internet and may cause serious congestion. Recently, P2P applications tend to intentionally disguise their traffic flows by using arbitrary ports, which leads the accurate identification of P2P traffic to become a very difficult job and hot research topic in network traffic control. In this paper, we employ the longest common subsequence to identify the key packets from the traffic flows, and present a new method to identify the P2P flows based on the signatures of key packets with only direction and payload length in the first few packets of a flow. We test the new method with four popular P2P applications in the actual network environment and the results show that the new method has high accuracy and efficiency since only a few packets in each flow needs to be analyzed. The new method is suitable for real time traffic management and monitoring.

Xiaoxian Chen,Zhenlong Yuan,Yibo Xue

DOI: https://doi.org/10.1109/iccnc.2014.6785437

2014-01-01

Abstract:Tencent QQ is the most popular instant message communication tool in China, which has more than 780 million users and thus generates huge traffic on the Internet. However, due to its proprietary protocol and encryption mechanism, it is very hard to identify QQ traffic at a fine-grained flow level. To solve this issue, this paper proposes a novel identification method, which uses a Payload and Behavior Combination (PBC) technology. PBC combines the packet payload characteristics with behavior characteristics existing in the QQ communication process. The experimental results show that PBC has a good identification accuracy in dealing with QQ traffic.

YU Hao,XU Mingwei

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.04.041

2009-01-01

Abstract:P2P flows occupy 60%-70% of the entire network traffic with transfers of non-licensed content and security problems affecting HTTP,EMAIL,and other traditional applications.ISP and network operators need to manage P2P traffic to ensure the performance of traditional applications.To accomplish this goal,the system must first identify the P2P traffic.Current identification technology can be generally divided into three categories as packet level methods,flow level methods,and node level methods.This paper surveys the advantages and disadvantages of the current P2P flow identification methods.A variety of methods are combined to more effectively detect P2P flow.The survey also indicates new directions in P2P detection.

Zhou Wengang,Chen Leiting,Dong Shi

DOI: https://doi.org/10.3724/sp.j.1187.2013.01114

2013-01-01

JOURNAL OF ELECTRONIC MEASUREMENT AND INSTRUMENT

Abstract:A number of network activities can benefit from accurate traffic classification and identification. However, the current classification methods, either port-based or payload-based, are becoming ineffective as many P2P applications use dynamic port numbers, masquerading techniques, and encryption to avoid detection. This paper discusses and explores a new method that is based on supervised machine learning mechanisms, which eliminate the inherent limitations of port-based or payload-based methods. A series of experiments show that, combined with a fast correlation-based feature selection filter, better performance and more accurate identification results can be obtained using the neural network method. Due to all the favorable features and satisfactory performance, the proposed methods are promising for internet traffic classification.

Zhenlong Yuan,Yibo Xue,Yingfei Dong

DOI: https://doi.org/10.1109/CNS.2013.6682724

2013-01-01

Abstract:Network traffic classification is critical to both network management and security. Identifying application traffic at the flow level with signature matching has been widely used as the most efficient method due to its reliability and robustness. However, due to the increasing number of applications and their frequent updates, we have to constantly regenerate application signatures, which is both resource intensive and time consuming. To address this issue, we propose to explore the unique characteristics in packet sequences and discovered two types of packet sequence signatures. We introduce our design and implementation of an automated packet-sequence signature construction (APSC) system, based on association rule mining and data clustering technologies. This system can not only automatically generate traditional signatures from individual packet payloads but also construct new packet sequence signatures based on payloads or features from packet sequences, even for encrypted flows. To the best of our knowledge, this is the first practical and efficient system that supports automated packet sequence signature construction. Our experimental results show that the proposed system can automatically construct high quality signatures for a variety of application with limited overhead.

Zhongqiang Chen,Alex Delis,Peter Wei

DOI: https://doi.org/10.1142/s0218843008001750

2008-01-01

International Journal of Cooperative Information Systems

Abstract:Sessions generated by Instant Messaging and Peer-to-Peer systems (IM/P2Ps) not only consume considerable bandwidth and computing resources but also dramatically change the characteristics of data flows affecting both the operation and performance of networks. Most IM/P2Ps have known security loopholes and vulnerabilities making them an ideal platform for the dissemination of viruses, worms, and other malware. The lack of access control and weak authentication on shared resources further exacerbates the situation. Should IM/P2Ps be deployed in production environments, performance of conventional applications may significantly deteriorate and enterprise data may be contaminated. It is therefore imperative to identify, monitor and finally manage IM/P2P traffic. Unfortunately, this task cannot be easily attained as IM/P2Ps resort to advanced techniques to hide their traces including multiple channels to deliver services, port hopping, message encapsulation and encryption. In this paper, we propose an extensible framework that not only helps to identify and classify IM/P2P-generated sessions in real time but also assists in the manipulation of such traffic. Consisting of four modules namely, session manager, traffic assembler, IM/P2P dissector, and traffic arbitrator, our proposed framework uses multiple techniques to improve its traffic classification accuracy and performance. Through fine-tuned splay and interval trees that help organize IM/P2P sessions and packets in data streams, we accomplish stateful inspection, traffic re-assembly, data stream correlation, and application layer analysis that combined will boost the framework's identification precision. More importantly, we introduce IM/P2Ps "plug-and-play" protocol analyzers that inspect data streams according to their syntax and semantics; these analyzers render our framework easily extensible. Identified IM/P2P sessions can be shaped, blocked, or disconnected, and corresponding traffic can be stored for forensic analysis and threat evaluation. Experiments with our prototype show high IM/P2Ps detection accuracy rates under diverse settings and excellent overall performance in both controlled and real-world environments.

Chen Yang,Zheyuan Gu,Yuhao Wei,Gang Xiong,Gaopeng Gou,Shan Yao,Yang Yu

DOI: https://doi.org/10.1109/ipec61310.2024.00125

2024-01-01

Abstract:Techniques for classifying encrypted traffic typically rely on learning the interaction patterns between communicating parties to determine the traffic category. However, with the widespread application of asymmetric routing mechanisms and link load balancing, a large volume of network equipment cannot observe the complete bidirectional traffic, posing challenges to the deployment of existing methods. In order to solve this problem, research into unidirectional encrypted traffic classification methods has gradually emerged. In this paper, we provide a comprehensive survey of existing unidirectional encrypted traffic classification methods and showcase the latest research progress in this field. Based on how to resolve the contradiction between unidirectional traffic data and model reliance on bidirectional interaction features, we categorize existing methods into three main types: 1) unidirectional feature separation-based methods, 2) unidirectional feature mining-based methods, and 3) pairwise feature prediction-based methods. This paper details the characteristics of each method and discusses their advantages and disadvantages. We hope our work will draw researchers’ attention to the real-world network environment, thereby better promoting the development of the encrypted traffic classification field.

Xiaodong Zang,Jian Gong,Maoli Wang,Peng Gao,Guowei Zhang

DOI: https://doi.org/10.1016/j.jnca.2023.103603

IF: 7.574

2023-04-01

Journal of Network and Computer Applications

Abstract:Discovering and describing IP traffic behavior is becoming more and more significant for efficient network management and security monitoring. Recently, many modeling techniques have been proposed, most of which focused on properties of a single dimension, such as volume-based or spatial-based. Characterizing IP traffic behavior with individual dimension features is often insufficient as they are spatiotemporally correlated. In this paper, we demonstrate that IP traffic behavior can be profiled from the perspective of end users’ access relationship. We find that groups of IPs have similar behavior traits, and with insights from the identified behavior profiles, we can discover malicious traffic behavior in the overwhelming measurement data. To this end, firstly, we extract a collection of features to profile traffic behavior from the dimension of temporal, spatial, category, and intensity. Then, we characterize and model the rhythmic behavior, the cyclical behavior, the access stable behavior, the service diversity behavior, and the hotspot behavior. Finally, we use the open-source dataset, synthetic data, and the real Internet Netflow data collected from the China Education Research Network backbone (CERNET) to empirically validate our proposal. Extensive results demonstrate that the applications of derived traffic patterns can achieve fine-grained traffic monitoring.

computer science, interdisciplinary applications, software engineering, hardware & architecture