Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

LIU Qiong,LIU Zhen,HUANG Min

DOI: https://doi.org/10.3969/j.issn.1002-137x.2010.12.008

2010-01-01

Computer Science

Abstract:To identify the traffic based on the application in a large network, the major part is traffic classification and it is useful to provide quality of service, lawful interception and intrusion detection. A number of limitations have been exhibited by older methods such as port-based and payload based classification. Hence Machine learning techniques are used by the research community to analyse the flow statistics for detecting network applications. The statistical based approach is used here for traffic identification and classification process. The statistical features are flow size, flow duration, TCP port, packet inter-arrival times statistics, total number of packets, mean packet length, protocol, number of bytes transferred. There are two types of machine learning algorithms such as supervised and unsupervised algorithms. These two machine learning algorithms are analysed with datasets respectively based on the set of algorithms. By evaluating the results of supervised and unsupervised algorithms respectively, best algorithm from each technique is combined together to yield

Heyi Tang,Yong Cui,Jianping Wu,Xiaowei Yang,Zhenjie Yang

DOI: https://doi.org/10.1145/3326285.3329050

2019-01-01

Abstract:Network traffic classification is important to network operators to ensure visibility of traffic. Network management, monitoring, and other services are built upon such classification results for improving quality of service. Compared with traffic classification in non-mobile setting, classification in mobile settings focuses on applications and has become increasingly important. Traditionally, a rule-based method is deployed in a deep packet inspector (DPI) engine for traffic classification. However, with the explosive growth in application usage, the complicated relationships including the use of content delivery networks (CDN) and sharing behaviors among applications make such methods less effective. The traffic may be identified wrongly when one application is connected to another application's server. In this work, we present TRAC: T rigger R elationship A ware traffic C lassification, a systematic framework for classifying mobile traffic accurately. In TRAC, we first propose Trigger Relationship Graph model to describe the relationships among applications. Then, we introduce a Trigger Relationship Analyzer to build the graph based on a modified frequent item set mining method. TRAC classifies the traffic based on the application labels identified by a DPI engine. An Application Label Corrector is designed to correct the application labels based on the graph. We evaluate TRAC with one-month data collected from an enterprise network. The evaluation shows that our method can achieve a 17.4% accuracy improvement, from 64.8% to 82.2%.

Tao Qin,Lei Wang,Zhaoli Liu,Xiaohong Guan

DOI: https://doi.org/10.1016/j.knosys.2015.03.002

IF: 8.139

2015-01-01

Knowledge-Based Systems

Abstract:Application identification plays an essential role in network management such as intrusion detection and security monitoring. But the continuous growth of bandwidth and massive amount of packets pose serious challenges for efficacious and accurate application identification. In this paper, we develop a new method to reduce the number of packets being processed while achieving the goal of accurate P2P and VoIP application identification. Firstly, we employ the Bi-flow model to aggregate traffic packets into Bi-flow, which can capture the exchange behavior characteristics between different terminals. Then we employ the signature of Packet Size Distribution (PSD) to capture flow dynamics, which is defined as the payload length distribution probability of the packets in one Bi-flow. Secondly, we collect PSD of several different P2P and VoIP applications and the analysis results show that PSD of different applications are different with each other, which can be used as features to perform traffic identification. We also find the PSD characteristics of one Bi-flow can be captured by its first few packets, which demonstrate our methods can identify the Bi-flow quickly after its establishment. We employ the Renyi cross entropy to perform identification by calculating the similarity between PSD of the Bi-flow being identified and that of specific application. If the similarity is higher than a selected threshold, the Bi-flow being identified is classified to the specific application. Finally, as the PSD is a type of probability feature which is not sensitive to packet lose, we integrate the Poisson sampling method into our framework to process the massive data in backbone networks. Experimental results using the artificial and actual traces collected from monitoring platform in the Northwest Center of CERNET (China Education and Research Network) verify the accuracy and robustness of our method.

Dawei Wang,Luoshi Zhang,Zhenlon Yuan,Yibo Xue,Yinfei Dong

DOI: https://doi.org/10.1109/iccnc.2014.6785298

2014-01-01

Abstract:Network traffic classification is critical to both network management and system security. However, existing traffic classification techniques become less effective as more P2P applications use proprietary protocols for delivery and encryption. Especially, current techniques usually focus on individual flows and do not consider all flows associated with an application together. To address this issue, this paper proposes a novel Application Behavior Characterization (ABC) technique. We design a novel application behavior feature extracting method and an effective classification algorithm, which explore the correlation of multiple flows of a specific application. We evaluate the proposed method with real network traffic. The experimental results show that it can correctly identify flows belonging to a set of known P2P applications (such as Skype, Thunder, and PPTV) with a probability over 90%. Moreover, it can further identify the particular application that a flow belongs to with a precision of 90% on average. More information about implementing and deploying ABC can be found in a technical report [10].

Jun Li,Shunyi Zhang,Cuilian Li,Junrong Yan

DOI: https://doi.org/10.1002/nem.735

2010-01-01

International Journal of Network Management

Abstract:Accurate and real-time classifi cation of network traffic is significant to a number of network operation and management tasks such as quality of service differentiation, traffic shaping and security surveillance. However, with emerging P2P applications using dynamic port numbers, IP masquerading techniques and payload encryption, accurate and intelligent traffic classification continues to be a big challenge despite a wide range of research work on the topic. Since each classification method has its disadvantages and hardly could meet the specific requirement of Internet traffic classification, this paper innovatively presents a composite traffic classification system. The proposed lightweight system can accurately and effectively identify Internet traffic with good scalability to accommodate both known and unknown/encrypted applications. Furthermore, It promises to satisfy various Internet uses and is feasible for use in real-time line speed applications. Our experimental results show the distinct advantages of the proposed classification system.

Hongtao Guan,Jianping Wu,Youjian Zhao,Zhenhua Liu,Xiaoping Zhang

DOI: https://doi.org/10.1049/cp:20080866

2008-01-01

Abstract:Packet classification is critical for applications such as traffic measurement, intrusion detection, and differentiated services. In most of existing methods, software has to participate in the procedure of classification information modification, which will degrade the performance of the system. In this paper, methods without software assistingare studied and a novel high speed packet classification method is proposed, which is especially suitable for traffic measurement systems. For the consideration of performance, TCAM and SRAM are widely used. Real link database from CAIDA is used to test the method and the results show that the system has the ability to process packets correctly when link speed is as high as 10Gbps. The method has been implemented at the T-Tester platform, which is capable of the measurement for OC192 link.

Guorui Xie,Qing Li,Yong Jiang,Tao Dai,Gengbiao Shen,Rui Li,Richard Sinnott,Shutao Xia

DOI: https://doi.org/10.1145/3405671.3405811

2020-01-01

Abstract:Network traffic classification categorizes traffic classes based on protocols (e.g., HTTP or DNS) or applications (e.g., Facebook or Gmail). Its accuracy is a key foundation of some network management tasks like Quality-of-Service (QoS) control, anomaly detection, etc. To further improve the accuracy of traffic classification, recent researches have introduced deep learning based methods. However, most of them utilize the privacy-concerned payload (user data). Besides, they generally do not consider the dependency of bytes in a packet, which we believe can be exploited for the more accurate classification. In this work, we treat the initial bytes of a network packet as a language and propose a novel Self-Attention based Method (SAM) for traffic classification. The average F1-scores of SAM on protocol and application classification are 98.62% and 98.93%. With the higher accuracy of SAM, better QoS and anomaly detection can be met.

Muhammad Shafiq,Xiangzhan Yu,Asif Ali Laghari,Lu Yao,Abin Kumar Karn,Oudil Abdessamia

DOI: https://doi.org/10.1109/compcomm.2016.7925139

2016-01-01

Abstract:Network Traffic Classification is a central topic nowadays in the field of computer science. It is a very essential task for Internet service providers (ISPs) to know which types of network applications flow in a network. Network Traffic Classification is the first step to analyze and identify different types of applications flowing in a network. Through this technique, internet service providers or network operators can manage the overall performance of a network. There are many methods traditional technique to classify internet traffic like Port Based, Pay Load Based and Machine Learning Based technique. The most common technique used these days is Machine Learning (ML) technique. Which is used by many researchers and got very effective accuracy results. In this paper, we discuss network traffic classification techniques step by step and real time internet data set is develop using network traffic capture tool, after that feature extraction tool is use to extract features from the capture traffic and then four machine learning classifiers Support Vector Machine, C4.5 decision tree, Naïve Bays and Bayes Net classifiers are applied. Experimental analysis shows that C4.5 classifiers gives very good accuracy result as compare to other classifies.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

Zhen Liu,Ruoyu Wang,Deyu Tang

DOI: https://doi.org/10.1016/j.future.2018.05.079

IF: 7.307

2018-11-01

Future Generation Computer Systems

Abstract:Mobile traffic classification is critically important for the decision-making of network management such as traffic shaping and traffic pricing. Labeled traffic data are the requisite of classification performance evaluation. However, existing works mostly acquired labeled traffic on a simulation environment such as individually running a specific app on mobile devices to collect its traffic. This way is slow and not scalable. This paper devises a scheme to automatically link the ground truth to mobile traffic. A set of labeled traffic data are firstly collected by our previously presented mobilegt (a system to collect mobile traffic and build the ground truth) on the monitored mobile devices. But these traffic are limited to the monitored nodes. Therefore, we present a method named ELD (Extending Labeled Data) to identify the label of newly unknown mobile traffic, so as to extend the labeled mobile traffic data. ELD proceeds traffic identification into packet header, packet payload and flow statistic levels. The three levels’ traffic identification tasks are implemented by ServerTag, payload distribution inspection and Random Forest respectively. ELD is able to identify the mobile traffic with encrypted payload. The cross validation results show that ELD achieves 99% flow accuracy and 95.4% byte accuracy on average when the flow and byte completeness are respectively 86.5% and 65.5%. The results also prove that ELD outperforms existing works, nDPI and Libprotoident, on labeling mobile network traffic.

Shijun Huang,Kai Chen,Chao Liu,Alei Liang,Haibing Guan

DOI: https://doi.org/10.1109/icumt.2009.5345539

2009-01-01

Abstract:This Internet traffic classification using Machine Learning is an emerging research field since 1990's, and now it is widely used in numerous network activities. The classification technique focuses on modeling attributes and features of data flows to accomplish the identification of applications. In the paper we design and implement the classification model based on header-derived flow statistical features. Compared with the traditional methods, the model designed here, which is totally insensitive to port numbers and contents of payload on application level, overcomes difficulty in operation caused by unreliable port numbers and complexity of payload interpretation. Rather than relatively complex ML algorithms or even in mixture, supervised k-Nearest Neighbor estimator is adopted for the sake of computational efficiency, along with the effective and easy-to-calculate statistical features selected according to the operational background. Our results indicate that about 90% accuracy on per-flow classification can be achieved, which is a vast improvement over traditional techniques that achieve 50-70%.

WU Fei,ZENG Fan-ping,XIONG Neng,DENG Chao-qiang,DONG Qi-xing

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.10.007

2012-01-01

Abstract:The accuracy of IP flow classification based on the characteristics of the application layer is relatively high,but it will cost a lot of time to match the feature library when the feature library is huge.To solve this problem,this paper proposes an approach of traffic classification that combines the characteristics of the application layer with heuristic search.First,we extract the common features from the packets generated by a variety of applications to establish the heuristic rules.Second,we divide the feature library into several feature subsets according to heuristic rules.Then in the process of traffic classification,we only need to match a specific feature subset according to heuristic rules,so the matching of irrelevant features can be greatly reduced,the feature subset is more targeted to be matched and the time performance is improved.For some applications we use DNS as a guide in traffic classification,overcoming the drawback that the encrypted data can not be identified based on the characteristics of the application layer.This paper realizes the algorithm with C language and compares it with l7-filter.The experiments show that the offline classification speed of the method presented in this paper is as 6-10 times as l7-filter,and the accuracy of identifying traffic of various application in our method can reach more than 98%.

Donghong Qin,Jiahai Yang,Jiamian Wang,Bin Zhang

DOI: https://doi.org/10.1109/icct.2011.6158005

2011-01-01

Abstract:With the rapid development of Internet, many network applications (e.g., P2P) use dynamic ports and encryption technology, which makes the traditional port and payload-based classification methods ineffective. Hence, it is important and necessary to find the more effective ones. Currently the machine learning (ML) techniques provide a promising alternative one for IP traffic classification. In this work, we use the ML-based classification method to identify the classes of the unknown flows using the payload-independent statistical features such as packet-length and arrival-interval. In order to improve the efficiency of the classification methods, the feature reduction techniques are further adopted to refine the selected features for attaining a best group of features. Finally we compare and evaluate the ML classification algorithms based on the BRASIL data source in terms of the three metrics such as overall accuracy, average precision and average recall. Our experiments show that the decision-tree algorithm is the best ML one for IP traffic classification and is able to construct the real-time classification system.

Wei Li

2007-01-01

Abstract:This report documents my work in the first year as a research st uden . I devised a classification method for accurate online network ap plication classification. It does not rely on port numbers, works without inspect ion of packet payload but collects statistical features, using information from the headers of first several packets. I used a semi-automatic supervised machine learni ng approach to build the feature set and to tune the parameters, in order to train t he final classifier. I codesigned a prototype feature-capture and classification in frastructure and carried out experiments to evaluate the method based on two real pack et traces. Finally, only 12 features are collected from 5 packets at the start of e ach connection flow. The resulting classifier recognised different types of appl ications with up to 99.8% total accuracy.

Xin Wang,Shuhui Chen,Jinshu Su

DOI: https://doi.org/10.1155/2020/4707909

2020-02-19

Wireless Communications and Mobile Computing

Abstract:The proliferation of mobile devices over recent years has led to a dramatic increase in mobile traffic. Demand for enabling accurate mobile app identification is coming as it is an essential step to improve a multitude of network services: accounting, security monitoring, traffic forecasting, and quality-of-service. However, traditional traffic classification techniques do not work well for mobile traffic. Besides, multiple machine learning solutions developed in this field are severely restricted by their handcrafted features as well as unreliable datasets. In this paper, we propose a framework for real network traffic collection and labeling in a scalable way. A dedicated Android traffic capture tool is developed to build datasets with perfect ground truth. Using our established dataset, we make an empirical exploration on deep learning methods for the task of mobile app identification, which can automate the feature engineering process in an end-to-end fashion. We introduce three of the most representative deep learning models and design and evaluate our dedicated classifiers, namely, a SDAE, a 1D CNN, and a bidirectional LSTM network, respectively. In comparison with two other baseline solutions, our CNN and RNN models with raw traffic inputs are capable of achieving state-of-the-art results regardless of TLS encryption. Specifically, the 1D CNN classifier obtains the best performance with an accuracy of 91.8% and macroaverage F -measure of 90.1%. To further understand the trained model, sample-specific interpretations are performed, showing how it can automatically learn important and advanced features from the uppermost bytes of an app’s raw flows.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shahbaz Rezaei,Xin Liu

DOI: https://doi.org/10.1109/ICCCN49398.2020.9209652

2020-05-09

Abstract:Traffic classification has various applications in today's Internet, from resource allocation, billing and QoS purposes in ISPs to firewall and malware detection in clients. Classical machine learning algorithms and deep learning models have been widely used to solve the traffic classification task. However, training such models requires a large amount of labeled data. Labeling data is often the most difficult and time-consuming process in building a classifier. To solve this challenge, we reformulate the traffic classification into a multi-task learning framework where bandwidth requirement and duration of a flow are predicted along with the traffic class. The motivation of this approach is twofold: First, bandwidth requirement and duration are useful in many applications, including routing, resource allocation, and QoS provisioning. Second, these two values can be obtained from each flow easily without the need for human labeling or capturing flows in a controlled and isolated environment. We show that with a large amount of easily obtainable data samples for bandwidth and duration prediction tasks, and only a few data samples for the traffic classification task, one can achieve high accuracy. We conduct two experiment with ISCX and QUIC public datasets and show the efficacy of our approach.

Machine Learning

Qiuping Zhu,Dong Li,Yi Xin,Xiangzhan Yu,Guocai Mu

DOI: https://doi.org/10.1007/978-3-030-24268-8_9

2019-01-01

Abstract:With the rapid development of the Internet, the scale of Internet users has been expanding. At the same time, various mobile phone applications have emerged in an endless stream. While providing users with a variety of services, it also leads to the difficulty of user identification. All those things bring new challenges to traffic identification. Based on the importance of Internet traffic identification for Internet management and security, this paper describes the classification methods and problems faced by Internet traffic identification. Moreover, current work about user-related and application-related traffic identification methods is summarized and analyzed. At the end of this article, we will discuss the future research prospects of traffic identification and summarize the content of the article.

Runyuan Sun,Bo Yang,Lizhi Peng,Zhenxiang Chen,Lei Zhang,Shan Jing

DOI: https://doi.org/10.1109/icnc.2010.5584648

2010-01-01

Abstract:Traffic classification, a branch of passive network measurement, becomes more and more important for network management. As traditional traffic classification techniques like port-based and payload-based techniques become ineffective for complicated internet applications which use dynamic port number and encryption techniques to avoid detection, machine learning based techniques gained more and more attentions in the past few years. But there are few studies that focus on applying neural computation techniques for traffic classification. In this paper, we use a distributed host based traffic collection platform (DHTCP) to gather traffic samples with accurate application information on user hosts. Then probabilistic neural network was used to traffic classification. Web and P2P traffics were studied since they are the most predominant internet traffic types. experimental results show that probabilistic neural network is an effective machine learning technique for traffic identification.