Changsheng Miao,Lu Meng,Changqing Yuan,Xingwei Wang,Guiran Chang

DOI: https://doi.org/10.1504/ijwmc.2013.057575

2013-01-01

International Journal of Wireless and Mobile Computing

Abstract:Traffic classification has wide applications in network measurements, network security and quality of service. Recent research tends to apply machine learning methods based on flow statistical features to improve traffic classification performance. In this paper, we propose a novel non-parametric approach for traffic classification, which can improve the classification performance effectively by incorporating correlated information into the classification process. Meanwhile, our system employs a lightweight modular architecture, which combines a series of simple linear binary classifiers, each of which can be efficiently implemented and trained on vast amounts of flow data in parallel, to achieve scalability while attaining high accuracy. A large number of experiments are carried out on real traffic data to validate the proposed approach. The results show that the traffic classification performance can be improved significantly while meeting the scalability and stability requirements of large networks.

Changyu Wang,Xiaohong Guan,Tao Qin,Pinghui Wang,Jing Tao,Yongwei Meng,Jingyuan Liu

DOI: https://doi.org/10.1016/j.knosys.2020.106192

IF: 8.139

2020-01-01

Knowledge-Based Systems

Abstract:Previous machine learning-based network traffic classification approaches hold the assumption that training and testing network environment are of the same. This assumption is invalid in most real cases due to the changes in traffic features and leads to the train-test gap issue: the model trained in the training environment performs poorly in the testing environment. In this paper, to address the gap, we propose CSA: a traffic classification approach based on packet-wise segmentation and aggregation. Firstly, we observe that some specific fragments of network flows - subflows - are robust against the gap. Therefore, we are motivated to segment the traffic flows into different subflows. Afterward, with the justification of our feature selection, 26 statistical features are extracted from each subflow and input into its corresponding sub-classifier. Secondly, with the results from sub-classifiers, we develop an aggregation method based on their classification accuracy to increase the overall classification performance. We experiment on five real datasets, including three collected from the Northwest Center of CERNET (China Education and Research Network) and two from public traces. By comparing with state-of-the-art baselines, the experiment results demonstrate the effectiveness of our CSA against the gap. (C) 2020 Published by Elsevier B.V.

Yu Wang,Shun-Zheng Yu

DOI: https://doi.org/10.4304/jnw.4.7.622-629

2009-01-01

Journal of Networks

Abstract:Network traffic classification plays an important role in various network activities. Due to the ineffectiveness of traditional port-based and payload-based methods, recent works proposed using machine learning methods to classify flows based on statistical characteristics. In this study, we present a comprehensive evaluation of the effectiveness of these statistical methods for real-time traffic classification problem. We evaluate three different flow feature sets that are used to capture distinct properties of each application, two of them consist of features generated from full flows and the third is made up of early sub-flow statistics derived from the first few packets of each flow. We compare various supervised machine learning schemes to identify the one most suitable for traffic classification. We also apply feature selection to identify the most significant features. The results indicate that statistical characteristics of traffic flows are capable to distinguish applications; in particular it’s feasible to use the features derived from early sub-flows for realtime traffic classification. The results also indicate that classifiers based on decision tree outperform others, as they obtain highest accuracy and fastest classifying speed.

Phuylai Oeung,Fuke Shen

DOI: https://doi.org/10.1109/icoin.2019.8717977

2019-01-01

Abstract:Machine learning (ML)-based traffic classification has been gaining increasing importance due to the declining port-based and payload-based approaches. However, the packet-level method is the most common measure used in the previous works, which requires additional hardware device to manage and monitor, increasing cost as well as extra works of the network personnel. In this paper, we propose a methodology to build an efficient classifier from NetFlow which is the widely applied monitoring solution among network operators in the form of flow-level. First, we analyze the per-application performance through the C4.5 decision tree with the features derived from the NetFlow records. The result shows that the accuracy obtained is as good as the packet-level method. We further propose the ensemble feature selection (FS) method to improve the classification accuracy and to reduce the computational complexity. Lastly, we present the clustering-based under-sampling combining with synthetic minority over-sampling technique (SMOTE) approach to solving the problem of the concept drift and the imbalanced dataset, and we extract insights and recommendation for practical application. With the combination of proposed methods, the experiment result reports high F-measure over two traces containing the wide range of applications with low computational complexity.

Qiang,Li Jian Ping,Shui Gang,Wei Zi Hui

DOI: https://doi.org/10.1109/iccwamtip53232.2021.9674165

2021-01-01

Abstract:With the rapid development of computer network technology, the Internet has covered all aspects of social life. Nowadays, network technology is widely used in various social fields such as economy, military, education, etc. It promotes the rapid development of society and economy, and at the same time brings unprecedented challenges. The security of information transmission and interaction in cyberspace takes network traffic as the carrier, and network traffic contains a large amount of valuable information. How to perceive the current network status through the analysis of network traffic, discover network abnormalities in time is of great significance for maintaining network security. With the rapid development of deep learning in the field of artificial intelligence, researchers have tried to transfer deep learning methods that shine in computer vision processing, natural language recognition and other fields to the field of network flow detection. This paper proposes an ensemble model based on a convolutional neural network, which is integrated on the basis of the CNN model, which reduces the deviation of each basic model and improves the accuracy of the network stream classification results. The main tasks of this paper are as follows: (1) Experiments on the basic model and the integrated model were carried out on the USTC-TFC2016 data set. (2) The experimental results show that the ensemble model reduces the deviation of the basic model and improves the classification accuracy.

Yu Wang,Shun-Zheng Yu

DOI: https://doi.org/10.1109/iita.2008.536

2008-01-01

Abstract:Network traffic classification plays an important role in various network activities. Due to the ineffectiveness of traditional port-based and payload-based methods, recent works proposed using machine learning methods to classify flows based on statistical characteristics. In this study, we evaluate the effectiveness of machine learning techniques on the real-time traffic classification problem. We identify the most suitable ML, classifier for network traffic classification by comparing various ML schemes, including both supervised and unsupervised methods. We also apply feature selection to identify significant features. Finally, we simulate real-time classification by using features derived from the first few packets of each flow. The results show that classifiers based on decision tree outperform others on both accuracy and performance; and that classifiers based on early flow properties can achieve high accuracy while reducing the computational complexity.

Shuyuan Zhao,Yongzheng Zhang,Peng Chang

DOI: https://doi.org/10.1109/trustcom/bigdatase/icess.2017.254

2017-01-01

Abstract:Network traffic classification technique is currently a key part of network security systems. In recent years, some network traffic classification algorithms using machine learning based on packet and flow level features have been proposed, yet the results are frequently disappointing. On the one hand, obtaining a large, representative, training data set that is fully labeled to train a classifier is difficult, time-consuming, and expensive. On the other hand, the classification performance is affected by the new protocols and applications which can produce unknown traffic that existing classification systems cannot identify. To achieve effective and inexpensive classification, we propose a framework based on unsupervised methods and the tri-training method. By two independent clusterings, the proposed method can precisely detect unknown applications and extend labeled flows from a few labeled and many unlabeled flows. Meanwhile, tri-training method can effectively exploit unlabeled flows to enhance the proposed method performance. We implement our approach and evaluate it on two real-world Internet traffic traces. The experimental results demonstrate that the proposed method has more excellent performance in terms of Precision and Recall in comparison with the state-of-the-art approaches and can better handle different data sets.

Jian Zhang,ZongJue Qian,Guochu Shou,Yihong Hu

DOI: https://doi.org/10.1109/ICEMI.2009.5274334

2009-01-01

Abstract:Recently traffic classifications based on statistics methods and machine learning techniques have attracted a great deal of interest. Some challenging issues for these methods are that most of them need prior analysis to detect traffic applications and training data sets to generate classification model offline; some require a high amount computation and memory resource. These are infeasible to cope with the fast growing number of new applications and online traffic classifications. We propose an online automatic traffic classification architecture using unsupervised machine learning technique, in which flows are automatically clustered based on sub-flow statistical features instead of full flows. We select best-first features algorithm to find an optimal feature-sets which is suited for access network, then map the traffic flows to applications based on maximized probabilities applications in the clusters. The experiment results demonstrate the efficiency and capability of the proposed automated classification architecture.

Renjie Jin,Guangtao Xue,Feng Lyu,Hao Sheng,Gongshen Liu,Minglu Li

DOI: https://doi.org/10.1109/PADSW.2018.8644617

2018-01-01

Abstract:Classifying traffic flows into source applications is of great value for intelligent network management, which can help to detect malicious attacks, monitor the network, optimize network behaviors and then improve user experience, etc. However, to achieve high-accuracy traffic classification, especially in real time, is very challenging due to very complicated behaviors of traffic flows where network applications could often transmit traffics with encryption at randomized port numbers under highly dynamic network conditions. In this paper, by collecting extensive application traffic flows at the exit router of Shanghai Maritime University (the traffic rate can reach up to 7 GB/s at peak time), we identify that there is a very distinct characteristic in inner-connection of message (grouped by single or multiple consecutive TCP packets) sequence for different application flows. We then propose our traffic classification algorithm, which essentially adopts a Long Short-Term Memory (LSTM) neural network to output a classifier with message sequence vector (not necessarily covering all messages) of a traffic flow as the training input, to conduct online traffic flow classification. Extensive simulations are conduced considering varied training data size and diverse source applications, and an average about 97 % accuracy on per-flow classification can be achieved.

Zhen Liu,Ruoyu Wang,Ming Tao

DOI: https://doi.org/10.1007/s12652-015-0310-y

IF: 3.662

2015-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:Machine learning based network traffic classification is a critical technique for network management, and has attracted much attention. Recently, most of the researchers focus on achieving high flow classification accuracy (FCA). However the amount of “mice” flows is more than that of “elephant” flows in the Internet, these classifiers hence are more suitable for “mice” flows, but have low byte classification accuracy (BCA). To address this issue, the notion of byte misclassification is firstly explored. According to the exploration that most misclassified bytes belong to the minority class, a novel method of network traffic classification is proposed by combining the data re-sampling and ensemble learning algorithms. To enhance the classification accuracy of the minority class, the data re-sampling algorithm is employed to increase the number of minority class flows. The data re-sampling however will change the data distribution and degrade the generalization of a classifier. A boosting-style ensemble learning algorithm with the consideration of ensemble diversity hence is employed to improve the generalization. The experiments conducted on the real-world traffic datasets show that the proposed method achieves over 90 % BCA and 96 % FCA on average, and improves about 7.15 % BCA by comparing with the existing methods.

Jun Zhang,Chao Chen,Yang Xiang,Wanlei Zhou,Athanasios V. Vasilakos

DOI: https://doi.org/10.1109/TNSM.2013.022713.120250

2013-01-01

IEEE Transactions on Network and Service Management

Abstract:Traffic classification technique is an essential tool for network and system security in the complex environments such as cloud computing based environment. The state-of-the-art traffic classification methods aim to take the advantages of flow statistical features and machine learning techniques, however the classification performance is severely affected by limited supervised information and unknown applications. To achieve effective network traffic classification, we propose a new method to tackle the problem of unknown applications in the crucial situation of a small supervised training set. The proposed method possesses the superior capability of detecting unknown flows generated by unknown applications and utilizing the correlation information among real-world network traffic to boost the classification performance. A theoretical analysis is provided to confirm performance benefit of the proposed method. Moreover, the comprehensive performance evaluation conducted on two real-world network traffic datasets shows that the proposed scheme outperforms the existing methods in the critical network environment.

Jun Zhang,Chao Chen,Yang Xiang,Wanlei Zhou,Yong Xiang

DOI: https://doi.org/10.1109/tifs.2012.2223675

IF: 7.231

2013-01-01

IEEE Transactions on Information Forensics and Security

Abstract:This paper presents a novel traffic classification scheme to improve classification performance when few training data are available. In the proposed scheme, traffic flows are described using the discretized statistical features and flow correlation information is modeled by bag-of-flow (BoF). We solve the BoF-based traffic classification in a classifier combination framework and theoretically analyze the performance benefit. Furthermore, a new BoF-based traffic classification method is proposed to aggregate the naive Bayes (NB) predictions of the correlated flows. We also present an analysis on prediction error sensitivity of the aggregation strategies. Finally, a large number of experiments are carried out on two large-scale real-world traffic datasets to evaluate the proposed scheme. The experimental results show that the proposed scheme can achieve much better classification performance than existing state-of-the-art traffic classification methods.

Qiong Liu,Zhen Liu,Ruoyu Wang,Changqiao Xu

DOI: https://doi.org/10.1109/ICCW.2014.6881259

2014-01-01

Abstract:To Ensure QoE (quality of experience) to the users when they access so many Internet applications every day, ISPs are faced with challenge and opportunity in bandwidth management. They need some ways to identify each application's flows generated by user hosts, especially the application classes with large flows because of the higher bandwidth occupation comparing with the other classes with small flows. A novel method is presented to modularize flow size using information gain ratio. The origin dataset is properly partitioned into large flow and small flow subsets by a threshold that is achieved when the data complexity of large flow subset is minimized. The searching algorithm of the partitioned threshold is independent of classification performance. The specific classifiers can be trained to identify large flows and small flows properly on each subset in generalization. Experimental results on real world traffic datasets show that byte accuracy increased 30% averagely when our method is compared with original.

Luming Wang,Mao Yang,Bo Li,Zhongjiang Yan

2023-04-04

Abstract:With the increasing number of service types of wireless network and the increasingly obvious differentiation of quality of service (QoS) requirements, the traffic flow classification and traffic prediction technology are of great significance for wireless network to provide differentiated QoS guarantee. At present, the machine learning methods attract widespread attentions in the tuples based traffic flow classification as well as the time series based traffic flow prediction. However, most of the existing studies divide the traffic flow classification and traffic prediction into two independent processes, which leads to inaccurate classification and prediction results. Therefore, this paper proposes a method of joint wireless network traffic classification and traffic prediction based on machine learning. First, building different predictors based on traffic categories, so that different types of classified traffic can use more appropriate predictors for traffic prediction according to their categories. Secondly, the prediction results of different types of predictors, as a posteriori feature, are fed back to the classifiers as input features to improve the accuracy of the classifiers. The experimental results show that the proposed method has improves both the accuracy of traffic classification and traffic prediction in wireless networks.

Networking and Internet Architecture

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

LI Wei,BIAN Jiang,WANG Ying

DOI: https://doi.org/10.3969/j.issn.1001-0548.2007.06.041

2007-01-01

Abstract:Dividing the aggregate network volume into connections between host-pairs, we get a connection-oriented model in micro perspective—the dynamic network flow model. Analysis on a great amount of traffic shows that there is no one-to-one relationship between single flows and application protocols, but the single flow is able to reflect the characteristics of user network behaviors. By studying the data transportation features, a classification scheme of the single flow is provided from the perspective of the volume, frequency, and mode of the data interaction of network flows. Moreover, this classification scheme is tested in experimental network environment. And the experimental results show that the method proposed in this paper can capture the users' behavior exactly.

Chengjie Gu,Shunyi Zhang,Xudong Chen,Anyuan Du

2011-01-01

Journal of Computational Information Systems

Abstract:Since many Peer-to-Peer applications use dynamic port numbers, masquerading techniques and encryption, network traffic classification using traditional methods such as ports-based or payload-based analysis is becoming increasing difficult. An alternative approach is using machine learning methodology to classify network applications based on flow statistics. We propose realtime traffic classification based on semi-supervised learning in this paper. Experiment results illustrate 1) high classification accuracy can be achieved using dataset that consists of a small number of labeled and a large number of unlabeled flows. 2) It is extremely suitable to realize realtime traffic classification. 3) Our approach is robust and can handle both previously unseen applications and changed behaviour of existing applications. Copyright © 2011 Binary Information Press.

Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Jun Zhang,Chao Chen,Yang Xiang,Wanlei Zhou

DOI: https://doi.org/10.1109/trustcom.2012.105

2012-01-01

Abstract:A critical problem for Internet traffic classification is how to obtain a high-performance statistical feature based classifier using a small set of training data. The solutions to this problem are essential to deal with the encrypted applications and the new emerging applications. In this paper, we propose a new Naive Bayes (NB) based classification scheme to tackle this problem, which utilizes two recent research findings, feature discretization and flow correlation. A new bag-of-flow (BoF) model is firstly introduced to describe the correlated flows and it leads to a new BoF-based traffic classification problem. We cast the BoF-based traffic classification as a specific classifier combination problem and theoretically analyze the classification benefit from flow aggregation. A number of combination methods are also formulated and used to aggregate the NB predictions of the correlated flows. Finally, we carry out a number of experiments on a large scale real-world network dataset. The experimental results show that the proposed scheme can achieve significantly higher classification accuracy and much faster classification speed with comparison to the state-of-the-art traffic classification methods.

王兆霞,孙雨耕,张强,郝庭柱,孙小薇,秦娟,沈花玉

DOI: https://doi.org/10.3969/j.issn.0493-2137.2006.z1.023

2006-01-01

Abstract:An algorithm of classifying network traffic based on ensemble neural networks is proposed in this pa- per.Ensemble neural networks(ENN)is used to study the feature extraction and classifying of the network traffic.Bagging and back-propagation algorithms are used for the training of ensemble neural networks.Com- pared with the non-ensemble neural networks(NN)and fuzzy neural networks(FNN),the simulation result demonstrates that ENN not only can be well applicable for classifying the network traffic,but also is superior to NN and FNN.This paper supplies the fundamental research to solve the problem of classifying network traffic.