Recognizing the Content Types of Network Traffic Based on a Hybrid DNN-HMM Model

Xincheng Tan, Yi Xie, Haishou Ma, Shunzheng Yu, Jiankun Hu
DOI: https://doi.org/10.1016/j.jnca.2019.06.004
IF: 7.574
2019-01-01
Journal of Network and Computer Applications
Abstract: Protocol identification and application classification for network traffic have been well studied in the past two decades, due to their importance for network management and security defense. One of the challenges to most of the existing work comes from the onion-like characteristics of modern network traffic, which enable the actual transmission content or service to be disguised by the external protocols or applications and to be unrecognizable. In some scenarios, unrecognizable traffic may lead to incorrect network management policies and create favorable conditions for cyber attacks. In contrast to most of the existing research that merely focuses on the identification of external protocols and applications, in this work we explore a new scheme for content type recognition by traffic behavior, which does not need to inspect the external protocols or applications. The proposed scheme is based on three mature technologies, including Gaussian mixture model (GMM), hidden Markov model (HMM) and deep neural network (DNN). The GMM-HMMs are used to capture the underlying time-varying behavior patterns for the network traffic carrying a specific type of content. To eliminate the instability and limitations caused by the general GMM-HMMs, a shared DNN is derived and combined with the trained HMMs to implement the final recognition of the content types for network traffic. We introduce the architecture and rationale of the proposed scheme in detail, derive the algorithms for content recognition, and evaluate its performance with multiple baseline methods via real network traffic. The experimental results not only demonstrate that the proposed scheme is able to accurately and stably recognize the content types of network traffic, but also verify the performance of the proposed scheme on the discrimination for similar and short traffic.