Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Li Wenwei,Zhang Dafang,Yang Jinmin,Xie Gaogang

DOI: https://doi.org/10.1016/j.comcom.2006.09.015

IF: 5.047

2007-01-01

Computer Communications

Abstract:Network measurement is an important approach to understand network behaviors, which has been widely studied. Both TCP and ICMP are applied in network measurement, while investigating the differences between the measured results of these two protocols is an important topic that has been less addressed. In this paper, to compare the differences between TCP and ICMP when they are used in measuring host connectivity, RTT, and packet loss rate, we designed two groups of comparison programs, and after careful evaluating of the program parameters, we executed a lot of comparison experiments on the Internet. The experimental results show that, there are significant differences between the host connectivity measured using TCP or ICMP; in general, the accuracy of connectivity measured using TCP is 20–30% higher than that measured using ICMP. The case of RTT and packet loss rate is complicated, which are related to path loads and destination host loads. While commonly, the RTT and packet loss rate measured using TCP or ICMP are very close. According to the experimental results, we also give some advices on protocol selection for conducting accurate connectivity, RTT and packet loss rate measurements.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

D Lee,DL Chen,RB Hao,RE Miller,JP Wu,X Yin

DOI: https://doi.org/10.1109/tnet.2006.872572

2006-01-01

Abstract:We study network protocol system monitoring for fault detection using a formal technique of passive testing that is a process of detecting system faults by passively observing its input/output behaviors without interrupting its normal operations. After describing a formal model of event-driven extended finite state machines, we present two algorithms for passive testing of protocol system control and data portions. Experimental results on OSPF and TCP are reported.

Yu Jiang,Ren Jian,Yuhong Zhao,Fang Binxing

DOI: https://doi.org/10.1109/PDCAT.2009.58

2009-01-01

Abstract:Traceroute-like method is of foundation for inferring forward IP paths that in succession are often used for generating different level Internet topologies. Based on Paris traceroute method of avoiding traceroute anomalies, this paper examines the practical feasibility of inferring forward IP paths by sending mixed TCP packets with other control bit(s) instead of SYN to a set of well-known websites. We also provide two kinds of novel evaluation metrics to evaluate the effectiveness of probe methods. Finally, we present a novel kind of methods termed as hybrid TCP probe method, for inferring forward IP paths. We hope this case study broadening ways of forward IP path inference.

Qianli Zhang,Yunlong Ma,Jilong Wang,Xing Li

DOI: https://doi.org/10.1109/apnoms.2014.6996569

2014-01-01

Abstract:Comparing to TCP traffic, the composition of UDP traffic is still unclear. Although it is observed that a large fraction of UDP traffic appears to be P2P applications, application level classification of UDP traffic is still very hard since most of these applications are private protocols based. In this paper, a novel method is proposed to classify UDP traffic. Based on the assumption that traffic from two communicating half-tuples identified by the <; IP address, portnumber > is from the same application, all half-tuples can be grouped into several connected subgraphs. The port numbers which are adopted by most links or half-tuples in each subgroup can thus be used to characterize the application types of the whole subgroup. Experiment results show that this approach is feasible and can classify UDP traffic only using flow level information. The port numbers adopted by most links or half-tuples are surprisingly stable among different time periods, for example, for Youku application remain the same for more than 90% of periods in all the 1429 periods.

Peng Liu,Ming Cai,Jian Pan,Jinxiang Dong

2007-01-01

Journal of Computational Information Systems

Abstract:In ubiquitous computing environments, intelligent devices may have multiple network connections. It is usually left to applications to choose suitable network connections. The applications must face the problem of adapting to the dynamic network environments, they have to select the most suitable network, switch to another one when the current one couldn't work anymore, re-establishment failed connections, etc. Although some systems and middle wares are brought forward to solve these problems, they can only solve part of them. In this paper, a novel approach is proposed to make the network-scheduling operation as fundamental part of the OS. In that OS, new network programming interface is provided, and users could use abstract network interface or a special one. Like task-scheduling, the new OS will switch among networks instead of applications when necessary and the switching operation is almost transparent. This paper also presents the design and implementation of the architecture.

Qiang Li,Tao Qin,Xiaohong Guan,Qinghua Zheng

DOI: https://doi.org/10.3837/tiis.2014.04.009

2014-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the exhaustion of global IPv4 addresses, IPv6 technologies have attracted increasing attentions, and have been deployed widely. Meanwhile, new applications running over IPv6 networks will change the traditional traffic characteristics obtained from IPv4 networks. Traditional models obtained from IPv4 cannot be used for IPv6 network monitoring directly and there is a need to investigate those changes. In this paper, we explore the flow features of IPv6 traffic and compare its difference with that of IPv4 traffic from flow level. Firstly, we analyze the differences of the general flow statistical characteristics and users' behavior between IPv4 and IPv6 networks. We find that there are more elephant flows in IPv6, which is critical for traffic engineering. Secondly, we find that there exist many one-way flows both in the IPv4 and IPv6 traffic, which are important information sources for abnormal behavior detection. Finally, in light of the challenges of analyzing massive data of large-scale network monitoring, we propose a group flow model which can greatly reduce the number of flows while capturing the primary traffic features, and perform a comparative measurement analysis of group users' behavior dynamic characteristics. We find there are less sharp changes caused by abnormity compared with IPv4, which shows there are less large-scale malicious activities in IPv6 currently. All the evaluation experiments are carried out based on the traffic traces collected from the Northwest Regional Center of CERNET (China Education and Research Network), and the results reveal the detailed flow characteristics of IPv6, which are useful for traffic management and anomaly detection in IPv6.

Yun Mao,Kang Chen,Dongsheng Wang,Weimin Zheng

DOI: https://doi.org/10.1145/502932.502942

2001-01-01

Abstract:Web traffic has been increasing and evolving rapidly in recent years. It is important to measure the volume and characteristic of such dominant traffic to understand large-scale user access pattern and analyze performance of Web applications. Among the common methods of Web measurements, the passive way using packet monitoring is more advantageous since it provides comprehensive information and is transparent to end-users. However, the throughput of current packet monitoring system is limited by the bandwidth of network adapters. Computational capacity and buffer size are also potential performance bottlenecks for monitoring high-speed links. This paper proposes a cluster-based online monitoring system, which generates rich logs by packet sniffing for Web analysis in a cluster environment. Powered by cluster computing technologies, the system achieves high performance and availability. Other techniques, such as online reconstruction in memory and kernel packet filter, are also adopted to improve the system performance. The experimental results indicate that it is feasible to trace in high-speed links with the cluster-based system.

Chenhuan Liu,Qiankun Liu,Shanshan Hao,CongXiao Bao,Xing Li

DOI: https://doi.org/10.1007/978-3-030-78612-0_19

2021-01-01

Abstract:The state of the network can be reflected by the background traffic. Negative network measurements can be a very important way to understand the Internet. I would like to express appreciation to CERNET, who provided us with an IPv6 address space allocated but not a fully used network. By announcing a large /20 covering prefixes on this address, we have published routing information on China's domestic education network, business network, and foreign education network. Based on the honeypot method, we collect relative traffic at the last hop router of the experiment network. Thus, we make our experiment environment a network telescope. We discover that background radiation traffic grew more rapidly than it was years ago under the current ipv6 network situation. Moreover, suspicious IPv6 address scanning traffic shows up. We classify and analyze the traffic and classify all the source addresses and destination addresses. We found that the source addresses are mainly from Asian countries. In particular, we conduct further detection and monitor on the suspicious source addresses. We analyze the time when it appears and what it scans, including the destination address and the port type. The most interesting destination ports to the outside world are mainly 80, 8080, 443, 53, 21, 22, 23, and 25, which are related to web services and host system applications. We explain most of the data and highlight the significant attributes of the data. We found several special addresses scanning our address segment periodically. Our work reveals the situation and the problem under the current IPv6 network situation.

Jun Li,Shunyi Zhang,Cuilian Li,Junrong Yan

DOI: https://doi.org/10.1002/nem.735

2010-01-01

International Journal of Network Management

Abstract:Accurate and real-time classifi cation of network traffic is significant to a number of network operation and management tasks such as quality of service differentiation, traffic shaping and security surveillance. However, with emerging P2P applications using dynamic port numbers, IP masquerading techniques and payload encryption, accurate and intelligent traffic classification continues to be a big challenge despite a wide range of research work on the topic. Since each classification method has its disadvantages and hardly could meet the specific requirement of Internet traffic classification, this paper innovatively presents a composite traffic classification system. The proposed lightweight system can accurately and effectively identify Internet traffic with good scalability to accommodate both known and unknown/encrypted applications. Furthermore, It promises to satisfy various Internet uses and is feasible for use in real-time line speed applications. Our experimental results show the distinct advantages of the proposed classification system.

Qiang Li,Tao Qin,Xiaohong Guan,Qinghua Zheng

DOI: https://doi.org/10.1109/ICON.2012.6506590

2012-01-01

Abstract:With the exhaustion of global IPv4 address, IPv6 technologies have attracted increasing attention and have been deployed widely. Meanwhile, new applications running over IPv6 networks will change the traditional traffic characteristics of IPv4 networks. In this paper, we present a measurement study on the traffic features and behaviors of the users over IPv4 and IPv6 in the campus network of XJTU. We shall investigate the differences between IPv4 and IPv6 traffic features in terms of the distribution of the average packet size, flow size, flow duration, and self-similarity of the packet size and traffic volume. As to the user's behaviors, we employ the connection degree to capture the behavior characteristics and Renyi entropy to measure behavior dynamics. The experimental results based on the traffic traces collected from the Northwest Regional Center of CERNET (China Education and Research Network) indicate that there exists distinct differences between IPv4 and IPv6 traffic due to the newly-emerged applications. The analysis results provide strategic guidance for traffic management and exhibit great potential in abnormal behavior detection in next generation network.

LIANG Yong,CHEN Zhen,SHI Xi,LI Jun

DOI: https://doi.org/10.3969/j.issn.1671-1122.2012.07.003

2012-01-01

Abstract:With the increase of Internet users and the needs of the user change constantly,the type of application on the Internet is also undergoing rapid changes.Various types of traffic are growing,and the burden of the network becomes worse and worse,so the difficulties of network management have increased.In order to coordinate the relations between application and security,bandwidth growth and business gains,network expansion and user experience,there is a key challenge to the network managers and operators that how to use the appropriate traffic management techniques,such as network application protocol identification and bandwidth management technology.This paper was focus on this,and introduced the basic concepts and key technologies of network traffic management first.Then it introduced the mainstream open source traffic management systems and commercial traffic management systems.Finally,it proposed a collaborative distributed traffic management system,which deployed the traffic management subsystems dispersedly,detected and managed the traffic collaboratively through the analysis and operation center.It could effectively improve the efficiency of network traffic management and the recognition rate of unknown network protocol,and it also could effectively detect and prevent DDoS attacks.

Chieh-Jan Mike Liang,Kaifei Chen,Jie Liu,Nissanka Bodhi Priyantha,Feng Zhao

DOI: https://doi.org/10.1109/ipsn.2012.6920965

2012-01-01

Abstract:The maturity and availability of network protocols have enabled wireless sensor networks (WSN) designers to build heterogeneous applications by composing different protocols. A common heterogeneous application combines data collection and dissemination for environmental monitoring with node retasking. While these co-located protocols on the same node have different goals, many of them share requirements and characteristics. Examples of commonalities include the use of bi-directional traffic for reliable transmissions and tree for packet routing. This work explores how the MAC layer can reduce the network transmission overhead of heterogeneous applications by taking advantage of protocol commonalities to aggregate outgoing packets. In other words, this aggregation creates a train of packets destined to the same receiver. Finally, we discuss a strawman implementation of packet train and how our data center monitoring deployment leverages it.

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang,Qiuzhen Huang

DOI: https://doi.org/10.1016/j.jnca.2011.06.006

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:The randomness in network behaviors poses serious challenges for discovering abnormal patterns in network traffic flows. This paper presents a systematic approach for monitoring abnormal network traffic. The DFlow model is proposed to reduce the flow records and extract four features to capture the traffic patterns. The blind source separation method is applied to obtain the routine and abnormal behaviors from those features. A scale space filter is applied to filter the randomness in the traffic flows without affecting the behavior patterns. A threshold is selected based on a systematic criterion to evaluate the degree of abnormality. The contributions of different traffic features to the abnormal behavior detection are analyzed. It is found that the number of connection degree is the most important feature for traffic monitoring. A salient feature of this method is that it is effective for detecting the abnormal behaviors not associated with significant changes in traffic volumes. Another advantage of the new method is that no supervised learning process is needed. This is very important since high quality labeled samples are very difficult to acquire in actual networks especially the data traces associated with attacks. The experimental results based on the actual network data show that the method presented in the paper is effective for monitoring abnormal traffic flows in the gigabytes traffic environment and the accuracy is above 95%.

Yahui Hu,Ziqian Zeng,Junping Song,Luyang Xu,Xu Zhou

DOI: https://doi.org/10.1016/j.comnet.2024.110656

IF: 5.493

2024-10-01

Computer Networks

Abstract:Network traffic classification is an important part of network monitoring and network management. Three traditional methods for network traffic classification are flow-based, session-based, and packet-based, while flow-based and session-based methods cannot meet the real-time requirements and existing packet-based methods will violate user’s privacy. To solve the above problems, we propose a network traffic classification method only by the IP packet header, which satisfies the requirements of both the user’s privacy protection and online classification performances. Through statistical analyses, we find that IP packet header information is effective on the network traffic classification tasks and this conclusion is also demonstrated by experiments. Furthermore, we propose a novel external attention and convolution mixed (ECM) model for online network traffic classification. This model adopts both low-computational complexity external attention and convolution to respectively extract the byte-level and packet-level characteristics for traffic classification. Therefore, it can achieve high classification accuracy and low time consumption. The experiments show that ECM can reach over 96% classification accuracy on four datasets and the classification time is 0.36 ms per packet which can meet the real-time requirements. The code is available at https://github.com/CNZZQ1030/ECM-for-Network-Traffic-Classification.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Wang Jun-Song,Yuan Jing,Li Qiang,Yuan Rui-Xi

DOI: https://doi.org/10.1088/1674-1056/20/5/050506

2011-01-01

Chinese Physics B

Abstract:This paper uses a correlation dimension based nonlinear analysis approach to analyse the dynamics of network traffics with three different application protocols-HTTP, FTP and SMTP. First, the phase space is reconstructed and the embedding parameters are obtained by the mutual information method. Secondly, the correlation dimensions of three different traffics are calculated and the results of analysis have demonstrated that the dynamics of the three different application protocol traffics is different from each other in nature, i.e. HTTP and FTP traffics are chaotic, furthermore, the former is more complex than the later; on the other hand, SMTP traffic is stochastic. It is shown that correlation dimension approach is an efficient method to understand and to characterize the nonlinear dynamics of HTTP, FTP and SMTP protocol network traffics. This analysis provided insight into and a more accurate understanding of nonlinear dynamics of internet traffics which have a complex mixture of chaotic and stochastic components.

Guodong Fang,Zhihong Deng,Hao Ma

DOI: https://doi.org/10.1109/FSKD.2009.444

2009-01-01

Abstract:To keep the network secure, it is necessary to monitor network traffic timely and effectively. The traditional methods for detecting network anomalies were mainly based on such ways as sampling, counting and aggregating, but they can not solve the problem of getting accurate and effective results well. In this paper we propose a new method that is based on the basic properties of frequent pattern mining problem and makes use of the vertical mining methods to mine frequent patterns from network traffic. Based on this algorithm, we build a prototype system to evaluate our algorithm on huge netflow data of campus network. The experimental result shows that this algorithm can detect network anomalies timely and effectively and can help network administrators achieve more effective monitoring on network.

Z. Y. You

2004-01-01

Abstract:SNMP is often adopted to probe the states of network devices in monitor and control system. In different OS,however,the implementations of SNMP are different and the programming interfaces are dissimilar. This paper introduces a method to avoid the disadvantages above,which can be used in different OS,that is,it is cross-platforms. Firstly,the paper states the basic concepts about SNMP,and describes the usage of SNMP in different platforms. Secondly,the paper details the research and implementation of SNMP in ATC(Air Traffic Control) automation system cross platforms.

Qiang Li,Tao Qin,Xiaohong Guan,Qinghua Zheng

DOI: https://doi.org/10.7652/xjtuxb201308004

2013-01-01

Abstract:Measurement methods based on bi-directional flow model are proposed to investigate the symmetric characteristic of the non-business network traffics. The features of protocol, port distribution and flow size are extracted from host-level aggregated traffic to characterize users' interactive behavior and to find the origins of traffic symmetry. The analysis results using actual traffic traces collected from the campus network of Xi'an Jiaotong University show that 1% of the total hosts bear more than 90% of the forward UDP traffic, which results in the symmetry of total traffic. Compared with the traditional flow model, the proposed methods can quickly locate the hosts that are responsible for traffic symmetry, and are more suitable for traffic control and management in non-business networks.