Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Shijun Huang,Kai Chen,Chao Liu,Alei Liang,Haibing Guan

DOI: https://doi.org/10.1109/icumt.2009.5345539

2009-01-01

Abstract:This Internet traffic classification using Machine Learning is an emerging research field since 1990's, and now it is widely used in numerous network activities. The classification technique focuses on modeling attributes and features of data flows to accomplish the identification of applications. In the paper we design and implement the classification model based on header-derived flow statistical features. Compared with the traditional methods, the model designed here, which is totally insensitive to port numbers and contents of payload on application level, overcomes difficulty in operation caused by unreliable port numbers and complexity of payload interpretation. Rather than relatively complex ML algorithms or even in mixture, supervised k-Nearest Neighbor estimator is adopted for the sake of computational efficiency, along with the effective and easy-to-calculate statistical features selected according to the operational background. Our results indicate that about 90% accuracy on per-flow classification can be achieved, which is a vast improvement over traditional techniques that achieve 50-70%.

LIU Qiong,LIU Zhen,HUANG Min

DOI: https://doi.org/10.3969/j.issn.1002-137x.2010.12.008

2010-01-01

Computer Science

Abstract:To identify the traffic based on the application in a large network, the major part is traffic classification and it is useful to provide quality of service, lawful interception and intrusion detection. A number of limitations have been exhibited by older methods such as port-based and payload based classification. Hence Machine learning techniques are used by the research community to analyse the flow statistics for detecting network applications. The statistical based approach is used here for traffic identification and classification process. The statistical features are flow size, flow duration, TCP port, packet inter-arrival times statistics, total number of packets, mean packet length, protocol, number of bytes transferred. There are two types of machine learning algorithms such as supervised and unsupervised algorithms. These two machine learning algorithms are analysed with datasets respectively based on the set of algorithms. By evaluating the results of supervised and unsupervised algorithms respectively, best algorithm from each technique is combined together to yield

Zhihan Li,Rui Yuan,Xiaohong Guan

DOI: https://doi.org/10.1109/icc.2007.231

2007-01-01

Abstract:The need to quickly and accurately classify Internet traffic for security and QoS control has been increasing significantly with the growing Internet traffic and applications over the past decade. Pattern recognition by learning the features in the training samples to classify the unknown flows is one of the main methods. However, many methods developed in the previous works are too complicated to be applied in real-time, and the prior probabilities based on the training samples are severely biased. This paper uses the SVM (support vector machine) method to train 7 classes of applications of different characteristics, captured from a campus network backbone. A discriminator selection algorithm is developed to obtain the best combination of the features for classification. Our optimized method yields approximately 96.9% accuracy for un-biased training and testing samples. For regular biased samples, the accuracy is about 99.4%. Furthermore, all the feature parameters are computable in real time from captured packet headers, suggesting real time network traffic classification with high accuracy is achievable.

Ruixi Yuan,Zhu Li,Xiaohong Guan,Li Xu

DOI: https://doi.org/10.1007/s10796-008-9131-2

2008-01-01

Information Systems Frontiers

Abstract:Accurate and timely traffic classification is critical in network security monitoring and traffic engineering. Traditional methods based on port numbers and protocols have proven to be ineffective in terms of dynamic port allocation and packet encapsulation. The signature matching methods, on the other hand, require a known signature set and processing of packet payload, can only handle the signatures of a limited number of IP packets in real-time. A machine learning method based on SVM (supporting vector machine) is proposed in this paper for accurate Internet traffic classification. The method classifies the Internet traffic into broad application categories according to the network flow parameters obtained from the packet headers. An optimized feature set is obtained via multiple classifier selection methods. Experimental results using traffic from campus backbone show that an accuracy of 99.42% is achieved with the regular biased training and testing samples. An accuracy of 97.17% is achieved when un-biased training and testing samples are used with the same feature set. Furthermore, as all the feature parameters are computable from the packet headers, the proposed method is also applicable to encrypted network traffic.

Jun Li,Shunyi Zhang,Cuilian Li,Junrong Yan

DOI: https://doi.org/10.1002/nem.735

2010-01-01

International Journal of Network Management

Abstract:Accurate and real-time classifi cation of network traffic is significant to a number of network operation and management tasks such as quality of service differentiation, traffic shaping and security surveillance. However, with emerging P2P applications using dynamic port numbers, IP masquerading techniques and payload encryption, accurate and intelligent traffic classification continues to be a big challenge despite a wide range of research work on the topic. Since each classification method has its disadvantages and hardly could meet the specific requirement of Internet traffic classification, this paper innovatively presents a composite traffic classification system. The proposed lightweight system can accurately and effectively identify Internet traffic with good scalability to accommodate both known and unknown/encrypted applications. Furthermore, It promises to satisfy various Internet uses and is feasible for use in real-time line speed applications. Our experimental results show the distinct advantages of the proposed classification system.

Baohua Yang,Guangdong Hou,Lingyun Ruan,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/ANCS.2011.34

2011-01-01

Abstract:Network traffic classification is extremely important in numerous network functions today. However, most of the current approaches based on port number or payload detection are becoming increasingly impractical with the appearance of dynamic or encrypted applications. Even though some supervised learning based work were proposed, it is difficult to collect sufficient flow-labeled traces for training. On the other hand, online classification needs an early identification, which is still challenging for most well-known approaches. In this paper, we propose a semi-supervised learning based traffic classification approach named SMILER, which supports an early classification from the sizes of the first few packets (empirically 5 packets) of a flow. Experiments in real networks demonstrate that SMILER achieves 94% precision and 96% recall on average for all tested applications, even with disordered packets SMILER still works well. With a hybrid scheme, the performance is further improved. Meanwhile, SMILER performs fast in both classification and updating. All experimental results show that SMILER is practical for fast and accurate online traffic classification.

Tao Qin,Lei Wang,Zhaoli Liu,Xiaohong Guan

DOI: https://doi.org/10.1016/j.knosys.2015.03.002

IF: 8.139

2015-01-01

Knowledge-Based Systems

Abstract:Application identification plays an essential role in network management such as intrusion detection and security monitoring. But the continuous growth of bandwidth and massive amount of packets pose serious challenges for efficacious and accurate application identification. In this paper, we develop a new method to reduce the number of packets being processed while achieving the goal of accurate P2P and VoIP application identification. Firstly, we employ the Bi-flow model to aggregate traffic packets into Bi-flow, which can capture the exchange behavior characteristics between different terminals. Then we employ the signature of Packet Size Distribution (PSD) to capture flow dynamics, which is defined as the payload length distribution probability of the packets in one Bi-flow. Secondly, we collect PSD of several different P2P and VoIP applications and the analysis results show that PSD of different applications are different with each other, which can be used as features to perform traffic identification. We also find the PSD characteristics of one Bi-flow can be captured by its first few packets, which demonstrate our methods can identify the Bi-flow quickly after its establishment. We employ the Renyi cross entropy to perform identification by calculating the similarity between PSD of the Bi-flow being identified and that of specific application. If the similarity is higher than a selected threshold, the Bi-flow being identified is classified to the specific application. Finally, as the PSD is a type of probability feature which is not sensitive to packet lose, we integrate the Poisson sampling method into our framework to process the massive data in backbone networks. Experimental results using the artificial and actual traces collected from monitoring platform in the Northwest Center of CERNET (China Education and Research Network) verify the accuracy and robustness of our method.

GU Yue,LI Dan,GAO Kaihui

DOI: https://doi.org/10.11959/j.issn.1000-0801.2021052

2021-01-01

Abstract:With the continuous development of Internet technology and the continuous expansion of network scale, there are many different types of applications , and various new applications have endlessly emerged.In order to ensure the quality of service (QoS) and ensure network security, accurate and fast traffic classification is an urgent problem for both operators and network managers.Firstly, the problem definition and performance metrics of network traffic classification were given.Then, the traffic classification methods based on machine learning and deep learning were introduced respectively, the advantages and disadvantages of these methods were analyzed, and the existing problems were expounded.Next, the related work by focusing on the three problems encountered elaborated and analyzed in traffic classification when considering online deployment: dataset, zero-day application identification and the cost of online deployment, and further discusses the challenges faced by the current network traffic classification researches.Finally, the next research direction of network traffic classification was prospected.

Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Dawei Wang,Luoshi Zhang,Zhenlon Yuan,Yibo Xue,Yinfei Dong

DOI: https://doi.org/10.1109/iccnc.2014.6785298

2014-01-01

Abstract:Network traffic classification is critical to both network management and system security. However, existing traffic classification techniques become less effective as more P2P applications use proprietary protocols for delivery and encryption. Especially, current techniques usually focus on individual flows and do not consider all flows associated with an application together. To address this issue, this paper proposes a novel Application Behavior Characterization (ABC) technique. We design a novel application behavior feature extracting method and an effective classification algorithm, which explore the correlation of multiple flows of a specific application. We evaluate the proposed method with real network traffic. The experimental results show that it can correctly identify flows belonging to a set of known P2P applications (such as Skype, Thunder, and PPTV) with a probability over 90%. Moreover, it can further identify the particular application that a flow belongs to with a precision of 90% on average. More information about implementing and deploying ABC can be found in a technical report [10].

Wengang Zhou,Leiting Dong,Bic, L.,Mingtian Zhou

DOI: https://doi.org/10.1109/iccps.2011.6092257

2011-01-01

Abstract:Many network activities can benefit from accurate traffic classification and categorization, such as QOS control, network security monitoring, and traffic accounting. In this paper, a new approach based on feed-forward neural network is proposed for accurate traffic classification, which eliminates the disadvantages of port-based or payload-based classification methods. Extensive experimentation and comparison have been carried out to explore this new approach; it has been found out that, combined with a fast correlation-based feature selection filter, better performance and more accurate classification results can be obtained using neural network method compared to other techniques. For its good performance and elimination of accessing the contents of the packets, the proposed technique is expected to have a promising application prospect in internet traffic classification.

Yue Gu,Dan Li,Kaihui Gao,Yang Cheng

DOI: https://doi.org/10.1109/globecom46510.2021.9685631

2021-01-01

Abstract:Online traffic classification is a fundamental toolkit in network management, such as QoS and network security. The speed and generalization ability of online classification are two requirements that need to be satisfied simultaneously. However, existing methods may suffer from generalization degradation on the traffic with unseen applications which are constantly emerging in the network, due to the feature distribution drift (FDD) caused by their non-robust feature engineering approaches. Based on Deep Metric Learning which can restrict the distances between samples explicitly and clustering algorithm which can learn multiple clusters within each category, this paper presents Robot, a fast and robust online traffic classification system. At its core, Robot leverages two building blocks to classify high-speed traffic flows: 1) For fast classification, Fast model classifies traffic and detects FDD samples simultaneously based on only one packet. 2) For robust classification, once FDD samples are detected, a flow collector will be triggered to collect flows and then Robust model, a multi-center model, will further identify them based on the hybrid of packet-level and flow-level features. Our comprehensive experiments demonstrate that Robot can achieve comparative classification speed and better generalization ability on the mixed traffic datasets with seen and unseen applications (with the FDD detection accuracy of up to 85.8% and with nearly 10% improvement in classification accuracy), compared with the state-of-the-art methods.

Yahui Hu,Ziqian Zeng,Junping Song,Luyang Xu,Xu Zhou

DOI: https://doi.org/10.1016/j.comnet.2024.110656

IF: 5.493

2024-10-01

Computer Networks

Abstract:Network traffic classification is an important part of network monitoring and network management. Three traditional methods for network traffic classification are flow-based, session-based, and packet-based, while flow-based and session-based methods cannot meet the real-time requirements and existing packet-based methods will violate user’s privacy. To solve the above problems, we propose a network traffic classification method only by the IP packet header, which satisfies the requirements of both the user’s privacy protection and online classification performances. Through statistical analyses, we find that IP packet header information is effective on the network traffic classification tasks and this conclusion is also demonstrated by experiments. Furthermore, we propose a novel external attention and convolution mixed (ECM) model for online network traffic classification. This model adopts both low-computational complexity external attention and convolution to respectively extract the byte-level and packet-level characteristics for traffic classification. Therefore, it can achieve high classification accuracy and low time consumption. The experiments show that ECM can reach over 96% classification accuracy on four datasets and the classification time is 0.36 ms per packet which can meet the real-time requirements. The code is available at https://github.com/CNZZQ1030/ECM-for-Network-Traffic-Classification.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Guorui Xie,Qing Li,Yong Jiang,Tao Dai,Gengbiao Shen,Rui Li,Richard Sinnott,Shutao Xia

DOI: https://doi.org/10.1145/3405671.3405811

2020-01-01

Abstract:Network traffic classification categorizes traffic classes based on protocols (e.g., HTTP or DNS) or applications (e.g., Facebook or Gmail). Its accuracy is a key foundation of some network management tasks like Quality-of-Service (QoS) control, anomaly detection, etc. To further improve the accuracy of traffic classification, recent researches have introduced deep learning based methods. However, most of them utilize the privacy-concerned payload (user data). Besides, they generally do not consider the dependency of bytes in a packet, which we believe can be exploited for the more accurate classification. In this work, we treat the initial bytes of a network packet as a language and propose a novel Self-Attention based Method (SAM) for traffic classification. The average F1-scores of SAM on protocol and application classification are 98.62% and 98.93%. With the higher accuracy of SAM, better QoS and anomaly detection can be met.

Wenxiong Chen,Feng Lyu,Fan Wu,Peng Yang,Guangtao Xue,Minglu Li

DOI: https://doi.org/10.1109/tvt.2021.3063738

IF: 6.8

2021-01-01

IEEE Transactions on Vehicular Technology

Abstract:Classifying Internet traffic is critical to many network management tasks, including malicious attack detection, usage monitoring, load balancing, etc. As current traffic packets are often transmitted with encryption, at randomized port numbers, and under highly dynamic network conditions, traditional approaches such as port mapping, deep packet inspection, and statistical analysis are no longer effective. In this paper, we first collect extensive traffic flows at the exit router of a university and label them into various source applications. After extracting the message (consisting of multiple consecutive TCP packets) sequence for all collected traffic flows, we find that each application type has distinct sequential message features. By leveraging the message sequential feature, we develop a system, named SMC (Sequential Message Characterization), which can perform online traffic classification with the sequential size information of a few message segments. In SMC, after confirming the long-term dependency among message segments, we create a Long Short-Term Memory (LSTM) neural network to conduct deep learning on message size sequence, and then build a multi-classifier to classify traffic types based on the probability profiles output by deep LSTM models. Extensive experiments are conducted and results demonstrate that the proposed SMC can achieve 97% of classification accuracy on average. Meanwhile, with as few as 6 pieces of message size information as input, SMC enables early online traffic classification especially for heavy-traffic flows with over 35 message segments in median.

Renjie Jin,Guangtao Xue,Feng Lyu,Hao Sheng,Gongshen Liu,Minglu Li

DOI: https://doi.org/10.1109/PADSW.2018.8644617

2018-01-01

Abstract:Classifying traffic flows into source applications is of great value for intelligent network management, which can help to detect malicious attacks, monitor the network, optimize network behaviors and then improve user experience, etc. However, to achieve high-accuracy traffic classification, especially in real time, is very challenging due to very complicated behaviors of traffic flows where network applications could often transmit traffics with encryption at randomized port numbers under highly dynamic network conditions. In this paper, by collecting extensive application traffic flows at the exit router of Shanghai Maritime University (the traffic rate can reach up to 7 GB/s at peak time), we identify that there is a very distinct characteristic in inner-connection of message (grouped by single or multiple consecutive TCP packets) sequence for different application flows. We then propose our traffic classification algorithm, which essentially adopts a Long Short-Term Memory (LSTM) neural network to output a classifier with message sequence vector (not necessarily covering all messages) of a traffic flow as the training input, to conduct online traffic flow classification. Extensive simulations are conduced considering varied training data size and diverse source applications, and an average about 97 % accuracy on per-flow classification can be achieved.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

Zhou Wengang,Chen Leiting,Dong Shi

DOI: https://doi.org/10.3724/sp.j.1187.2013.01114

2013-01-01

JOURNAL OF ELECTRONIC MEASUREMENT AND INSTRUMENT

Abstract:A number of network activities can benefit from accurate traffic classification and identification. However, the current classification methods, either port-based or payload-based, are becoming ineffective as many P2P applications use dynamic port numbers, masquerading techniques, and encryption to avoid detection. This paper discusses and explores a new method that is based on supervised machine learning mechanisms, which eliminate the inherent limitations of port-based or payload-based methods. A series of experiments show that, combined with a fast correlation-based feature selection filter, better performance and more accurate identification results can be obtained using the neural network method. Due to all the favorable features and satisfactory performance, the proposed methods are promising for internet traffic classification.

Lizhi Peng,Hongli Zhang,Bo Yang,Yuehui Chen

DOI: https://doi.org/10.1007/s10766-014-0337-2

2015-01-01

International Journal of Parallel Programming

Abstract:Identifying network traffic at their early stages accurately is very important for the application of traffic identification. In recent years, more and more studies have tried to build effective machine learning models to identify traffic with the few packets at the early stage. Packet sizes and statistical features have been proved to be effective features which are widely used in early stage traffic identification. However, an important issue is still unconcerned, that is whether there exists essential effectiveness differences between the two kinds of features. In this paper, we set out to evaluate the effectiveness of statistical features in comparing with packet sizes. We firstly extract the packet sizes and their statistical features of the first six packets on three traffic data sets. Then the mutual information between each feature and the corresponding traffic type label is computed to show the effectiveness of the feature. And then we execute crossover identification experiments with different feature sets using ten well-known machine learning classifiers. Our experimental results show that most classifiers get almost the same performances using packet sizes and statistical features for early stage traffic identification. And most classifiers can achieve high identification accuracies using only two statistical features.