Zhou Wengang,Chen Leiting,Dong Shi

DOI: https://doi.org/10.3724/sp.j.1187.2013.01114

2013-01-01

JOURNAL OF ELECTRONIC MEASUREMENT AND INSTRUMENT

Abstract:A number of network activities can benefit from accurate traffic classification and identification. However, the current classification methods, either port-based or payload-based, are becoming ineffective as many P2P applications use dynamic port numbers, masquerading techniques, and encryption to avoid detection. This paper discusses and explores a new method that is based on supervised machine learning mechanisms, which eliminate the inherent limitations of port-based or payload-based methods. A series of experiments show that, combined with a fast correlation-based feature selection filter, better performance and more accurate identification results can be obtained using the neural network method. Due to all the favorable features and satisfactory performance, the proposed methods are promising for internet traffic classification.

Xiaoyu Ma,Feiyan Chen

DOI: https://doi.org/10.4028/www.scientific.net/amr.433-440.5193

2012-01-01

Advanced Materials Research

Abstract:The P2P streaming media technology is popular and promising in recent years, to ensure the correctness of the identification method, and improve the identification rate and accuracy of the network traffic, this paper proposes a identification principle and algorithm of the P2P network traffic, and gives the overall structure of the system, Finally, puts up the system test environment. The experimental results show that the identification method of the network traffic proposed in this paper can effectively improve the identification rate and accuracy of the network traffic, the scheme has the value of further research and promotion.

ZHANG Yong,HE Guo-guang

DOI: https://doi.org/10.3969/j.issn.1674-599X.2007.02.008

2007-01-01

Abstract:The chaos and non-chaos traffic flow are multi-scale decomposed,the results indicate that different category sequence have different structure in high frequency coefficient.Using this difference one method of identification for the chaos traffic flow based history information is put forward.The experimental result indicates that the new identification method can use fewer samples than traditional method and the recognition rate is high.This method is also suitable for identification for chaos of other definite system.

Yi Yu,Yanlei Cui,Jiaqi Zeng,Chunguang He,Dianhai Wang

DOI: https://doi.org/10.1016/j.physa.2021.126750

IF: 3.778

2021-01-01

Physica A Statistical Mechanics and its Applications

Abstract:Monitoring traffic states of urban road networks is essential to relieving traffic burdens and designing traffic management strategies. However, most traffic state estimation methods are data-driven and barely consider the traffic network topology characteristics. In this paper, we propose a model-driven approach to partition the network into several traffic clusters, providing a macro-perspective for traffic state monitoring and potential support for perimeter controls. Traffic state and network topology information are both considered in the approach. We obtain the traffic state index of each segment with license plate recognition data and traffic network topology information, considering the heterogeneity and direction of segments. The road graph is constructed based on graph theory, and we modify the RatioCut algorithm and turn hyper-parameters automatically to identify traffic clusters in the road graph. We verified the proposed approach by a large-scale urban network in Hangzhou, China. The visualization and comparison results with conventional spectral clustering, DBSCAN, and K-means demonstrate the superiority and application value of the proposed approach.

Jing Yuan,Zhu Li,Ruixi Yuan

DOI: https://doi.org/10.1109/icc.2008.307

2008-01-01

Abstract:In this paper, we develop an unsupervised machine learning method for network traffic classification. First, the traffic flows from active hosts are separated into different clusters by sequentially applying the information entropy techniques. The clusters are then classified into broad-based application types by examining the parameters of the clusters, as well as the dynamic properties of the clusters during the clustering process. Experiment results from a campus backbone environment are presented, where the network traffic flows from the top 20 active hosts are identified. The results showed that the identification accuracy is approximately 93.81%. This compares to prior works using unsupervised machine learning methods, where the classification accuracy is generally lower, with the highest being 86.5%. We also show that our method can be combined with supervised learning method to further improve the classification accuracy and perform automatic training on the classification engine.

Arpit Jain,Tushar Mehrotra,Ankur Sisodia,Swati Vishnoi,Sachin Upadhyay,Ashok Kumar,Chaman Verma,Zoltán Illés

DOI: https://doi.org/10.1016/j.heliyon.2023.e17530

IF: 3.776

2023-06-28

Heliyon

Abstract:The process of examining the data flow over the internet to identify abnormalities in wireless network performance is known as network traffic analysis. When analyzing network traffic data, traffic classification becomes an important task. The traffic data classification is used to determine whether data in network traffic is in real-time or not. This analysis controls network traffic data in a network and allows for efficient network performance improvement. Real-time and non-real-time data are effectively classified from the given input data set using data mining clustering and classification algorithms. The proposed work focuses on the performance of traffic data classification with high clustering accuracy and low Classification Time (CT). This research work is carried out to fill the gap in the existing network traffic classification algorithms. However, the traffic data classification remained unaddressed for performing the network traffic analysis effectively. Then, we proposed an Enhanced Self-Learning-based Clustering Scheme (ESLCS) using an enhanced unsupervised algorithm and adaptive seeding approach to improve the classification accuracy while performing the real-time traffic data distribution in wireless networks. Test-bed results demonstrate that the proposed model enhances the clustering accuracy and True Positive Rate (TPR) effectively as well as reduces the CT time and Communication Overhead (CO) substantially to compare with the peer-existing routing techniques.

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Tao Qin,Lei Wang,Zhaoli Liu,Xiaohong Guan

DOI: https://doi.org/10.1016/j.knosys.2015.03.002

IF: 8.139

2015-01-01

Knowledge-Based Systems

Abstract:Application identification plays an essential role in network management such as intrusion detection and security monitoring. But the continuous growth of bandwidth and massive amount of packets pose serious challenges for efficacious and accurate application identification. In this paper, we develop a new method to reduce the number of packets being processed while achieving the goal of accurate P2P and VoIP application identification. Firstly, we employ the Bi-flow model to aggregate traffic packets into Bi-flow, which can capture the exchange behavior characteristics between different terminals. Then we employ the signature of Packet Size Distribution (PSD) to capture flow dynamics, which is defined as the payload length distribution probability of the packets in one Bi-flow. Secondly, we collect PSD of several different P2P and VoIP applications and the analysis results show that PSD of different applications are different with each other, which can be used as features to perform traffic identification. We also find the PSD characteristics of one Bi-flow can be captured by its first few packets, which demonstrate our methods can identify the Bi-flow quickly after its establishment. We employ the Renyi cross entropy to perform identification by calculating the similarity between PSD of the Bi-flow being identified and that of specific application. If the similarity is higher than a selected threshold, the Bi-flow being identified is classified to the specific application. Finally, as the PSD is a type of probability feature which is not sensitive to packet lose, we integrate the Poisson sampling method into our framework to process the massive data in backbone networks. Experimental results using the artificial and actual traces collected from monitoring platform in the Northwest Center of CERNET (China Education and Research Network) verify the accuracy and robustness of our method.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1109/glocom.2008.ecp.475

2008-01-01

Abstract:Accurate and fast identification of network traffic is an important element of many network management tasks such as QoS provisioning and security monitoring. However, as many newly-emerged Peer-to-Peer (P2P) applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, the classical approaches based on port mapping and payload analysis are ineffective. An alternative approach is to classify traffic by distinguishing the behavior of an application within the first few packets of TCP connection. We pursue this approach and demonstrate that information of few packets is enough to effectively identify P2P traffic. In our work, C4.5 decision tree and REPTree are evaluated and compared with the previously used clustering method K-Means. Experimental results show that our approaches outperform K- Means algorithm in accuracy. In addition, the proposed approaches can accommodate known and unknown P2P traffic and even encrypted traffic in fast and accurate way, which ensures the real-time applications on the Internet traffic surveillance and QoS provisioning.

YU Han-Bing,WANG Ji-Long

2008-01-01

Periodical of Ocean University of China

Abstract:Abnormal traffic appears very different from normal traffic on the distribution of both destination IP address and time.This paper clusters the Netflow records of the traffic via the campus network based on the higher 16 bits of the outer IP address,finding that some clusters appear unusual on frequency of the emergence.This paper analyzes two kinds of typical cluster,proposes a method to detect anomaly sources insides the campus network using the clusters,and finds the differences of two kinds of anomaly source.Comparing with common anomaly detection methods,this method has fewer amounts of data required for dealing with,and therefore higher efficiency.

Li Qu,Jianming Hu,Yi Zhang

DOI: https://doi.org/10.1109/ITSC.2010.5625105

2010-01-01

Abstract:The detected traffic data for single point or link cannot satisfy the needs for network-level traffic status information with the rapid development of the traffic control and guidance systems. This paper proposed a modeling and clustering method for network-level urban traffic status based on the dynamic traffic flow assignment ratios. The traffic assignment ratio matrix model integrates traffic status, topology and relation between links, with the dynamic traffic assignment ratios estimated by Linear Programming. The network-level traffic status is clustered by Self-Organizing Map and the typical patterns are discovered. The experiment proves the efficiency and applicability of this method for network-level traffic status modeling and analyzing.

ZHANG Luo-shi,WANG Da-wei,XUE Yi-bo

DOI: https://doi.org/10.11959/j.issn.1000-436x.2015070

2015-01-01

Abstract:Traditional methods of protocol identification, which is mainly based on individual flow, lose their effective-ness as dealing with sophisticated network applications. A novel model of identifying sophisticated network applications, called flow-aware model, is addressed. This proposed model abstracts the characteristics of sophisticated network appli-cations from spatial dimension, time dimension and flow dimension, and provides the detailed analysis and deeply mining in characteristics of behaviors and states. Based on this model, a framework and method of sophisticated network appli-cations identification is proposed. The experimental results demonstrate that the proposed method can achieve the pur-pose of identifying sophisticated network applications effectively.

Guo-guang HE,Jing-gang LU,Fu-ping TANG,Yu-hong CHEN

DOI: https://doi.org/10.3969/j.issn.1674-599x.2007.01.012

2007-01-01

Abstract:There were many subjective factors in the fuzzification of traffic flow states of existed research about traffic fuzzy control.A hierarchical subtractive clustering algorithm based on modified fuzzy C-means is proposed.It finds that the cluster centers using modified fuzzy C-means clustering algorithm give the membership threshold of the centers adaptively,perform the clustering progressively and then the clustering for the data set with unknown number of clusters is completed.The improved algorithm is applied to the fuzzification of traffic flow states.It can give the number of categories of traffic flow states and the configuration of all kinds of membership functions more accurately.An example is given to show that the proposed algorithm clusters the Gaussian distributed data patterns without a prior information about the number of clusters with good effectiveness and fast clustering convergence.

Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Qiliang Liu,Jie Yang,Min Deng,Ci Song,Wenkai Liu

DOI: https://doi.org/10.1080/13658816.2021.1899184

2021-03-16

International Journal of Geographical Information Science

Abstract:<span>Identifying clusters from individual origin–destination (OD) flows is vital for investigating spatial interactions and flow mapping. However, detecting arbitrarily-shaped and non-uniform flow clusters from network-constrained OD flows continues to be a challenge. This study proposes a shared nearest-neighbor-based clustering method (SNN_flow) for inhomogeneous OD flows constrained by a road network. To reveal clusters of varying shapes and densities, a normalized density for each OD flow is defined based on the concept of shared nearest-neighbor, and flow clusters are constructed using the density-connectivity mechanism. To handle large amounts of disaggregated OD flows, an efficient method for searching the network-constrained <i>k</i>-nearest flows is developed based on a local road node distance matrix. The parameters of SNN_flow are statistically determined: the density threshold is modeled as a significance level of a significance test, and the number of nearest neighbors is estimated based on the variance of the <i>k</i>th nearest distance. SNN_flow is compared with three state-of-the-art methods using taxicab trip data in Beijing. The results show that SNN_flow outperforms existing methods in identifying flow clusters with irregular shapes and inhomogeneous distributions. The clusters identified by SNN_flow can reveal human mobility patterns in Beijing.</span>

geography, physical,computer science, information systems,information science & library science

Guolou Ping,Shuo Feng,Yehao Li,Xiaojun Ye

DOI: https://doi.org/10.1109/iccc56324.2022.10065635

2022-01-01

Abstract:To address the challenge of lacking labeling information in network traffic anomaly detection, we propose an unsupervised anomaly detection algorithm based on cascading representation and multiple-clustering. First, this paper designs a cascading representation method to obtain discriminative traffic features. We create a residual auto-encoder that employs generative learning to capture generic statistical expressions. We augment the time-series features in various ways and leverage contrastive learning to capture discriminative representations. We develop a host identification task based on triplet loss, enhancing feature discrimination in addition to cascading two feature representations. Second, we design a multiple-clustering-based algorithm for anomalous traffic detection. By performing KMeans on the cascading feature representations, we obtained clustering centers to replace each cluster and avoid the problem of unbalanced abnormal traffic. By applying DBSACAN clustering with a tree structure to these clustering centers and using the height of the anomalies to calculate the traffic anomaly score, we can detect abnormal network traffic flexibly. Finally, we conducted experimental validation on several commonly used intrusion detection datasets. The experimental results show that the method proposed in this paper generally outperforms the comparison methods.

Chonghua Wang,Hao Zhou,Zhiqiang Hao,Shu Hu,Jun Li,Xueying Zhang,Bo Jiang,Xuehong Chen

DOI: https://doi.org/10.1016/j.comnet.2022.108760

IF: 5.493

2022-03-01

Computer Networks

Abstract:Due to the ever-growing presence of network traffic, there has been a considerable amount of research on anomaly detection in network traffic by clustering. Most of them have not considered the problem that collective anomaly detection in network traffic. Collective anomaly might scatter among multiple clusters when applying the clustering-based algorithms in the anomaly detection. In this paper, we propose a progressive exploration framework for collective anomaly detection on network traffic based on a clustering method, called CCAD. CCAD enables analysts to effectively explore collective anomaly in network traffic. This framework is different from the other anomaly detection methods. It is based on the analysis of the influence of collective anomaly on the clustering results in the network traffic stream data. CCAD framework efficiently supports the collective anomaly exploration. As demonstrated by our extensive experiments with real-world data, CCAD has high detection rate in comparison with other existing methods.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Weitao Weng,Kai Lei,Kuai Xu,Xiaoyou Liu,Tao Sun

DOI: https://doi.org/10.1007/978-3-319-39937-9_29

2016-01-01

Abstract:Campus networks consist of a rich diversity of end hosts including wired desktops, servers, and wireless BYOD devices such as laptops and smartphones, which are often compromised in insecure networks. Making sense of traffic behaviors of end hosts in campus networks is a daunting task due to the open nature of the network, heterogeneous devices, high mobility of end users, and a wide range of applications. To address these challenges, this paper applies a combination of graphical approaches and spectral clustering to group the Internet traffic of campus networks into distinctive traffic clusters in a divide-and-conquer manner. Specifically, we first model the data communication between a particular subnet of campus networks and the Internet on a specific application port via bipartite graphs, and subsequently use the one-mode projection to capture behavior similarity of end hosts in the same subnet for the same network applications. Finally we apply a spectral clustering algorithm to explore the behavior similarity to identify distinctive application clusters within each subnet. Our experimental results have demonstrated the benefits of our proposed method for analyzing Internet traffic of a large university town to discover anomalous behaviors and to uncover distinctive temporal and spatial traffic patterns.

Meng Qin,Kai Lei,Bo Bai,Gong Zhang

DOI: https://doi.org/10.1145/3341216.3342213

2019-01-01

Abstract:In this paper, we study the network traffic classification task. Different from existing supervised methods that rely heavily on the labeled statistic features in a long period (e.g., several hours or days), we adopt a novel view of unsupervised profiling to explore the flow features and link patterns in a short time window (e.g., several seconds), dealing with the zero-day traffic problem. Concretely, we formulate the traffic identification task as a graph co-clustering problem with topology and edge attributes, and proposed a novel Hybrid Flow Clustering (HFC) model. The model can potentially achieve high classification performance, since it comprehensively leverages the available information of both features and linkage. Moreover, the two information sources integrated in HFC can also be utilized to generate the profiling for each flow category, helping to reveal the deep knowledge and semantics of network traffic. The effectiveness of the model is verified in the extensive experiments on several real datasets of various scenarios, where HFC achieves impressive results and presents powerful application ability.

Xiaochun Wu,Fengyu Zhang,Chunming Wu,Qiang Yang

DOI: https://doi.org/10.1109/ISCIT.2011.6089745

2011-01-01

Abstract:Network virtualization, through building multiple virtual networks on top of a shared substrate, provides a potential strategy for addressing the ossification of the Internet and encourages network innovation. Traffic clustering is the base and key technology in network virtu-alization. This paper presents a two-layer traffic clustering algorithm. In the first layer, different types of user traffic are clustered into LDR and HDR according to their time characteristics, in the second layer, a revised K-means algorithm is introduced to further classify the traffic in HDR set, the result is used to match the user specified virtual network construction parameters to traffic clustering parameters which will provide finer bandwidth management capability for SPs. Numerical results obtained from experimental show that the result of clustering is dynamically and universally adaptive to the different types of traffic. The proposed two-layer traffic clustering scheme contributes to the constructing of virtual networks. © 2011 IEEE.