Feilong Tang,Lu Li,Leonard Barolli,Can Tang

DOI: https://doi.org/10.1109/AINA.2017.125

2017-01-01

Abstract:Software defined networking (SDN) provides flexible management for datacenter networks with the flow-level control. Such the fine-grained management, however, consumes large amount of bandwidth between data and control planes, which results in the bottleneck in the scalability of SDN-based datacenters. "The elephant and mouse phenomenon" suggests that there are only very few elephant flows that carry the majority of bytes in datacenters so that it can improve management efficiency to detect and reroute elephant flows while leaving mice flows in data plane leveraging wildcard flow table in OpenFlow. Unfortunately, existing mechanisms for elephant flow detection suffer from high bandwidth consumption and long detection time. In this paper, we propose an efficient sampling and classification approach (ESCA) with the two-phase elephant flow detection. In the first phase, ESCA improves sampling efficiency by estimating the arrival interval of elephant flows and filtering out redundant samples using a filtering flow table. In the second phase, ESCA classifies samples with a new supervised classification algorithm based on correlation among data flows. The mathematical analysis proofs our ESCA outperforms related schemes. Extensive experiment results on real public datacenter traces further demonstrate that our ESCA can provide accurate detection with less sampled packets and shorter detection time.

Xinyue Jiang,Risheng Deng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics53846.2021.00035

2021-01-01

Abstract:The large-scale distributed network has exposed increasing attack surfaces to cyber attackers. In this paper, we present a refined network measurement mechanism, called DDoS Collaborative Mitigation Mechanism (DDoSCCM). Based on former achievements in the programmable network, our work aims at capturing the characters of abnormal traffic and presenting an antedating reaction, constrained by limited resources of the switching ASIC. In-band Network Telemetry (INT) technique achieves real-time monitoring of the network by utilizing the device data acquisition on the data plane. Our work helps the network operator not only to learn the status of the network but also to issue an appropriate mitigation strategy faster and more accurately. DDoSCCM aims at delegating both detection and mitigation processes to the programmable switch. Consequently, the theoretical analysis and experimental results show that DDoSCCM can meet practical requirements and have a certain application value.

Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Dawei Wang,Luoshi Zhang,Zhenlon Yuan,Yibo Xue,Yinfei Dong

DOI: https://doi.org/10.1109/iccnc.2014.6785298

2014-01-01

Abstract:Network traffic classification is critical to both network management and system security. However, existing traffic classification techniques become less effective as more P2P applications use proprietary protocols for delivery and encryption. Especially, current techniques usually focus on individual flows and do not consider all flows associated with an application together. To address this issue, this paper proposes a novel Application Behavior Characterization (ABC) technique. We design a novel application behavior feature extracting method and an effective classification algorithm, which explore the correlation of multiple flows of a specific application. We evaluate the proposed method with real network traffic. The experimental results show that it can correctly identify flows belonging to a set of known P2P applications (such as Skype, Thunder, and PPTV) with a probability over 90%. Moreover, it can further identify the particular application that a flow belongs to with a precision of 90% on average. More information about implementing and deploying ABC can be found in a technical report [10].

ZHANG Luo-shi,WANG Da-wei,XUE Yi-bo

DOI: https://doi.org/10.11959/j.issn.1000-436x.2015070

2015-01-01

Abstract:Traditional methods of protocol identification, which is mainly based on individual flow, lose their effective-ness as dealing with sophisticated network applications. A novel model of identifying sophisticated network applications, called flow-aware model, is addressed. This proposed model abstracts the characteristics of sophisticated network appli-cations from spatial dimension, time dimension and flow dimension, and provides the detailed analysis and deeply mining in characteristics of behaviors and states. Based on this model, a framework and method of sophisticated network appli-cations identification is proposed. The experimental results demonstrate that the proposed method can achieve the pur-pose of identifying sophisticated network applications effectively.

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Yibo XUE,Dawei WANG,Luoshi ZHANG

DOI: https://doi.org/10.3778/j.issn.1673-9418.1306030

2014-01-01

Abstract:Along with the rapid development of Internet, the Internet service providers (ISPs) and network manage-ment departments are urgent to analyze the operating state of Internet, in order to guarantee the usability, stability and security of Internet. However, due to the rapidly growing user number, the ever increasing Internet bandwidth, the continuous change of traffic characteristics and the more and more complexity of the new emerging applications, it is facing with more and more challenges for network analysis. Therefore, in order to solve these issues, this paper proposes a novel analysis theory and method, named as network flow field. Network flow field not only concerns the“solid”metrics such as network packets and flows, but also pays more attention to the distribution and trend of network traffic, so it can reveal the traffic distribution and the relationship among network hosts, thus can reflect the social attributes of Internet. Based on the qualitative and quantitative analysis, network flow field theory and method can analyze the network deeply by using a new kind of view, it can not only obtain the basic statistical information of network traffic, bus also dig out its secret and implication information, such as timing relationship, state transition relationship, private network topology, key paths and key nodes, etc. The experimental results show that network flow field theory and method can achieve a good performance. Therefore, network flow field theory can provide the efficient framework and model for network traffic analysis, so as to guide the further research of network manage-ment, analysis and measurement field.

Tao Qin,Xiaohong Guan,Yi Long,Wei Li

DOI: https://doi.org/10.1109/icis.2009.104

2009-01-01

Abstract:Users' character analysis and control are important for enterprise network management and security. In this paper, we propose a novel method to classify the users' behaviors into different security levels and control their behaviors with corresponding strategies. Firstly, Dflow model and several traffic features, including the number of packets, number of flows, flow durations, etc., are proposed to capture the users' characters. They are obtained from different layers of the OSI communication model, such as the network layer and transport layer. Secondly, we define scores for users' behaviors according to their traffic patterns using a flexible method with adjustable weight factors, and different monitoring aims can be achieved by adjusting the weight factors. Based on the behavior score, the users' behaviors are classified into three security levels: low-dangerous, mid-dangerous and high-dangerous levels. Finally, the mid (high)-dangerous users' behaviors are controlled by a dynamic quarantine method based on the principle of "assume guilty before proven innocent". We quarantine a user whenever its behavior is classified into the mid (high)-dangerous levels by blocking its traffic. Then the quarantine is released after a short time, even if the users have not been inspected by security managers yet. In this way, we can remove the potential threats from the monitoring network without interfering the users' normal activities severely. The experimental results based on actual traffic data show that the methods proposed in this paper are simple, flexible and of high accuracy, which can be used for real-time enterprise network monitoring and management.

Changyu Wang,Xiaohong Guan,Tao Qin

DOI: https://doi.org/10.23919/INM.2017.7987336

2017-01-01

Abstract:Recently, network traffic classification has attracted a great deal of attention among researchers. In this paper, we proposed a traffic classification approach based on characteristics of subflows and ensemble learning. Aiming at neutralization of unstable network environment as well as taking advantage of ensemble learning, we divided the traffic flows into different subflows in order to reduce the affection of time. Moreover, we develop truncation method on flows for real-time processing and an aggregation machine learning method based on accuracy of each classifier to different applications. Finally, the experimental results based on actual traffic traces collected from the campus network of Xian Jiaotong University verify the effectiveness of our methods.

Yuanyuan Qiao,Zhizhuang Xing,Zubair Md. Fadlullah,Jie Yang,Nei Kato

DOI: https://doi.org/10.1109/mwc.2018.1700186

IF: 12.777

2018-02-01

IEEE Wireless Communications

Abstract:The recent explosion of data traffic calls for specialized systems to monitor the status of networks. Traditionally, Internet service providers collect and analyze IP flow data as they present an aggregated view of traffic. In the era of mobile big data, new approaches are required to address new challenges regarding the flow characterization in the next generation wireless networks. In this article, we propose a framework for mobile big data, referred to as FMBO, which provides massive data traffic collection, storage, processing, analysis, and management functions, to cope with the tremendous amount of data traffic. In particular, by analyzing the specific characteristics of the mobile big data from flow, application, and user behavior, such as high volume, diversity of applications, and spatio-temporal distribution, our proposed FMBD demonstrates its capability to offer real data-based advice to address new challenges for future wireless networks from the viewpoints of both operators and individuals. Tested by real mobile big data, FMBD has been operational for more than five years, and can be generalized to other environments with massive data traffic or big data.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Lu Zhou,Ye Zhu,Tianrui Zong,Yong Xiang

DOI: https://doi.org/10.1016/j.future.2022.02.006

IF: 7.307

2022-07-01

Future Generation Computer Systems

Abstract:Distributed Denial of Service (DDoS) attacks still be a great threat to the availability of online servers. To defend against attacks, the challenge is not only detecting DDoS attacks as they occur but also identifying, and thus blocking the attack flows. However, existing classification methods cannot accurately and efficiently differentiate between attack flows and benign flows. In this paper, we propose a DDoS attack flow classification system, named SAFE, to accurately and quickly identify attack flows in network layer. First, SAFE chooses the optimal features by removing the redundant features and selecting the most informative features. Second, a threshold tuning method is proposed to identify the best threshold for each feature. Finally, an aggregated feature-based linear classifier is proposed to weight the selected features for classification. Since the proposed method monitors the flows in network layer, it can detect the traditional DDoS attack flows as well as the attack flows launched by Internet of Thing (IoT) devices. Comprehensive experiments are carried out on one IoT and two sophisticated DDoS attacks to evaluate the classification performance of the proposed method. The comparison results show that SAFE can achieve better classification performance than the state-of-the-art methods in terms of classification accuracy and efficiency.

Shahbaz Rezaei,Xin Liu

DOI: https://doi.org/10.1109/ICCCN49398.2020.9209652

2020-05-09

Abstract:Traffic classification has various applications in today's Internet, from resource allocation, billing and QoS purposes in ISPs to firewall and malware detection in clients. Classical machine learning algorithms and deep learning models have been widely used to solve the traffic classification task. However, training such models requires a large amount of labeled data. Labeling data is often the most difficult and time-consuming process in building a classifier. To solve this challenge, we reformulate the traffic classification into a multi-task learning framework where bandwidth requirement and duration of a flow are predicted along with the traffic class. The motivation of this approach is twofold: First, bandwidth requirement and duration are useful in many applications, including routing, resource allocation, and QoS provisioning. Second, these two values can be obtained from each flow easily without the need for human labeling or capturing flows in a controlled and isolated environment. We show that with a large amount of easily obtainable data samples for bandwidth and duration prediction tasks, and only a few data samples for the traffic classification task, one can achieve high accuracy. We conduct two experiment with ISCX and QUIC public datasets and show the efficacy of our approach.

Machine Learning

Tao Qin,Lei Wang,Zhaoli Liu,Xiaohong Guan

DOI: https://doi.org/10.1016/j.knosys.2015.03.002

IF: 8.139

2015-01-01

Knowledge-Based Systems

Abstract:Application identification plays an essential role in network management such as intrusion detection and security monitoring. But the continuous growth of bandwidth and massive amount of packets pose serious challenges for efficacious and accurate application identification. In this paper, we develop a new method to reduce the number of packets being processed while achieving the goal of accurate P2P and VoIP application identification. Firstly, we employ the Bi-flow model to aggregate traffic packets into Bi-flow, which can capture the exchange behavior characteristics between different terminals. Then we employ the signature of Packet Size Distribution (PSD) to capture flow dynamics, which is defined as the payload length distribution probability of the packets in one Bi-flow. Secondly, we collect PSD of several different P2P and VoIP applications and the analysis results show that PSD of different applications are different with each other, which can be used as features to perform traffic identification. We also find the PSD characteristics of one Bi-flow can be captured by its first few packets, which demonstrate our methods can identify the Bi-flow quickly after its establishment. We employ the Renyi cross entropy to perform identification by calculating the similarity between PSD of the Bi-flow being identified and that of specific application. If the similarity is higher than a selected threshold, the Bi-flow being identified is classified to the specific application. Finally, as the PSD is a type of probability feature which is not sensitive to packet lose, we integrate the Poisson sampling method into our framework to process the massive data in backbone networks. Experimental results using the artificial and actual traces collected from monitoring platform in the Northwest Center of CERNET (China Education and Research Network) verify the accuracy and robustness of our method.

Yan Tong,Jian Zhang,Wei Chen,Mingdi Xu,Tao Qin

DOI: https://doi.org/10.1007/978-3-319-78139-6_30

2017-01-01

Abstract:Focus on the difficulty of large-scale network traffic monitoring and analysis, this paper proposed the concepts of Group Behavior Flow model to aggregate traffic packets and perform abnormal behavior detection. Based on the flow model the pivotal traffic metrics can be extracted while the number of flow records are reduced significantly. Secondly, we employ the graph model to capture the traffic feature distribution between different group users. And optical flow analysis methods are proposed to extract the dynamic behavior changing features between different groups and achieve the goal of abnormal behavior detection. The experimental results based on actual traffic traces show that the methods proposed in this paper can capture the traffic features effectually in the current 10 Gbps network environment, and achieve the goal of abnormal behavior detection and abnormal source location, which is very important for traffic management.

Xiaofei Bu,Yu-E Sun,Yang Du,Xiaocan Wu,Boyu Zhang,He Huang

DOI: https://doi.org/10.1007/s12083-020-01036-8

2021-01-11

Abstract:Detecting the flows with abnormally large spreads over big network data can help us identify network attacks, such as DDoS attacks and scanners. Most per-flow measurement studies use compact data structures to reduce their memory requirements, fitting in the limited on-chip memory and catching up with the line rate. In this paper, we study a novel problem called spread estimation among multi-periods to measure the total number of distinct elements or the number of distinct <i>k</i>-persistent elements in a flow among multiple traffic measurement periods. In our design, we use an on-chip/off-chip model to record the per-flow traffic information, which uses small on-chip memory and matches the line rate, <i>i.e.</i>, we use on-chip memory to filter out the duplicates, sample the elements, and store the sampled traffic data in off-chip memory. By performing the set operations on the sampled traffic data, we can derive the total number of distinct elements and the number of distinct <i>k</i>-persistent elements among multiple periods based on probability analysis. The experimental results on real Internet traffic traces show that, when performing spread estimation among multiple periods, our estimator is efficient in memory usage and estimation accuracy and can efficiently detect the stealthy DDoS attack and scanners.

computer science, information systems,telecommunications

Xiaodong Zang,Jian Gong,Maoli Wang,Peng Gao,Guowei Zhang

DOI: https://doi.org/10.1016/j.jnca.2023.103603

IF: 7.574

2023-04-01

Journal of Network and Computer Applications

Abstract:Discovering and describing IP traffic behavior is becoming more and more significant for efficient network management and security monitoring. Recently, many modeling techniques have been proposed, most of which focused on properties of a single dimension, such as volume-based or spatial-based. Characterizing IP traffic behavior with individual dimension features is often insufficient as they are spatiotemporally correlated. In this paper, we demonstrate that IP traffic behavior can be profiled from the perspective of end users’ access relationship. We find that groups of IPs have similar behavior traits, and with insights from the identified behavior profiles, we can discover malicious traffic behavior in the overwhelming measurement data. To this end, firstly, we extract a collection of features to profile traffic behavior from the dimension of temporal, spatial, category, and intensity. Then, we characterize and model the rhythmic behavior, the cyclical behavior, the access stable behavior, the service diversity behavior, and the hotspot behavior. Finally, we use the open-source dataset, synthetic data, and the real Internet Netflow data collected from the China Education Research Network backbone (CERNET) to empirically validate our proposal. Extensive results demonstrate that the applications of derived traffic patterns can achieve fine-grained traffic monitoring.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Donghong Qin,Jiahai Yang,Jiamian Wang,Bin Zhang

DOI: https://doi.org/10.1109/icct.2011.6158005

2011-01-01

Abstract:With the rapid development of Internet, many network applications (e.g., P2P) use dynamic ports and encryption technology, which makes the traditional port and payload-based classification methods ineffective. Hence, it is important and necessary to find the more effective ones. Currently the machine learning (ML) techniques provide a promising alternative one for IP traffic classification. In this work, we use the ML-based classification method to identify the classes of the unknown flows using the payload-independent statistical features such as packet-length and arrival-interval. In order to improve the efficiency of the classification methods, the feature reduction techniques are further adopted to refine the selected features for attaining a best group of features. Finally we compare and evaluate the ML classification algorithms based on the BRASIL data source in terms of the three metrics such as overall accuracy, average precision and average recall. Our experiments show that the decision-tree algorithm is the best ML one for IP traffic classification and is able to construct the real-time classification system.

GU Yue,LI Dan,GAO Kaihui

DOI: https://doi.org/10.11959/j.issn.1000-0801.2021052

2021-01-01

Abstract:With the continuous development of Internet technology and the continuous expansion of network scale, there are many different types of applications , and various new applications have endlessly emerged.In order to ensure the quality of service (QoS) and ensure network security, accurate and fast traffic classification is an urgent problem for both operators and network managers.Firstly, the problem definition and performance metrics of network traffic classification were given.Then, the traffic classification methods based on machine learning and deep learning were introduced respectively, the advantages and disadvantages of these methods were analyzed, and the existing problems were expounded.Next, the related work by focusing on the three problems encountered elaborated and analyzed in traffic classification when considering online deployment: dataset, zero-day application identification and the cost of online deployment, and further discusses the challenges faced by the current network traffic classification researches.Finally, the next research direction of network traffic classification was prospected.

Josef Koumar,Karel Hynek,Tomáš Čejka

2023-07-25

Abstract:Network traffic monitoring using IP flows is used to handle the current challenge of analyzing encrypted network communication. Nevertheless, the packet aggregation into flow records naturally causes information loss; therefore, this paper proposes a novel flow extension for traffic features based on the time series analysis of the Single Flow Time series, i.e., a time series created by the number of bytes in each packet and its timestamp. We propose 69 universal features based on the statistical analysis of data points, time domain analysis, packet distribution within the flow timespan, time series behavior, and frequency domain analysis. We have demonstrated the usability and universality of the proposed feature vector for various network traffic classification tasks using 15 well-known publicly available datasets. Our evaluation shows that the novel feature vector achieves classification performance similar or better than related works on both binary and multiclass classification tasks. In more than half of the evaluated tasks, the classification performance increased by up to 5\%.

Machine Learning,Networking and Internet Architecture