Showing papers on "Traffic classification published in 2007"

Traffic classification through simple statistical fingerprinting

Abstract: The classification of IP ows according to the application that generated them is at the basis of any modern network management platform. However, classical techniques such as the ones based on the analysis of transport layer or application layer information are rapidly becoming ineffective. In this paper we present a ow classification mechanism based on three simple properties of the captured IP packets: their size, inter-arrival time and arrival order. Even though these quantities have already been used in the past to define classification techniques, our contribution is based on new structures called protocol fingerprints, which express such quantities in a compact and efficient way, and on a simple classification algorithm based on normalized thresholds. Although at a very early stage of development, the proposed technique is showing promising preliminary results from the classification of a reduced set of protocols.

Identifying and discriminating between web and peer-to-peer traffic in the network core

Abstract: Traffic classification is the ability to identify and categorize network traffic by application type. In this paper, we consider the problem of traffic classification in the network core.Classification at the core is challenging because only partial information about the flows and their contributors is available. We address this problem by developing a framework that can classify a flow using only unidirectional flow information. We evaluated this approach using recent packet traces that we collected and pre-classified to establish a "base truth". From our evaluation, we find that flow statistics for the server-to-client direction of a TCP connection provide greater classification accuracy than the flow statistics for the client-to-server direction. Because collection of the server-to-client flow statistics may not always be feasible, we developed and validated an algorithm that can estimate the missing statistics froma unidirectional packet trace.

A Machine Learning Approach for Efficient Traffic Classification

Abstract: Traffic classification is of fundamental importance to track the evolution of network applications and model their behaviours. Further, classified traffic is required to understand how the Internet is being used, and to effectively control the services that traffic receives. In this paper we present a machine-learning approach that accurately classifies live traffic using C4.5 decision tree. By collecting 12 features at the start of the flows, without inspecting the packet payload, our method can identify live traffic of different types of applications with 99.8% total accuracy. Moreover, accuracy is not our only concern; we also consider the latency and throughput as of high importance.

Network testing and monitoring systems

Abstract: A method of testing a digital mobile phone network such as a GPRS or 3G network comprises either using real traffic or creating test traffic using test mobile phone coupled to a computer, and using the computer to measure a parameter associated with the network's response to the traffic. The measurements made by the computer are themselves sent as traffic to create one or more data streams within the mobile phone network comprising the traffic, measurements relating to the traffic, and signalling relating to the traffic, whereby this data stream or these streams can be captured at interface points within the network and analysed to investigate the functioning of the network dynamically as the network is exercised with the traffic. Software and test equipment for performing the method are also described.

Accurate Classification of the Internet Traffic Based on the SVM Method

Abstract: The need to quickly and accurately classify Internet traffic for security and QoS control has been increasing significantly with the growing Internet traffic and applications over the past decade. Pattern recognition by learning the features in the training samples to classify the unknown flows is one of the main methods. However, many methods developed in the previous works are too complicated to be applied in real-time, and the prior probabilities based on the training samples are severely biased. This paper uses the SVM (support vector machine) method to train 7 classes of applications of different characteristics, captured from a campus network backbone. A discriminator selection algorithm is developed to obtain the best combination of the features for classification. Our optimized method yields approximately 96.9% accuracy for un-biased training and testing samples. For regular biased samples, the accuracy is about 99.4%. Furthermore, all the feature parameters are computable in real time from captured packet headers, suggesting real time network traffic classification with high accuracy is achievable.

Semi-supervised network traffic classification

Abstract: Identifying and categorizing network traffic by application type is challenging because of the continued evolution of applications, especially of those with a desire to be undetectable. The diminished effectiveness of port-based identification and the overheads of deep packet inspection approaches motivate us to classify traffic by exploiting distinctive flow characteristics of applications when they communicate on a network. This paper proposes a traffic classification methodology that relies on using only flow statistics to classify traffic. We introduce a flexible mathematical framework that leverages both labeled and unlabeled flows. This semi-supervised [1] approach to learning a network traffic classifier is one key contribution of this work. There are three main advantages to our proposed semisupervised approach. First, fast and accurate classifiers can be obtained by training with a small number of labeled flows mixed with a large number of unlabeled flows. Second, our approach is robust and can handle both previously unseen applications and changed behavior of existing applications. Furthermore, our approach allows iterative development of the classifier by allowing network operators the flexibility of adding unlabeled flows to enhance the classifier’s performance. Third, our approach can be integrated with solutions that collect flow statistics. For example, our framework can leverage recent work on flow estimation and can classify traffic at both the edge and the core of the network [5]. As a proof of concept, we implemented prototype offline and realtime classification systems. A distinguishing aspect of our work is the implementation of a realtime classifier in the Bro [6] Intrusion Detection System (IDS). We also consider the longevity of classifiers [4]. Our experiments with long-term Internet packet traces suggests that classifiers are generally applicable over reasonably long periods of time (e.g., on the order of weeks) with retraining necessary when there are significant changes in the network usage patterns including introduction of new applications.

Network Traffic Classification Using K-means Clustering

Abstract: Network traffic classification and application identification provide important benefits for IP network engineering, management and control and other key domains. Current popular methods, such as port-based and payload-based, have shown some disadvantages, and the machine learning based method is a potential one. The traffic is classified according to the payload-independent statistical characters. This paper introduces the different levels in network traffic-analysis and the relevant knowledge in machine learning domain, analysis the problems of port-based and payload-based methods in traffic classification. Considering the priority of the machine learning-based method, we experiment with unsupervised K-means to evaluate the efficiency and performance. We adopt feature selection to find an optimal feature set and log transformation to improve the accuracy. The experimental results on different datasets convey that the method can obtain up to 80% overall accuracy, and, after a log transformation, the accuracy is improved to 90% or more.

Accurate Traffic Classification

Abstract: The analysis of network traffic can provide important information for network operators and administrators. One of the main purposes of traffic analysis is to identify the traffic mixture the network carries. A couple of different approaches have been proposed in the literature, but none of them performs well for all different application traffic types present in the Internet. Thus, a combined method that includes the advantages of different approaches is needed, in order to provide a high level of classification completeness and accuracy. According to our best knowledge, this study is the first attempt where the currently known traffic classification methods are benchmarked on network traces captured in operational mobile networks. The pros and cons of the classification methods are analyzed, based on the experienced accuracy for different types of applications. Using the gained knowledge about the strengths and weaknesses of the existing approaches, a novel traffic classification method is proposed. The novel method is based on a complex decision mechanism, in order to provide an appropriate identification mode for each different application type. As a consequence, the ratio of the unclassified traffic becomes significantly lower. Further, the reliability of the classification improves, as the various methods validate the results of each other. The novel method is tested on several network traces, and it is shown that the proposed solution improves both the completeness and the accuracy of the traffic classification, when compared to existing methods.

Detecting HTTP Tunnels with Statistical Mechanisms

Abstract: Application level gateways and firewalls are commonly used to enforce security policies at network boundaries, especially in large-sized business networks. However, several mechanisms can be used to circumvent these policies and bypass the whole security infrastructure: for example, tunneling an (otherwise blocked) application layer protocol into another one allowed by the policy, such as HTTP. In this paper we propose the application of a statistically-based traffic classification technique to solve this problem. By the analysis of inter-arrival time, size and order of the packets crossing a gateway, we show that it is possible to detect with high accuracy whether an observed flow is carrying a legitimate HTTP session, or the flow is being used to tunnel another protocol. This paper describes how this technique can be used effectively to enhance application level gateways and firewalls, helping to better apply network security policies.

Lightweight application classification for network management

Abstract: Traffic application classification is an essential step in the network management process to provide high availability of network services. However, network management has seen limited use of traffic classification because of the significant overheads of existing techniques. In this context we explore the feasibility and performance of lightweight traffic classification based on NetFlow records. In our experiments, the NetFlow records are created from packet-trace data and pre-tagged based upon packet content. This provides us with NetFlow records that are tagged with a high accuracy for ground-truth. Our experiments show that NetFlow records can be usefully employed for application classification. We demonstrate that our machine learning technique is able to provide an identification accuracy (a 91%) that, while a little lower than that based upon previous packet-based machine learning work (> 95%), is significantly higher than the commonly used port-based approach (50--70%). Trade-offs such as the complexity of feature selection and packet sampling are also studied. We conclude that a lightweight mechanism of classification can provide application information with a considerably high accuracy, and can be a useful practice towards more effective network management.

BotTorrent: misusing BitTorrent to launch DDoS attacks

Abstract: BitTorrent is currently one of the most popular peer-to-peer systems. BitTorrent clients are widely spread all over the world and account for a large fraction of today's Internet traffic. In this paper, we show that BitTorrent can be exploited by misdirecting clients to send their traffic toward any host on the Internet. The volume of a BitTorrent swarm can thus be converted into firepower for launching a distributed denial-of-service attack that can exhaust the victim's resources, including access bandwidth and connection resources. We identify novel exploits of the BitTorrent system and conduct real-life experiments that demonstrate the feasibility and severity of such attacks. We characterize the volume, duration and spread of attack traffic observed in our experiments. Finally, we discuss possible fixes and the limits of both attack and defense approaches.

Byte me: a case for byte accuracy in traffic classification

Abstract: Numerous network traffic classification approaches have recently been proposed In general, these approaches have focused on correctly identifying a high percentage of total flows However, on the Internet a small number of "elephant" flows contribute a significant amount of the traffic volume In addition, some application types like Peer-to-Peer (P2P) and FTP contribute more elephant flows than other applications types like Chat In this opinion piece, we discuss how evaluating a classifier on flow accuracy alone can bias the classification results By not giving special attention to these traffic classes and their elephant flows in the evaluation of traffic classification approaches we might obtain significantly different performance when these approaches are deployed in operational networks for typical traffic classification tasks such as traffic shaping We argue that byte accuracy must also be used when evaluating the accuracy of traffic classification algorithms

SmartTunnel: Achieving Reliability in the Internet

Abstract: Reliability is critical to a variety of network applications. Unfortunately, due to lack of QoS support across ISP boundaries, it is difficult to achieve even two 9s (99%) reliability in toadyism Internet. In this paper, we propose SmartTunnel, an end-to-end approach to achieving reliability. A SmartTunnel is a logical point-to-point tunnel between two end points that spans multiple physical network paths. It achieves reliability by strategically allocating traffic onto multiple paths and performing FEC coding. Such an end-to-end approach requires no explicit QoS support from intermediate ISPs, and is therefore easy to deploy in today's Internet. To fully realize the potential of SmartTunnel, we analytically derive near-optimal traffic allocation schemes that minimize loss rates. We extensively evaluate our approach using trace-driven simulations, ns-2 simulations, and experiments on PlanetLab. Our results clearly demonstrate that SmartTunnel is effective in achieving high reliability.

BEHAVIOR-BASED TRAFFIC DIFFERENTIATION (BTD) FOR DEFENDING AGAINST DISTRIBUTED DENIAL OF SERVICE(DDoS) ATTACKS

Abstract: Embodiments are directed toward a method for Behavior-based Traffic Differentiation (BTD) that initially receives incoming packets and performs traffic classification to determine the protocol of the incoming packets. In addition, BTD performs bandwidth division/allocation to further support traffic classification amongst non-TCP traffic such as UDP and ICMP. For TCP traffic, the method for BTD determines whether a TCP connection has been established and performs at least one of rate limiting, waiting time reduction for half-open connections, and incrementing backlog queue size when the TCP connection has not been established. If the TCP connection has been established successfully, the method for BTD further includes proactive tests for traffic differentiation which identify normal traffic, which is admitted, and attack traffic, which is dropped.

Modeling path capacity in multi-hop IEEE 802.11 networks for QoS services

Abstract: QoS provisioning in multi-hop IEEE 802.11 networks is very challenging due to the interference nature of wireless medium and the contention-based behavior among neighboring nodes. In such networks, one of the key questions for QoS support is: given a specific topology and traffic condition, how much bandwidth can be utilized along a path in the network without violating QoS demand of existing traffic? Considering that in general QoS-sensitive traffic has the well-controlled sending rate, one key observation is that the network unsaturated condition should be considered. Another observation is that, not only the interaction between the new traffic and the existing ones that can be sensed (by the new one), but also the interaction between the new traffic and the traffic that is hidden but can have influence upon the new one should be studied. Based upon the above observations, we propose an analytical model for multi-hop IEEE 802.11 networks to calculate how much bandwidth can be utilized along a path without violating the QoS requirements of existing traffic. A notion, "free channel time", which is the time allowed for a wireless link to transmit data, is introduced to analyze the path capacity. Simulation results demonstrate that our proposed analytical model can accurately predict the path capacity under various network conditions without breaking QoS demands of all existing traffic

Internet Traffic Classification Using Machine Learning

Abstract: Internet traffic identification and classification is vital to the areas of network management and security monitoring, network planning, and QoS provision. Traditional approaches such as port-based and payload-based identification are becoming increasingly difficult with many new applications (e.g. P2P) using dynamic port numbers, masquerading techniques, and encryption to avoid detection. An alternative approach is to classify traffic by exploiting the distinctive characteristics of flow statistics. We present here a traffic classification scheme based on machine learning (ML). The performance impact of the dataset size, feature selection and ML algorithm selection is demonstrated by experiments. The genetic algorithm based feature selection can dramatically reduce the ML learning and modeling time with less decrease or even a bit increase in classification accuracy. The chosen ML algorithms: TAN, C4.5, NBTree, RandomForest and distance weighted KNN, can reach high classification accuracy. Typically, C4.5 and RandomForest are superior to other ML algorithms in computational complexity. Besides, experiments show that the size of data set would impact on the classification performance, and tuning dataset's size could meet the requirements of specific applications.

A markovian signature-based approach to IP traffic classification

Abstract: In this paper we present a real-time automatic process to traffic classification and to the detection of abnormal behaviors in IP traffic. The proposed method aims to detect anomalies in the traffic associated to a particular service, or to automatically recognize the service associated to a given sequence of packets at the transport layer. Service classification is becoming a central issue because of the emergence of new services (P2P, VoIP, Streaming video, etc...) which raises new challenges in resource reservation, pricing, network monitoring, etc... In order to identify a specific signature to an application, we first of all model the sequence of its packets at the transport layer by means of a first order Markov chain. Then, we decide which service should be associated to any new sequence by means of standard decision techniques (Maximum Likelihood criterion, Neyman-Pearson test). The evaluation of our automatic recognition procedure using live GPRS Orange France traffic traces demonstrates the feasibility and the excellent performance of this approach.

Traffic analysis of mobile broadband networks

Abstract: Detailed knowledge about the traffic mixture is essential for network operators and administrators, as it is a key input for numerous network management activities. Several traffic classification approaches co-exist in the literature, but none of them performs well for all different application traffic types present in the Internet. In this study we compare and benchmark the currently known traffic classification methods on network traces captured in an operational 3G mobile network. Utilizing the experiences about the strengths and weaknesses of the existing approaches, a novel combined method is proposed aiming at improving the completeness and accuracy of classification. The novel method is based on a complex decision mechanism, which can provide appropriate identification for each different application type. As a main contribution, with the help of the new method it is shown that applications previously used only in fixed access networks may appear in mobile broadband environment.

Method and system for traffic control for providing quality of service in a network

Abstract: A method and system for providing QoS in a network using traffic management including traffic stream admission and traffic control, is provided. The traffic stream admission and control is achieved using parameterized QoS within a network. Such parameterized QoS enhances QoS service in the UPnP QoS architecture.

Active P2P Traffic Identification Technique

Abstract: Accurate traffic classification for different P2P applications is fundamental to numerous network activities, from security monitoring, capacity planning and provisioning to service differentiation. However, current P2P applications use dynamic port numbers, HTTP masquerading and inaccessible payload to prevent being identified. The paper proposed an accurate P2P identification system using Decision Tree algorithms (J48 and REPTree) on the basis of effective feature selection. The experimental results show that our scheme is of better accuracy, less computational complexity and it is robust enough to deal with the unknown P2P traffic. With the merits, the scheme can suit the real-time active detection environment, such as monitoring network attacks camouflaged with P2P traffic and service differentiation.

P2P Traffic Identification Technique

Abstract: Accurate traffic classification for different P2P applications is fundamental to numerous network activities, from security monitoring, capacity planning and provisioning to service differentiation. However, current P2P applications use dynamic port numbers, HTTP masquerading and inaccessible payload to prevent being identified. The paper proposed an accurate P2P identification system using Decision Tree algorithms (J48 and REPTree) on the basis of effective feature selection. The experimental results show that our scheme is of better accuracy, less computational complexity and it is robust enough to deal with the unknown P2P traffic. With the merits, the scheme can suit the real-time active detection environment, such as monitoring network attacks camouflaged with P2P traffic and service differentiation.

Extending the NetPDL Language to Support Traffic Classification

Abstract: Despite the importance of traffic classification in modern networks, the number of languages tailored to this task is extremely limited. These languages can be valuable, because they allow the update of an application (e.g. firewall) in terms of supported protocols by simply updating its protocol description database, instead of recompiling the application from scratch. This paper presents a set of extensions to the Network Protocol Description Language (NetPDL) allowing support of traffic classification from data-link to application-layer protocols. A set of preliminary experimental results obtained with these new extensions is presented as well.

Research of P2P Traffic Identification Based on BP Neural Network

Abstract: Today's P2P application is a big challenge to network traffic workload. In contrast to first generation P2P networks which used well-defined port numbers, current P2P applications have ability to disguise their existence through the use of arbitrary ports. Our goal is to give out a new approach for P2P traffic identification based BP Neural Network, and without relying on keyword matching. This article introduces BP algorithm, analyzes the characters of P2P traffic, gives out the BP network based on connection patterns ofP2P networks. The trained BPNN was applied as a P2P traffic identifier, which can be used to distinguish any kind of P2P applications from non-P2P applications. This feasible solution has many advantages in P2P traffic identification. We believe our approach is the first method for characterizing P2P traffic using network dynamics based on BP network rather than any userpayload.

Controlling Access to Preserve QoS in a Self-Aware Network

Abstract: Multimedia traffic and real-time applications created a need for network quality of service(QoS). This demand led to the development of autonomous networks that use adaptive packet routing in order to provide the best possible QoS. Admission control (AC) is a mechanism which takes those networks a step further in guaranteeing packet delivery even under strict QoS constraints. This paper describes a measurement-based admission control algorithm which decides whether a new connection can be served without affecting the existing users of the network, based on the multiple QoS metrics that the users of a self-aware network have specified. Our algorithm promises QoS throughout the lifetime of all accepted connections in the network. The impact that the new call will have, on the QoS of both the new and the existing users, is estimated by sending probe packets and monitoring the networks by exploiting its self-awareness. The decision of whether to accept a new call is made using a novel algebra of QoS metrics, inspired by Warshall's algorithm, which looks for a path with acceptable QoS values that can accommodate the new flow. In this paper we describe the underlying mathematical principles and present experimental results obtained by evaluating the method in a large laboratory test-bed operating the self-aware cognitive packet network (CPN) protocol.

Network traffic classification with Self Organizing Maps

Abstract: Anomaly detection in network traffic is one of the most challenging topics in the study of computer science and networking. This paper introduces a classification method for analyzing network traffic behavior. In order to distinguish the normal traffic with well-known anomalies such as port scanning and DOS attacks, Self Organizing Maps (SOMs), one of the well- known artificial neural network architecture, is used. The measurement of traffic is performed by using Simple Network Management Protocol (SNMP). In this work, it is proposed a SOM-based classifier to discriminate three types of network traffic as port scanning, heavy-download and the rests. It is worth to mention that impressively satisfactory results have been obtained. The method has also been enhanced to obtain better results by trying to find trajectories on the map with sliding the input vectors in time and developed an alarm mechanism. Here it is possible to detect whether consecutive trajectories are hit by one of the classes or not. The success rate of the system is approximate to certain.

Under-assigning resources to video in triple-play virtual topologies to protect data-class traffic

Abstract: A method for video-on-demand (VoD) admission control at a network edge assigns to a triple-play network virtual topology lesser resources than there exists in a corresponding underlying physical link bandwidth. This prevents video-on-demand (VoD) starvation of data-class traffic. At least one policy enforcement point (PEP) is attached to an edge of the network, providing for autonomous short-term, application-aware controls to be applied to corresponding network ingress traffic, and also providing for long-term controls on corresponding network ingress traffic. The network ingress traffic to the network comes under management when the traffic nears or exceeds network capacity. It is enabled to do so by computations of current network routing topology and bandwidth reservations. Path tables are used to calculate if a PEP may admit more, or must shed, sessions/calls to maintain service for other existing application traffic. The PEP and a session/call admission controller (S/CAC) may be independently located within the topology of the network, and together implement admission controls that differentiate between triple-play video, voice, and data traffic classes.

Performance analysis of the ANGEL system for automated control of game traffic prioritisation

Abstract: The Automated Network Games Enhancement Layer (ANGEL) [6] is a novel architecture for meeting Quality of Service (QoS) requirements of real-time network game traffic across consumer broadband links. ANGEL utilises detection of game traffic in the ISP network via the use of Machine Learning techniques and then uses this information to inform network routers - in particular the home access modem where bandwidth is limited - of these flows such that the traffic may be prioritised. In this paper we present the performance characteristics of the fully built ANGEL system. In particular we show that ANGEL is able to detect game traffic with better than 96% accuracy and effect prioritisation within a second of game flow detection. We also demonstrate the processing performance of key ANGEL components under typical hardware scenarios.

Providing QoS for Multimodal System Traffic Flows in Distributed Haptic Virtual Environments

Abstract: Future internet architectures will be required to support the transmission of data that is multimodal in nature, and this will include the ability to transport reflected force, or haptic information. This paper presents for the first time, an investigation into providing specific network Quality of Service (QoS) for haptic traffic together with voice and video traffic. Because it originates from a different human sense, the QoS required to support haptic traffic is significantly different from that used to support conventional real-time traffic such as voice or video. Each type of network impairment has different (and severe) impacts on the user's haptic experience. While some recent efforts have established the basic range of the network QoS parameters for haptic interaction, to date there has been no specific provision for this traffic over a QoS enabled IP network. The work presented here involves both simulation and practical experimentation whereby haptics, voice and video are transmitted over a best effort IP network and a QoS-enabled IP network. The results show that the network simulation model compares favourably with the physical network, and can be used to generate a scalable haptic network model where multiple connections carrying haptic traffic may be examined. Both approaches show that reducing network delay and jitter by using specific QoS classes for haptic traffic can lead to improvements in users' haptic experiences with distributed applications such as virtual environments.