Abstract
We present a fundamentally different approach to classifying traffic flows according to the applications that generate them. In contrast to previous methods, our approach is based on observing and identifying patterns of host behavior at the transport layer. We analyze these patterns at three levels of increasing detail: (i) the social, (ii) the functional, and (iii) the application level. This multilevel approach of looking at traffic flow is probably the most important contribution of this paper. Furthermore, our approach has two important features. First, it operates in the dark, having (a) no access to packet payload, (b) no knowledge of port numbers, and (c) no additional information other than what current flow collectors provide. These restrictions respect privacy, technological and practical constraints. Second, it can be tuned to balance the accuracy of the classification versus the number of successfully classified traffic flows. We demonstrate the effectiveness of our approach on three real traces. Our results show that we are able to classify 80%-90% of the traffic with more than 95% accuracy.
BLINC: multilevel traffic classification in the dark
SIGCOMM '05: Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications