Justin Ma
Stefan Savage
ABSTRACT
Network managers are inevitably called upon to associate network traffic with particular applications. Indeed, this operation is critical for a wide range of management functions ranging from debugging and security to analytics and policy support. Traditionally, managers have relied on application adherence to a well established global port mapping: Web traffic on port 80, mail traffic on port 25 and so on. However, a range of factors - including firewall port blocking, tunneling, dynamic port allocation, and a bloom of new distributed applications - has weakened the value of this approach. We analyze three alternative mechanisms using statistical and structural content models for automatically identifying traffic that uses the same application-layer protocol, relying solely on flow content. In this manner, known applications may be identified regardless of port number, while traffic from one unknown application will be identified as distinct from another. We evaluate each mechanism's classification performance using real-world traffic traces from multiple sites.
- Ethereal: A network protocol analyzer. http://www.ethereal.com.Google Scholar
- S. Baset and H. Schulzrinne. An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol. Technical report, Columbia University, New York, NY, 2004.Google Scholar
- L. Bernaille, R. Teixeira, I. Akodkenou, A. Soule, and K. Salamatian. Traffic classification on the fly. ACM SIGCOMM Computer Communication Review, 36(2):23--26, April 2006. Google ScholarDigital Library
- K. Claffy, G. Miller, and K. Thompson. The nature of the best: Recent measurements from an Internet backbone. In Proc. of INET '98, jul, 1998.Google Scholar
- T. M. Cover and J. A. Thomas. Elements of Information Theory. John Wiley & Sons, 1991. Google ScholarDigital Library
- C. Dewes, A. Wichmann, and A. Feldmann. An Analysis of Internet Chat Systems. In Proc. of the Second Internet Measurement Workshop (IMW), Nov 2002. Google ScholarDigital Library
- C. Fraleigh, S. Moon, B. Lyles, C. Cotton, M. Khan, D. Moll, R. Rockell, T. Seely, and C. Diot. Packet-level Traffic Measurements from the Sprint IP Backbone. IEEE Network, 17(6):6--16, 2003. Google ScholarDigital Library
- P. Haffner, S. Sen, O. Spatscheck, and D. Wang. ACAS: Automated construction of application signatures. In Proceedings of the 2005 Workshop on Mining Network Data, pages 197--202, 2005. Google ScholarDigital Library
- IANA. TCP and UDP port numbers. http://www.iana.org/assignments/port-numbers.Google Scholar
- T. Karagiannis, A. Broido, N. Brownlee, K. Claffy, and M. Faloutsos. Is P2P dying or just hiding? In IEEE Globecom 2004 - Global Internet and Next Generation Networks, Dallas/Texas, USA, Nov, 2004. IEEE.Google Scholar
- T. Karagiannis, A. Broido, M. Faloutsos, and K. Claffy. Transport Layer Identification of P2P Traffic. In Proc. of the Second Internet Measurement Workshop (IMW), Nov 2002. Google ScholarDigital Library
- T. Karagiannis, D. Papagiannaki, and M. Faloutsos. BLINC: Multilevel traffic classification in the dark. In Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pages 229--240, 2005. Google ScholarDigital Library
- P. Maymounkov and D. Mazières. Kademlia: A peer-to-peer information system based on the xor metric. In Proceedings of the First International Workshop on Peer-to-Peer Systems (IPTPS), 2002. Google ScholarDigital Library
- A. Moore and D. Papagiannaki. Toward the Accurate Identification of Network Applications. In Proc. of the Passive and Active Measurement Workshop, mar 2005. Google ScholarDigital Library
- A. W. Moore and D. Zuev. Internet traffic classification using bayesian analysis techniques. In Proceedings of the 2005 Conference on Measurement and Modeling of Computer Systems, pages 50--60, 2005. Google ScholarDigital Library
- T. Oliver, B. Schmidt, and D. Maskell. Hyper customized processors for bio-sequence database scanning on fpgas. In FPGA '05: Proc. of the 2005 ACMSIGDA 13th international symposium on Field-programmable gate arrays, pages 229--237, New York, NY, USA, 2005. ACM Press. Google ScholarDigital Library
- V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks (Amsterdam, Netherlands: 1999), 31(23-24):2435--2463, 1998. Google ScholarDigital Library
- D. Plonka. FlowScan: A Network Traffic Flow Reporting and Visualization Tool. In Proc. of USENIX LISA, jul, 2000. Google ScholarDigital Library
- A. Sanfeliu and K. Fu. A Distance Measure Between Attributed Relational Graphs for Pattern Recognition. IEEE Transactions on Systems, Man and Cybernetics, SMC-13(3):353--362, 1981.Google Scholar
- S. Sen, O. Spatscheck, and D. Want. Accurate, Scalable In-network Identification of P2P Traffic Using Application Signatures. In Proc. of the 13th International World Wide Web Conference, may 2004. Google ScholarDigital Library
- T. F. Smith and M. S. Waterman. Identification of Common Molecular Subsequences. Journal of Molecular Biology, 147, 1981. http://gel.ym.edu.tw/~chc/AB_papers03/.pdf.Google Scholar
- G. Voss, A. Schröder, W. Müller-Wittig, and B. Schmidt. Using Graphics Hardware to Accelerate Biological Sequence Analysis. In Proc. of IEEE Tencon, Melbourne, Australia, 2005.Google Scholar
- S. Zander, T. Nguyen, and G. Armitage. Self-learning IP Traffic Classification based on Statistical Flow Characteristics. In Proc. of the 6th Passive and Active Network Measurement Workshop, March 2005. Google ScholarDigital Library
Index Terms
- Unexpected means of protocol inference
Recommendations
POSTER: Mining Elephant Applications in Unknown Traffic by Service Clustering
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications SecurityNetwork traffic classification is of great importance for fine-grained network management and network security. However, with the rapid development of new network applications in recent years, traffic that cannot be identified by classifiers accounts ...
Class-of-service mapping for QoS: a statistical signature-based approach to IP traffic classification
IMC '04: Proceedings of the 4th ACM SIGCOMM conference on Internet measurementThe ability to provide different Quality of Service (QoS) guarantees to traffic from different applications is a highly desired feature for many IP network operators, particularly for enterprise networks. Although various mechanisms exist for providing ...
Robust network traffic identification with unknown applications
ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications securityTraffic classification is a fundamental component in advanced network management and security. Recent research has achieved certain success in the application of machine learning techniques into flow statistical feature based approach. However, most of ...
Comments