Traffic classification through simple statistical fingerprinting

Published: 22 January 2007

Abstract

The classification of IP flows according to the application that generated them is at the basis of any modern network management platform. However, classical techniques such as the ones based on the analysis of transport layer or application layer information are rapidly becoming ineffective. In this paper we present a flow classification mechanism based on three simple properties of the captured IP packets: their size, inter-arrival time and arrival order. Even though these quantities have already been used in the past to define classification techniques, our contribution is based on new structures called protocol fingerprints, which express such quantities in a compact and efficient way, and on a simple classification algorithm based on normalized thresholds. Although at a very early stage of development, the proposed technique is showing promising preliminary results from the classification of a reduced set of protocols.
