Using per-Host Measurements for Fast Internet Traffic Classification

LUCERNA, DIEGO; ROTTONDI, CRISTINA EMMA MARGHERITA; VERTICALE, GIACOMO
2010

Abstract

Accurate classification of Internet traffic is of fundamental importance for network management applications such as security monitoring, accounting, and Quality-of-Service (QoS) provisioning, and for providing operators with useful information for network planning. Classical port-based or payload-based classification techniques are becoming less effective because of the increasing presence of protocol obfuscation and payload encryption in today’s Internet traffic. Therefore, there is growing interest in classification algorithms that look only at the IP and transport packet headers, along with other information that is difficult to obfuscate, such as packet lengths and interarrival times. Several recent papers have identified machine learning as a viable approach for designing a classifier capable of dealing with the wide variety of protocols and implementations. In the real-time scenario, a traffic flow has to be classified by looking only at the first packets of the flow. In this context, measuring the activity of Internet hosts can provide useful information about the applications that are generating the traffic coming from a given host. In particular, we assume that the sequence of TCP connection requests (or, for UDP traffic, the sequence of new flows) generated by a given host using a given transport protocol towards a given transport port can be modeled as a random process with a power spectral density decaying according to a power law. Computing the power law exponent for a given host/port pair requires some computational effort, but the result is available at the beginning of each flow, with no additional delay. In this paper, we show that using such information makes it possible to achieve good classification accuracy by looking at very few packets, therefore yielding a very quick response.
Files in this record:
2010_gtti.pdf: Post-Print (DRAFT or Author’s Accepted Manuscript, AAM), Adobe PDF, 169.79 kB, restricted access

Use this identifier to cite or link to this document: http://hdl.handle.net/11311/580649