A Novel Technique for Automatic Packet Traffic Classification
ROTTONDI, CRISTINA EMMA MARGHERITA; VERTICALE, GIACOMO
2011-01-01
Abstract
This paper proposes and analyzes the performance of a novel technique for the classification of Internet packet traffic. The technique associates the traffic coming from an IP source to the application that generated it by considering only the packet arrival process and without decoding the higher layer protocols. Our approach falls in the research field of Shallow Packet Inspection techniques and, therefore, is well suited to perform classification of obfuscated or encrypted traffic. For each active traffic source, we observe the packet generation process for a fixed time interval and calculate the Index of Variability, which has been recently introduced as a traffic measure capable of well describing the burstiness of packet sources over different time scales. The measured Index of Variability is then used as a classification attribute and fed to a Parzen classifier. The effectiveness of this technique is experimentally evaluated with both synthetic data and real traffic traces. Synthetic traffic traces make it possible to give an estimation of the classification error rate that the algorithm can achieve, under the assumption that the traffic sources behave according to the hyperexponential traffic model. Experiments with real traffic data show that the most common Internet applications are identified with an error rate similar to the more intrusive Deep Packet Inspection.