Reviewing traffic classification

Published on Jan 1, 2013 in TMA (Traffic Monitoring and Analysis) · DOI: 10.1007/978-3-642-36784-7_6
Silvio Valenti (ENST: Télécom ParisTech), Estimated H-index: 12
Dario Rossi (ENST: Télécom ParisTech), Estimated H-index: 31
+ 3 Authors
Marco Mellia (Polytechnic University of Turin), Estimated H-index: 37

Traffic classification has received increasing attention in recent years. It aims at offering the ability to automatically recognize the application that has generated a given stream of packets from the direct and passive observation of the individual packets, or stream of packets, flowing in the network. This ability is instrumental to a number of activities that are of extreme interest to carriers, Internet service providers and network administrators in general. Indeed, traffic classification is the basic block that is required to enable any traffic management operations, from differentiating traffic pricing and treatment (e.g., policing, shaping, etc.), to security operations (e.g., firewalling, filtering, anomaly detection, etc.). Up to a few years ago, almost any Internet application was using well-known transport layer protocol ports that easily allowed its identification. More recently, the number of applications using random or non-standard ports has dramatically increased (e.g. Skype, BitTorrent, VPNs, etc.). Moreover, network applications are often configured to use well-known protocol ports assigned to other applications (e.g. TCP port 80 originally reserved for Web traffic) attempting to disguise their presence. For these reasons, and for the importance of correctly classifying traffic flows, novel approaches based respectively on packet inspection, statistical and machine learning techniques, and behavioral methods have been investigated and are becoming standard practice. In this chapter, we discuss the main trends in the field of traffic classification and we describe some of the main proposals of the research community. We complete this chapter by developing two examples of behavioral classifiers: both use supervised machine learning algorithms for classification, but each is based on different features to describe the traffic. After presenting them, we compare their performance using a large dataset, showing the benefits and drawbacks of each approach.

References (64)
#1 Andrew W. Moore, H-Index: 26
#2 Denis Zuev, H-Index: 3
Last. Michael Crogan, H-Index: 1
Any assessment of classification techniques requires data. This document describes sets of data intended to aid in the assessment of classification work. A number of data sets are described; each data set consists of a number of objects, and each object is described by a group of features (also referred to as discriminators). Leveraged by a quantity of hand-classified data, each object within each data set represents a single flow of TCP packets between client and server. The features for each obje...
263 Citations
Nov 14, 2012 in IMC (Internet Measurement Conference)
#2 Dario Rossi (ENST: Télécom ParisTech), H-Index: 31
Last. Javier Aracil, H-Index: 14
In this paper we present a software-based traffic classification engine running on commodity multi-core hardware, able to process in real-time aggregates of up to 14.2 Mpps over a single 10 Gbps interface -- i.e., the maximum possible packet rate over a 10 Gbps Ethernet link given the minimum frame size of 64 Bytes. This significant advance with respect to the current state of the art in terms of achieved classification rates is made possible by: (i) the use of an improved network driver, Packe...
31 Citations
Oct 16, 2012 in CCS (Computer and Communications Security)
#1 Muhammad Asim Jamshed (KAIST), H-Index: 6
#2 Jihyung Lee (KAIST), H-Index: 2
Last. KyoungSoo Park (KAIST), H-Index: 20
As high-speed networks are becoming commonplace, it is increasingly challenging to prevent the attack attempts at the edge of the Internet. While many high-performance intrusion detection systems (IDSes) employ dedicated network processors or special memory to meet the demanding performance requirements, it often increases the cost and limits functional flexibility. In contrast, existing software-based IDS stacks fail to achieve a high throughput despite modern hardware innovations such as multi...
96 Citations
Feb 25, 2012 in PPoPP (ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming)
#1 Yuan Zu (USTC: University of Science and Technology of China), H-Index: 2
#2 Ming Yang (USTC: University of Science and Technology of China), H-Index: 1
Last. Qunfeng Dong (USTC: University of Science and Technology of China), H-Index: 3
Regular expression pattern matching is the foundation and core engine of many network functions, such as network intrusion detection, worm detection, traffic analysis, web applications and so on. DFA-based solutions suffer exponentially exploding state space and cannot be remedied without sacrificing matching speed. Given this scalability problem of DFA-based methods, there has been increasing interest in NFA-based methods for memory efficient regular expression matching. To achieve high matchin...
48 Citations
#1 Alberto Dainotti, H-Index: 23
#2 Antonio Pescape, H-Index: 33
Last. kc claffy (UCSD: University of California, San Diego), H-Index: 44
294 Citations
#1 Alberto Dainotti, H-Index: 23
#2 Antonio Pescape, H-Index: 33
Last. Hyun-Chul Kim (SNU: Seoul National University), H-Index: 21
Interest in traffic classification, in both industry and academia, has dramatically grown in the past few years. Research is devoting great efforts to statistical approaches using robust features. In this paper we propose a classification approach based on the joint distribution of Packet Size (PS) and Inter-Packet Time (IPT) and on machine-learning algorithms. Provided results, obtained using different real traffic traces, demonstrate how the proposed approach is able to achieve high (byte) ac...
13 Citations
Oct 17, 2011 in CCS (Computer and Communications Security)
#1 Giorgos Vasiliadis (FORTH: Foundation for Research & Technology – Hellas), H-Index: 11
#2 Michalis Polychronakis (Columbia University), H-Index: 28
Last. Sotiris Ioannidis (FORTH: Foundation for Research & Technology – Hellas), H-Index: 30
Network intrusion detection systems are faced with the challenge of identifying diverse attacks, in extremely high speed networks. For this reason, they must operate at multi-Gigabit speeds, while performing highly-complex per-packet and per-flow data processing. In this paper, we present a multi-parallel intrusion detection architecture tailored for high speed networks. To cope with the increased processing throughput requirements, our system parallelizes network traffic processing and analysis...
94 Citations
#1 Alberto Dainotti, H-Index: 23
#2 Antonio Pescape, H-Index: 33
Last. Antonio Quintavalle, H-Index: 1
The assignment of an IP flow to a class, according to the application that generated it, is at the basis of any modern network management platform. In several network scenarios, however, it is quite unrealistic to assume that all the classes an IP flow can belong to are a priori known. In these cases, in fact, some network protocols may be known, but novel protocols can appear so giving rise to unknown classes. In this paper, we propose to face the problem of classifying IP flows by means of a m...
5 Citations
#1 Alberto Dainotti, H-Index: 23
#2 Antonio Pescape, H-Index: 33
Last. Carlo Sansone, H-Index: 30
In this work we present and evaluate different automated combination techniques for traffic classification. We consider six intelligent combination algorithms applied to both traditional and more recent traffic classification techniques using either packet content or statistical properties of flows. Preliminary results show that, when selecting complementary classifiers, some combination algorithms allow a further improvement - in terms of classification accuracy - over already well-performing st...
65 Citations
#1 Paola Bermolen (ENST: Télécom ParisTech), H-Index: 6
#2 Marco Mellia (Polytechnic University of Turin), H-Index: 37
Last. Silvio Valenti (ENST: Télécom ParisTech), H-Index: 12
Peer-to-Peer streaming (P2P-TV) applications offer the capability to watch real time video over the Internet at low cost. Some applications have started to become popular, raising the concern of Network Operators that fear the large amount of traffic they might generate. Unfortunately, most of P2P-TV applications are based on proprietary and unknown protocols, and this makes the detection of such traffic challenging per se. In this paper, we propose a novel methodology to accurately cla...
41 Citations

Cited By (46)
#1 Amit Dvir, H-Index: 9
#2 Yehonatan Zion, H-Index: 2
Last. Ran Dubin, H-Index: 5
Desktops and laptops can be maliciously exploited to violate privacy. In this paper, we consider the daily battle between the passive attacker who is targeting a specific user against a user that may be an adversarial opponent. In this scenario, while the attacker tries to choose the best vector attack by surreptitiously monitoring the victim's encrypted network traffic in order to identify user parameters such as the Operating System (OS), browser and apps. The user may use tools such as a Virtual...
#1 Faiz Zaki (Information Technology University), H-Index: 1
#2 Abdullah Gani (Information Technology University), H-Index: 46
Last. Nor Badrul Anuar (Information Technology University), H-Index: 33
Network traffic classification is a fundamental process in network management and security. It allows network administrators to classify traffic based on various levels of classification granularity such as the source type or application. Existing literature focuses on analyzing the entire network traffic classification process with emphasis on the classification techniques. However, besides classification techniques, the literature lacks coverage on classification granularity, which deserves pr...
#1 Feras N. Al-Obeidat (ZU: Zayed University), H-Index: 7
#2 El-Sayed M. El-Alfy (UPM: King Fahd University of Petroleum and Minerals), H-Index: 12
Traffic classification in computer networks has very significant roles in network operation, management, and security. Examples include controlling the flow of information, allocating resources effectively, provisioning quality of service, detecting intrusions, and blocking malicious and unauthorized access. This problem has attracted a growing attention over years and a number of techniques have been proposed ranging from traditional port-based and payload inspection of TCP/IP packets to superv...
4 Citations
#1 Hassan Habibi Gharakheili (UNSW: University of New South Wales), H-Index: 13
#2 Minzhao Lyu (UNSW: University of New South Wales), H-Index: 3
Last. Vijay Sivaraman (UNSW: University of New South Wales), H-Index: 29
Video continues to dominate network traffic, yet operators today have poor visibility into the number, duration, and resolutions of the video streams traversing their domain. Current monitoring approaches are inaccurate, expensive, or unscalable, as they rely on statistical sampling, middle-box hardware, or packet inspection software. We present iTelescope, the first intelligent, inexpensive, and scalable softwarized network middle-box solution for identifying and classifying video flows in rea...
2 Citations
#1 Hussein Oudah (Plymouth University), H-Index: 1
#2 Bogdan Ghita (Plymouth University), H-Index: 7
Last. David J. Walker (Plymouth University), H-Index: 6
Network traffic classification is a vital task for service operators, network engineers, and security specialists to manage network traffic, design networks, and detect threats. Identifying the type/name of applications that generate traffic is a challenging task as encrypting traffic becomes the norm for Internet communication. Therefore, relying on conventional techniques such as deep packet inspection (DPI) or port numbers is not efficient anymore. This paper proposes a novel flow statistical...
1 Citations
#1 Alessandro D'Alconzo (Siemens), H-Index: 1
Last. Pedro Casas (Austrian Institute of Technology), H-Index: 21
Network Traffic Monitoring and Analysis (NTMA) represents a key component for network management, especially to guarantee the correct operation of large-scale networks such as the Internet. As the complexity of Internet services and the volume of traffic continue to increase, it becomes difficult to design scalable NTMA applications. Applications such as traffic classification and policing require real-time and scalable approaches. Anomaly detection and security mechanisms require to quickly ide...
7 Citations
Mar 27, 2019 in AINA (Advanced Information Networking and Applications)
#1 Adrian Pekar (Victoria University of Wellington), H-Index: 2
#2 Mona B. H. Ruan (Victoria University of Wellington)
Last. Winston K. G. Seah (Victoria University of Wellington), H-Index: 29
Knowledge of the traffic that is being carried within a network is critical for ensuring the network’s smooth operation, and network traffic measurement has provided an effective means to achieve this. However, network traffic volume has substantially increased over the last decades. Combine that with the traffic heterogeneity from a diverse range of new, connected devices, we have reached a point where the response to any outage or anomalous event is simply beyond human ability. Network informa...
Dec 13, 2018 in SoCPaR (Soft Computing and Pattern Recognition)
#1 Heini Ahde (UTU: University of Turku)
#2 Sampsa Rauti (UTU: University of Turku), H-Index: 8
Last. Ville Leppänen (UTU: University of Turku), H-Index: 12
In today’s diverse cyber threat landscape, anomaly-based intrusion detection systems that learn the normal behavior of a system and have the ability to detect previously unknown attacks are needed. However, the data gathered by the intrusion detection system is useless if we do not form reasonable data points for machine learning methods to work, based on the collected data sets. In this paper, we present a survey on data points used in previous research in the context of anomaly-based IDS resea...
Dec 1, 2018 in GLOBECOM (Global Communications Conference)
#1 Hossein Doroud (Charles III University of Madrid), H-Index: 3
#2 Giuseppe Aceto (Information Technology University), H-Index: 13
Last. Antonio Pescape (University of Naples Federico II), H-Index: 33
The importance of network traffic classification has grown over the last two decades in line with the increasing diversity of networked applications. Nowadays traditional approaches to traffic classification, relying on port numbers and on Deep Packet Inspection (DPI), are not very effective in real scenarios respectively due to the usage of random or non-standard port numbers and to the wide usage of end-to-end encryption. Despite their limitations, port-based and DPI approaches are still wi...
3 Citations