Accurate, scalable in-network identification of p2p traffic using application signatures

Sen, Subhabrata; Spatscheck, Oliver; Wang, Dongmei

doi:10.1145/988672.988742

Cited by 673 publications

(382 citation statements)

References 12 publications

Supporting

Mentioning

370

Contrasting

Unclassified

Order By: Relevance

“…As a result, port-based classification on their network was useless; at least 30-70% of all traffic would be misclassified because most P2P applications nowadays use dynamic port numbering. Studies done by Sen et al [21] and Moore et al [22] also demonstrated that port-based classification is ineffective. Sen et al examined various P2P protocols and found that three popular P2P protocols (KaZaA, Gnutella and DirectConnect) use anywhere between 35-70% of non-standard ports which could not be classified by IANA's mapping.…”

Section: Port-based Classificationmentioning

confidence: 99%

“…In [21], Sen et al looked to find signatures for five popular P2P applications (Gnutella, eDonkey, DirectConnect, KaZaA and BitTorrent). Each P2P application has its own specific protocol it uses to communicate and Sen et al looked to find a signature on this protocol in the payload of a single TCP packet (most of their signatures were found in the HTTP request header).…”

Section: Deep-packet Inspectionmentioning

confidence: 99%

See 1 more Smart Citation

Controlling False Alarm/Discovery Rates in Online Internet Traffic Flow Classification

2009

View full text Add to dashboard Cite

Classifying Internet traffic flows online into applications or broader classes without inspecting the packet payloads or without relying on port numbers has become a necessity for network operators. The operators can use this information to monitor their networks and provide per-class quality of service. There has been a great deal of research done on Internet traffic classification recently and numerous techniques have been proposed. While the current techniques can obtain a high accuracy classifying Internet traffic, providing performance guarantees for particular classes of interest has never been addressed. In this thesis, we provide two novel types of online Internet traffic classifiers that can provide performance guarantees on the false alarm and false discovery rates, respectively. These guarantees can be for an entire class (class-wise) or between two classes (pair-wise). Controlling false alarm rates is well-suited for application prioritization (i.e. prioritizing time-sensitive applications like VoIP over HTTP) whereas controlling false discovery rates is better suited for blocking or rate-limiting a targeted class of traffic (i.e. Peer-to-Peer). The classifier that provides false alarm rate guarantees is based on a Neyman-Pearson classification framework while the classifier that provides false discovery rate guarantees is based on the Learning to Satisfy (LSAT) framework. Both of these classifiers are implemented using a machine learning technique, namely, the 2-nu Support Vector Machine (SVM). Moreover, all previous work done with these two statistical methodologies focused on binary classification only; we extend these statistical methodologies to a multi-class setting. In addition to the regular application classification problem, we also present preliminary work on a binary LSAT classifier that can detect, after the reception of only a handful of packets, whether a flow will be large, as defined by a network operator. This large flow detector can act as a preprocessor for regular application classifiers. By allowing only large flows to pass to the classifier, this allows the classifier to focus on the more resource-intensive flows. We validated our Internet traffic classifiers by testing our approaches using data provided by an ISP.ii Abrégé Identifier l'application (ou autre classe plus générale) qui génère un flux de trafic Internet, sans compter sur le numéro du port ou inspecter la charge des paquets, est devenu une nécessité pour les opérateurs de réseau. Les opérateurs peuvent utiliser cette information pour surveiller leurs réseaux et fournir une qualité de service propreà chaque classe. Il y a eu beaucoup de travaux de recherche portant sur la classification du trafic Internet effectué récemment et de nombreuses techniques ontété proposées. Bien que les techniques actuelles puissent obtenir une grande précision pour classer le trafic Internet, offrir des garanties de performance pour des catégories particulières est un problème encore inexploré.Dans ce mémoire, nous proposons deu...

show abstract

Section: Port-based Classificationmentioning

confidence: 99%

Section: Deep-packet Inspectionmentioning

confidence: 99%

Controlling False Alarm/Discovery Rates in Online Internet Traffic Flow Classification

2009

View full text Add to dashboard Cite

show abstract

“…기존의 제안된 포트 기반 분류 방법 [6,7] , 페이로드 시그니쳐 분류 방법 [8,9,10] , 머신러닝 분 류 방법 [11,12] 법론을 제안한다. 본 논문에서 구축한 멀티레벨 트래 픽 분석 시스템은 헤더 시그니쳐 [13] , 통계 시그니쳐 [14] , 페이로드 시그니쳐 [9] , 행동양식 기반 알고리즘 [15] 의 따라서, IANA [6] 에 정의된 포트 정보 기반의 분류 방법을 통해 신뢰성과 정확성이 높은 트래픽 분류 결과를 도출할 수 있었다.…”

unclassified

“…본 논문에서 구축한 멀티레벨 트래 픽 분석 시스템은 헤더 시그니쳐 [13] , 통계 시그니쳐 [14] , 페이로드 시그니쳐 [9] , 행동양식 기반 알고리즘 [15] 의 따라서, IANA [6] 에 정의된 포트 정보 기반의 분류 방법을 통해 신뢰성과 정확성이 높은 트래픽 분류 결과를 도출할 수 있었다. 하지만, 현재 인터넷 트래 픽의 상당수를 차지하고 있는 P2P 프로그램을 비롯 한 많은 응용 프로그램들은 동적 포트 할당과 같은 기술들로 포트 기반 분류 방법론은 더 이상 정확하 지 않다 [10] .…”

unclassified

“…페이로드 시그니쳐 기반 트래픽 분류 방법론 [8][9][10] 은 패킷의 페이로드 내에서 응용마다 가지는 특정한 [13] , 응용 트래픽의 발생 형태를 사용하여 트래픽을 분석 하는 행동 기반 방법론 [15] , 트래픽 상이의 연관성을 사용한 상관 관계 기반 방법론 [17,18] 등 다양한 분석 방법론이 제안되고 있다. …”

unclassified

See 1 more Smart Citation

Performance Improvement of a Real-time Traffic Identification System on a Multi-core CPU Environment

Yoon¹,

Park²,

Kim³

2012

The Journal of Korea Information and Communications Society

View full text Add to dashboard Cite

The application traffic analysis is getting more and more challenging due to the huge amount of traffic from high-speed network link and variety of applications running on wired and wireless Internet devices. Multi-level combination of various analysis methods is desired to achieve high completeness and accuracy of analysis results for a real-time analysis system, while requires much of processing burden on the contrary. This paper proposes a novel architecture for a real-time traffic analysis system which improves the processing performance on multi-core CPU environment. The main contribution of the proposed architecture is an efficient parallel processing mechanism with multiple threads of various analysis methods. The feasibility of the proposed architecture was proved by implementing and deploying it on our campus network.

show abstract

An automatic application signature construction system for unknown traffic

Wang

Xiang

Shu

2010

Concurrency and Computation

View full text Add to dashboard Cite

SUMMARYIdentifying applications and classifying network traffic flows according to their source applications are critical for a broad range of network activities. Such a decision can be based on packet header fields, packet payload content, statistical characteristics of traffic and communication patterns of network hosts. However, most present techniques rely on some sort of a priori knowledge, which means they require labor-intensive preprocessing before running and cannot deal with previously unknown applications. In this paper, we propose a traffic classification system based on application signatures, with a novel approach to fully automate the process of deriving signatures from unidentified traffic. The key idea is to integrate statistics-based flow clustering with payload-based signature matching method, so as to eliminate the requirement of pre-labeled training data sets. We evaluate the efficiency of our approach using real-world traffic trace, and the results indicate that signature classifiers built from clustered data and pre-labeled data are able to achieve similar high accuracy better than 99%.

show abstract

Accurate, scalable in-network identification of p2p traffic using application signatures

Cited by 673 publications

References 12 publications

Controlling False Alarm/Discovery Rates in Online Internet Traffic Flow Classification

Controlling False Alarm/Discovery Rates in Online Internet Traffic Flow Classification

Performance Improvement of a Real-time Traffic Identification System on a Multi-core CPU Environment

An automatic application signature construction system for unknown traffic

Contact Info

Product

Resources

About