Review: Application classification using packet size distribution and port association

Authors:
Ying-Dar Lin;Chun-Nan Lu;Yuan-Cheng Lai;Wei-Hao Peng;Po-Ching Lin
Affiliations:
Department of Computer Science, National Chiao Tung University, HsinChu, Taiwan;Department of Computer Science, National Chiao Tung University, HsinChu, Taiwan;Department of Information Management, National Taiwan University of Science and Technology, Taipei, Taiwan;Department of Computer Science, National Chiao Tung University, HsinChu, Taiwan;Department of Computer Science, National Chiao Tung University, HsinChu, Taiwan
Venue:
Journal of Network and Computer Applications
Year:
2009

Citing 17
Cited 5

Empirically derived analytic models of wide-area TCP connections

IEEE/ACM Transactions on Networking (TON)
Wide area traffic: the failure of Poisson modeling

IEEE/ACM Transactions on Networking (TON)
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Identifying patterns in internet traffic

ICCC '02 Proceedings of the 15th international conference on Computer communication
Transport layer identification of P2P traffic

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Class-of-service mapping for QoS: a statistical signature-based approach to IP traffic classification

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
The CoralReef Software Suite as a Tool for System and Network Administrators

LISA '01 Proceedings of the 15th USENIX conference on System administration
Internet traffic classification using bayesian analysis techniques

SIGMETRICS '05 Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
BLINC: multilevel traffic classification in the dark

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Automated Traffic Classification and Application Identification using Machine Learning

LCN '05 Proceedings of the The IEEE Conference on Local Computer Networks 30th Anniversary
Traffic classification on the fly

ACM SIGCOMM Computer Communication Review
Traffic classification through simple statistical fingerprinting

ACM SIGCOMM Computer Communication Review
Traffic modeling and classification using packet train length and packet train size

IPOM'06 Proceedings of the 6th IEEE international conference on IP Operations and Management
Toward the accurate identification of network applications

PAM'05 Proceedings of the 6th international conference on Passive and Active Network Measurement
A survey of techniques for internet traffic classification using machine learning

IEEE Communications Surveys & Tutorials
Packet-level traffic measurements from the Sprint IP backbone

IEEE Network: The Magazine of Global Internetworking

Unsupervised host behavior classification from connection patterns

International Journal of Network Management
Session level flow classification by packet size distribution and session grouping

Computer Networks: The International Journal of Computer and Telecommunications Networking
A structural approach for modelling the hierarchical dynamic process of Web workload in a large-scale campus network

Journal of Network and Computer Applications
Detection and classification of peer-to-peer traffic: A survey

ACM Computing Surveys (CSUR)
From an IP address to a street address: using wireless signals to locate a target

WOOT'13 Proceedings of the 7th USENIX conference on Offensive Technologies

Quantified Score

Hi-index	0.00

Visualization

Abstract

Traffic classification is an essential part in common network management applications such as intrusion detection and network monitoring. Identifying traffic by looking at port numbers is only suitable to well-known applications, while signature-based classification is not applicable to encrypted messages. Our preliminary observation shows that each application has distinct packet size distribution (PSD) of the connections. Therefore, it is feasible to classify traffic by analyzing the variances of packet sizes of the connections without analyzing packet payload. In this work, each connection is first transformed into a point in a multi-dimensional space according to its PSD. Then it is compared with the representative points of pre-defined applications and recognized as the application having a minimum distance. Once a connection is identified as a specific application, port association is used to accelerate the classification by combining it with the other connections of the same session because applications usually use consecutive ports during a session. Using the proposed techniques, packet size distribution and port association, a high accuracy rate, 96% on average, and low false positive and false negative rates, 4-5%, are achieved. Our proposed method not only works well for encrypted traffic but also can be easily incorporated with a signature-based method to provide better accuracy.