TY - JOUR
T1 - Application classification using packet size distribution and port association
AU - Lin, Ying-Dar
AU - Lu, Chun Nan
AU - Lai, Yuan Cheng
AU - Peng, Wei Hao
AU - Lin, Po Ching
PY - 2009/9/1
Y1 - 2009/9/1
N2 - Traffic classification is an essential part of common network management applications such as intrusion detection and network monitoring. Identifying traffic by looking at port numbers is only suitable for well-known applications, while signature-based classification is not applicable to encrypted messages. Our preliminary observation shows that each application has a distinct packet size distribution (PSD) of its connections. Therefore, it is feasible to classify traffic by analyzing the variances of the packet sizes of the connections without analyzing packet payload. In this work, each connection is first transformed into a point in a multi-dimensional space according to its PSD. Then it is compared with the representative points of pre-defined applications and recognized as the application having the minimum distance. Once a connection is identified as a specific application, port association is used to accelerate the classification by combining it with the other connections of the same session, because applications usually use consecutive ports during a session. Using the proposed techniques, packet size distribution and port association, a high accuracy rate, 96% on average, and low false positive and false negative rates, 4-5%, are achieved. Our proposed method not only works well for encrypted traffic but also can be easily incorporated with a signature-based method to provide better accuracy.
AB - Traffic classification is an essential part of common network management applications such as intrusion detection and network monitoring. Identifying traffic by looking at port numbers is only suitable for well-known applications, while signature-based classification is not applicable to encrypted messages. Our preliminary observation shows that each application has a distinct packet size distribution (PSD) of its connections. Therefore, it is feasible to classify traffic by analyzing the variances of the packet sizes of the connections without analyzing packet payload. In this work, each connection is first transformed into a point in a multi-dimensional space according to its PSD. Then it is compared with the representative points of pre-defined applications and recognized as the application having the minimum distance. Once a connection is identified as a specific application, port association is used to accelerate the classification by combining it with the other connections of the same session, because applications usually use consecutive ports during a session. Using the proposed techniques, packet size distribution and port association, a high accuracy rate, 96% on average, and low false positive and false negative rates, 4-5%, are achieved. Our proposed method not only works well for encrypted traffic but also can be easily incorporated with a signature-based method to provide better accuracy.
KW - Packet size distribution
KW - Ports association
KW - Traffic classification
KW - Transport layer behaviors
UR - http://www.scopus.com/inward/record.url?scp=67649458219&partnerID=8YFLogxK
U2 - 10.1016/j.jnca.2009.03.001
DO - 10.1016/j.jnca.2009.03.001
M3 - Review article
AN - SCOPUS:67649458219
SN - 1084-8045
VL - 32
SP - 1023
EP - 1030
JO - Journal of Network and Computer Applications
JF - Journal of Network and Computer Applications
IS - 5
ER -