Application classification using packet size distribution and port association

Ying-Dar Lin, Chun Nan Lu*, Yuan Cheng Lai, Wei Hao Peng, Po Ching Lin

*Corresponding author for this work

Research output: Contribution to journalReview articlepeer-review

65 Scopus citations


Traffic classification is an essential part in common network management applications such as intrusion detection and network monitoring. Identifying traffic by looking at port numbers is only suitable to well-known applications, while signature-based classification is not applicable to encrypted messages. Our preliminary observation shows that each application has distinct packet size distribution (PSD) of the connections. Therefore, it is feasible to classify traffic by analyzing the variances of packet sizes of the connections without analyzing packet payload. In this work, each connection is first transformed into a point in a multi-dimensional space according to its PSD. Then it is compared with the representative points of pre-defined applications and recognized as the application having a minimum distance. Once a connection is identified as a specific application, port association is used to accelerate the classification by combining it with the other connections of the same session because applications usually use consecutive ports during a session. Using the proposed techniques, packet size distribution and port association, a high accuracy rate, 96% on average, and low false positive and false negative rates, 4-5%, are achieved. Our proposed method not only works well for encrypted traffic but also can be easily incorporated with a signature-based method to provide better accuracy.

Original languageEnglish
Pages (from-to)1023-1030
Number of pages8
JournalJournal of Network and Computer Applications
Issue number5
StatePublished - 1 Sep 2009


  • Packet size distribution
  • Ports association
  • Traffic classification
  • Transport layer behaviors


Dive into the research topics of 'Application classification using packet size distribution and port association'. Together they form a unique fingerprint.

Cite this