TY - GEN
T1 - Session level flow classification by packet size distribution and session grouping
AU - Lu, Chun Nan
AU - Lin, Ying-Dar
AU - Huang, Chun-Ying
AU - Lai, Yuan Cheng
PY - 2012/5/14
Y1 - 2012/5/14
N2 - Classifying traffic into specific network applications is essential for application-aware network management and it becomes more challenging because modern applications obscure their network behaviors. While port number-based classifiers work only for some well-known applications and signature-based classifiers are not applicable to encrypted packet payloads, researchers tend to classify network traffic based on behaviors observed in network applications. In this paper, a session level flow classification (SLFC) approach is proposed to classify network flows as a session, which comprises flows in the same conversation. SLFC first classifies flows into the corresponding applications by packet size distribution (PSD) and then groups flows as sessions by port locality. With PSD, each flow is transformed into a set of points in a two-dimensional space and the distances between each flow and the representatives of pre-selected applications are computed. The flow is recognized as the application having a minimum distance. Meanwhile, port locality is used to group flows as sessions because an application often uses consecutive port numbers within a session. If flows of a session are classified into different applications, an arbitration algorithm is invoked to make the correction. The evaluation shows that SLFC achieves high accuracy rates on flow session classifications, say 99.9. When SLFC is applied to online classification, an average of 72 of packets in long-lasting flows can be skipped without reducing the classification accuracy rates.
AB - Classifying traffic into specific network applications is essential for application-aware network management and it becomes more challenging because modern applications obscure their network behaviors. While port number-based classifiers work only for some well-known applications and signature-based classifiers are not applicable to encrypted packet payloads, researchers tend to classify network traffic based on behaviors observed in network applications. In this paper, a session level flow classification (SLFC) approach is proposed to classify network flows as a session, which comprises flows in the same conversation. SLFC first classifies flows into the corresponding applications by packet size distribution (PSD) and then groups flows as sessions by port locality. With PSD, each flow is transformed into a set of points in a two-dimensional space and the distances between each flow and the representatives of pre-selected applications are computed. The flow is recognized as the application having a minimum distance. Meanwhile, port locality is used to group flows as sessions because an application often uses consecutive port numbers within a session. If flows of a session are classified into different applications, an arbitration algorithm is invoked to make the correction. The evaluation shows that SLFC achieves high accuracy rates on flow session classifications, say 99.9. When SLFC is applied to online classification, an average of 72 of packets in long-lasting flows can be skipped without reducing the classification accuracy rates.
KW - flow classification
KW - packet size distribution
KW - session grouping
UR - http://www.scopus.com/inward/record.url?scp=84860704252&partnerID=8YFLogxK
U2 - 10.1109/WAINA.2012.145
DO - 10.1109/WAINA.2012.145
M3 - Conference contribution
AN - SCOPUS:84860704252
SN - 9780769546520
T3 - Proceedings - 26th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2012
SP - 221
EP - 226
BT - Proceedings - 26th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2012
T2 - 26th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2012
Y2 - 26 March 2012 through 29 March 2012
ER -