TCP Traffic Classification Using Markov Models

This paper presents a novel traffic classification approach which classifies TCP connections with help of observable Markov models. As traffic properties, payload length, direction, and position of the first packets of a TCP connection are considered. We evaluate the accuracy of the classification approach with help of packet traces captured in a real network, achieving higher accuracies than the cluster-based classification approach of Bernaille [1]. As another advantage, the complexity of the proposed Markov classifier is low for both training and classification. Furthermore, the classification approach provides a certain level of robustness against changed usage of applications.

[1]  Georg Carle,et al.  TCP-Verkehrsklassifizierung mit Markov-Modellen , 2010, Prax. Inf.verarb. Kommun..

[2]  Juan E. Tapiador,et al.  Stochastic protocol modeling for anomaly based network intrusion detection , 2003, First IEEE International Workshop on Information Assurance, 2003. IWIAS 2003. Proceedings..

[3]  Lawrence R. Rabiner,et al.  A tutorial on hidden Markov models and selected applications in speech recognition , 1989, Proc. IEEE.

[4]  Charles V. Wright,et al.  HMM Profiles for Network Traffic Classification (Extended Abstract) , 2004 .

[5]  Antonio Pescapè,et al.  Classification of Network Traffic via Packet-Level Hidden Markov Models , 2008, IEEE GLOBECOM 2008 - 2008 IEEE Global Telecommunications Conference.

[6]  Grenville J. Armitage,et al.  A survey of techniques for internet traffic classification using machine learning , 2008, IEEE Communications Surveys & Tutorials.

[7]  Renata Teixeira,et al.  Early application identification , 2006, CoNEXT '06.

[8]  Charles V. Wright,et al.  HMM profiles for network traffic classification , 2004, VizSEC/DMSEC '04.