Flow signatures of popular applications

Network flow data is widely used to analyze the protocol mix forwarded by a router and to identify anomalies caused by hardware or software failures, configuration errors, or intrusion attempts. The goal of our research is to find application signatures in network flow traces that pinpoint specific applications, such as particular web browsers, mail clients, or media players. Our starting point is the hypothesis that popular applications generate application-specific flow signatures. To test this hypothesis, we recorded traffic traces of several applications and analyzed them to identify flow signatures of these applications. The flow signatures were formalized as queries in a stream-based flow query language, and the queries were executed on several flow traces to evaluate the approach.
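As an added example, not the authors' query language or code, the Python sketch below shows what a multi-flow application signature looks like when evaluated as a stream query over flow records: an ordered list of per-flow predicates, each with a maximum allowed gap from the previously matched flow, tracked per source host so that interleaved traffic from other hosts does not break a match. The signature (DNS lookup, then a TCP/443 connection, then a UDP flow to port 3478), the addresses and the flow records are constructed for illustration and are not measured results from the paper.

```python
"""Match multi-flow application signatures over a stream of flow records.

A signature is an ordered list of steps; each step is a predicate on one
flow record plus the maximum time (seconds) allowed between the start of
the previously matched flow and this one. Partial matches are kept per
source host, so the matcher works on a time-ordered stream without
buffering the whole trace.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as a NetFlow/IPFIX exporter would emit it."""
    start: float       # seconds since trace start
    end: float
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    bytes: int


@dataclass(frozen=True)
class Step:
    name: str
    match: Callable[[Flow], bool]
    max_gap: float     # seconds allowed since the previous step's flow start


@dataclass
class Signature:
    name: str
    steps: List[Step]


@dataclass
class Partial:
    next_step: int
    last_start: float
    matched: List[Flow] = field(default_factory=list)


def match_signature(flows: List[Flow], sig: Signature) -> List[Tuple[str, List[Flow]]]:
    """Return (src_host, matched_flows) for every complete match of sig.

    Flows are processed in start-time order. A host's partial match advances
    when the next step matches, expires when the allowed gap is exceeded, and
    is left untouched by flows that match neither.
    """
    partials: Dict[str, Partial] = {}
    hits: List[Tuple[str, List[Flow]]] = []
    for f in sorted(flows, key=lambda x: x.start):
        p = partials.get(f.src)
        if p is not None and f.start - p.last_start > sig.steps[p.next_step].max_gap:
            del partials[f.src]          # too late for the next step: match expires
            p = None
        if p is None:
            if sig.steps[0].match(f):
                partials[f.src] = Partial(1, f.start, [f])
        elif sig.steps[p.next_step].match(f):
            p.matched.append(f)
            p.last_start = f.start
            p.next_step += 1
        if f.src in partials and partials[f.src].next_step == len(sig.steps):
            hits.append((f.src, partials.pop(f.src).matched))
    return hits


def udp_to(port: int) -> Callable[[Flow], bool]:
    return lambda f: f.proto == "udp" and f.dport == port


def tcp_to(port: int) -> Callable[[Flow], bool]:
    return lambda f: f.proto == "tcp" and f.dport == port


# Hypothetical signature (illustration only): a DNS lookup, a TLS connection
# starting within 5 s of it, then a UDP flow to the STUN port within 10 s.
HYPOTHETICAL_CLIENT = Signature("hypothetical-client-startup", [
    Step("dns", udp_to(53), max_gap=float("inf")),
    Step("tls", tcp_to(443), max_gap=5.0),
    Step("stun", udp_to(3478), max_gap=10.0),
])

# Constructed sample trace (not captured data).
SAMPLE_FLOWS = [
    Flow(0.0, 0.1, "udp", "10.0.0.5", 53211, "10.0.0.1", 53, 2, 180),
    Flow(0.2, 0.3, "udp", "10.0.0.5", 53212, "10.0.0.1", 53, 2, 182),      # extra DNS, ignored
    Flow(0.4, 3.2, "tcp", "10.0.0.5", 40110, "198.51.100.7", 443, 25, 6400),
    Flow(2.1, 2.2, "udp", "10.0.0.5", 50200, "198.51.100.9", 3478, 4, 320),
    Flow(1.0, 1.1, "udp", "10.0.0.8", 53412, "10.0.0.1", 53, 2, 176),
    Flow(9.0, 12.0, "tcp", "10.0.0.8", 40230, "203.0.113.4", 443, 30, 8000),  # 8 s gap > 5 s: expires
    Flow(0.5, 0.6, "udp", "10.0.0.9", 53555, "10.0.0.1", 53, 2, 170),
    Flow(1.2, 4.0, "tcp", "10.0.0.9", 40300, "198.51.100.7", 443, 20, 5000),  # no STUN: stays partial
]


def run_sample() -> List[str]:
    """Source hosts in the sample trace that complete the hypothetical signature."""
    return [src for src, _ in match_signature(SAMPLE_FLOWS, HYPOTHETICAL_CLIENT)]


if __name__ == "__main__":
    for src, flows in match_signature(SAMPLE_FLOWS, HYPOTHETICAL_CLIENT):
        print(src, [(f.proto, f.dport, f.start) for f in flows])
```

Only 10.0.0.5 completes the signature: 10.0.0.8 exceeds the 5 s gap before its TLS connection and 10.0.0.9 never emits the STUN flow. The per-host state is what makes the query usable on a live stream rather than a stored trace; a production matcher would additionally age out stale partials and key on more than the source address when hosts sit behind NAT.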
