Statistical Protocol IDentification with SPID: Preliminary Results

Identifying application layer protocols within network sessions is important when assigning Quality of Service (QoS) priorities as well as when conducting network security monitoring. This paper introduces a Statistical Protocol IDentification algorithm (SPID) utilizing various statistical flow and application layer data features. We have identified application layer protocols by comparing probability vectors created from observed network traffic to probability vectors of known protocols. Promising preliminary results are presented, showing average precision of 100% and recall of 92% for a small set of protocols within traffic traces from an access network. To further improve the results, a number of ongoing and future directions with SPID are discussed, such as optimization of the attribute meters and improving robustness against different network environments.
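The comparison of probability vectors described above, as an added example that is not code from the paper or the SPID project. It narrows the approach to a single attribute meter (byte-value frequency of the first payload bytes) and uses Kullback-Leibler divergence as the comparison measure. The abstract does not name a measure, so that choice, the smoothing constant, the threshold and all sample payloads are assumptions constructed for illustration.

```python
import math
from collections import Counter

EPS = 1e-3        # assumed smoothing so no bin has zero probability
THRESHOLD = 2.0   # assumed cut-off in bits; above it the session is left unidentified

def byte_frequency_vector(payloads, depth=32):
    """One attribute meter: byte-value distribution over the first `depth` bytes of each payload."""
    counts = Counter()
    for payload in payloads:
        counts.update(payload[:depth])
    total = sum(counts.values())
    if total == 0:
        return None                      # no application data observed yet
    raw = [counts[b] / total + EPS for b in range(256)]
    norm = sum(raw)
    return [x / norm for x in raw]

def kl_divergence(p, q):
    """D(P||Q) in bits; both vectors are smoothed, so every term is defined."""
    return sum(pi * math.log2(pi / qi) for pi, qi in zip(p, q))

def identify(payloads, models, threshold=THRESHOLD):
    """Return (best protocol or None, per-protocol divergences) for one session."""
    observed = byte_frequency_vector(payloads)
    if observed is None:
        return None, {}
    scores = {name: kl_divergence(observed, vec) for name, vec in models.items()}
    best = min(scores, key=scores.get)
    return (best if scores[best] < threshold else None), scores

# Constructed training payloads standing in for labelled traffic of known protocols.
TRAINING = {
    "HTTP": [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
             b"POST /login HTTP/1.1\r\nHost: example.test\r\n",
             b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"],
    "SSH":  [b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
             b"SSH-2.0-OpenSSH_9.6\r\n",
             b"SSH-2.0-libssh_0.10.6\r\n"],
}
MODELS = {name: byte_frequency_vector(p) for name, p in TRAINING.items()}

if __name__ == "__main__":
    sessions = {  # constructed observed sessions
        "web":    [b"GET /about HTTP/1.1\r\nHost: www.example.test\r\n"],
        "shell":  [b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n"],
        "opaque": [bytes(range(128, 160))],
    }
    for label, payloads in sessions.items():
        print(label, identify(payloads, MODELS))
```

Leaving a session unidentified when even the closest model exceeds the threshold favours precision over recall, which is the trade-off the reported figures reflect.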
