Identification of Traffic Flows Hiding behind TCP Port 80

Beyond Quality of Service and billing, one of the most important applications of traffic identification is in the field of network security. Despite their simplicity, current approaches based on port numbers are highly unreliable. This paper proposes an identification approach based on a cascade of decision trees. The approach uses the sign pattern and payload size of the first four packets in each flow, and therefore remains applicable to encrypted traffic. The effectiveness of the proposed approach is evaluated on five real traffic traces collected in different time periods and over four different networks. The obtained overall accuracy gives us grounds to consider adopting this approach either stand-alone in on-line platforms for network traffic identification or in combination with classical firewall architectures.
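The feature described above (direction sign and payload size of the first four packets of a flow) can be extracted as follows. This is an added example, not code from the paper; the packet record layout, the sign convention, the skipping of zero-payload packets and the zero-padding are assumptions, and the decision-tree cascade itself is not shown because the abstract gives no detail on it.

```python
from collections import defaultdict

N_PACKETS = 4  # the page's approach uses the first four packets of each flow

def flow_key(p):
    """Direction-independent key, so both directions map to one flow."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (p["proto"],) + (a + b if a <= b else b + a)

def early_features(packets, n=N_PACKETS):
    """Map each flow to the signed payload sizes of its first n data packets.

    Assumptions of this example: the initiator is the sender of the first
    packet seen; initiator-to-responder sizes are positive, the reverse
    negative; zero-payload packets (SYN, pure ACK) are skipped; flows with
    fewer than n data packets are zero-padded.
    """
    initiator, feats = {}, defaultdict(list)
    for p in sorted(packets, key=lambda q: q["ts"]):
        key = flow_key(p)
        initiator.setdefault(key, (p["src"], p["sport"]))
        if p["payload_len"] == 0 or len(feats[key]) >= n:
            continue
        sign = 1 if (p["src"], p["sport"]) == initiator[key] else -1
        feats[key].append(sign * p["payload_len"])
    return {k: v + [0] * (n - len(v)) for k, v in feats.items()}

def sign_pattern(vec):
    """Collapse a feature vector to its direction pattern, e.g. '+---'."""
    return "".join("+" if x > 0 else "-" if x < 0 else "0" for x in vec)

def mk(ts, src, sport, dst, dport, size):
    return {"ts": ts, "proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "payload_len": size}

C, S = "10.0.0.5", "192.0.2.10"  # constructed addresses
SAMPLE = [  # constructed packets: two flows, both to TCP port 80
    mk(0.00, C, 40001, S, 80, 0), mk(0.01, S, 80, C, 40001, 0),
    mk(0.02, C, 40001, S, 80, 0), mk(0.03, C, 40001, S, 80, 420),
    mk(0.05, S, 80, C, 40001, 1460), mk(0.06, S, 80, C, 40001, 1460),
    mk(0.07, S, 80, C, 40001, 873), mk(0.08, S, 80, C, 40001, 512),
    mk(1.00, C, 40002, S, 80, 72), mk(1.02, S, 80, C, 40002, 68),
    mk(1.03, C, 40002, S, 80, 120),
]

if __name__ == "__main__":
    for key, vec in early_features(SAMPLE).items():
        print(key, vec, sign_pattern(vec))
```

Both constructed flows share destination port 80, yet their four-element vectors differ in sign pattern and size, and neither depends on reading payload bytes.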
