Hierarchical TCP network traffic classification with adaptive optimisation

With the increasing deployment of modern packet-switching networks, traffic classification plays an important role in network administration. Identifying what kinds of traffic are being transmitted across a network can improve network management in various ways, such as traffic shaping, differential services and enhanced security. By applying different policies to different kinds of traffic, Quality of Service (QoS) can be achieved at a granularity as fine as flow level. Since illegal traffic can be identified and filtered, advanced traffic classification can also enhance network security.

There are various traditional techniques for traffic classification. However, some of them cannot handle traffic generated by applications using non-registered or forged ports, some cannot deal with encrypted traffic, and some require too many computational resources. A technique more recently proposed by other researchers, which uses statistical methods, offers an alternative approach. It requires fewer resources, does not rely on ports and can deal with encrypted traffic. Nevertheless, the performance of classification using statistical methods can be further improved.

In this thesis, we aim to optimise network traffic classification based on the statistical approach. Because of the popularity of the TCP protocol, and the difficulties that TCP traffic controls introduce for classification, our work focuses on classifying network traffic carried over TCP. An architecture is proposed for improving classification performance in terms of accuracy and response time. Experiments have been carried out and the results evaluated to prove the improved performance of the proposed optimised classifier.

In our work, network packets are reassembled into TCP flows. Then the statistical characteristics of the flows are extracted. Finally, the classes of the input flows are determined by comparing them with profiled samples. Instead of using a single algorithm to classify all traffic flows, our proposed system employs a series of binary classifiers, which use optimised algorithms to detect different traffic classes separately. A decision-making mechanism deals with controversial results from the binary classifiers. Machine learning algorithms including k-nearest neighbour, decision trees and artificial neural networks have been taken into consideration, together with a non-parametric statistical algorithm, the Kolmogorov-Smirnov test. Besides the algorithms, some parameters are also optimised locally, such as detection windows and acceptance thresholds. This hierarchical architecture gives the traffic classifier more flexibility, higher accuracy and a shorter response time.
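As an added illustration of the architecture described above (not code from the thesis): per-class binary detectors each compare the first packets of a flow with a profiled sample using the two-sample Kolmogorov-Smirnov statistic, each with its own detection window and acceptance threshold. The choice of packet sizes as the feature, the sample profiles, the parameter values and the conflict rule (smallest statistic relative to its threshold wins) are assumptions made for this example.

```python
from bisect import bisect_right

def ks_statistic(a, b):
    """Two-sample Kolmogorov-Smirnov statistic: largest gap between empirical CDFs."""
    a, b = sorted(a), sorted(b)
    return max(abs(bisect_right(a, x) / len(a) - bisect_right(b, x) / len(b))
               for x in a + b)

class BinaryDetector:
    """One detector per traffic class, with locally chosen parameters."""
    def __init__(self, label, profile, window, threshold):
        self.label = label
        self.profile = profile      # profiled packet sizes for this class
        self.window = window        # detection window: first N packets of a flow
        self.threshold = threshold  # acceptance threshold on the KS statistic

    def score(self, flow_sizes):
        if len(flow_sizes) < self.window:
            return None             # too few packets seen to decide
        return ks_statistic(flow_sizes[:self.window], self.profile)

def classify(flow_sizes, detectors):
    """Run every binary detector, then resolve conflicting acceptances.

    Assumed decision rule: the accepting detector whose statistic is
    smallest relative to its own threshold wins.
    """
    accepted = []
    for d in detectors:
        s = d.score(flow_sizes)
        if s is not None and s <= d.threshold:
            accepted.append((s / d.threshold, d.label))
    return min(accepted)[1] if accepted else "unknown"

# Constructed sample profiles (payload sizes in bytes), not data from the thesis.
BULK = [1460] * 18 + [1200, 640]
INTERACTIVE = [48, 52, 64, 48, 80, 96, 48, 64, 52, 112, 48, 64]
DETECTORS = [
    BinaryDetector("bulk-transfer", BULK, window=8, threshold=0.35),
    BinaryDetector("interactive", INTERACTIVE, window=6, threshold=0.40),
]

if __name__ == "__main__":
    for flow in ([1460] * 7 + [900], [48, 64, 52, 48, 96, 64], [500, 500, 500]):
        print(flow, "->", classify(flow, DETECTORS))
```

Because each detector carries its own window, a short flow can be judged by a small-window detector while a large-window detector is still waiting for packets, which is where the response-time trade-off shows up.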
