A real-time traffic classification approach

Real-time traffic classification is a fundamental task for many network management decisions: by identifying in a timely manner the applications that generate traffic on a specific network link, network managers can optimize the utilization of their networks, and better Quality-of-Service (QoS) can be offered to connected clients while preventing the saturation of many network resources. In addition, the timely identification of malicious traffic, or of traffic presenting anomalous patterns, can also be achieved, assuring the protection of the connected hosts and network resources. However, achieving this ability is not an easy task. The inherent complexity of current Internet applications and services, together with the existence of several privacy and legal restrictions, prevents the analysis of packet contents, thus preventing accurate and timely traffic classification. In this paper, we address this issue by analyzing captured Internet traffic over several classification windows, until an accurate identification decision is achieved. The use of metrics such as the packet Inter-Arrival Time and the packet length allows us to reduce the width of the classification windows, thereby achieving real-time identification. A multi-scale decomposition is then performed to evaluate the existing frequency components, and a frequency spectrum profile is obtained. This profile allows the traffic to be associated with the corresponding application using several probabilistic approaches. The obtained results show that the proposed approach can accurately and in a timely manner identify the traffic generated by the most important Internet applications, as well as identify traffic presenting illicit patterns.
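The pipeline the abstract outlines (per-window metric series, multi-scale decomposition, spectrum profile, probabilistic association, repeated over windows until the decision is confident) can be illustrated as follows. This is an added example, not the paper's code: the Haar decomposition, the independent per-scale Gaussian model, the class labels, the window size and the thresholds are all assumptions, and the packet-length series are constructed.

```python
import math
from statistics import mean, pstdev

SIGMA_FLOOR = 0.05  # assumed floor so a tiny training set never yields zero variance

def haar_profile(window, levels=3):
    """Share of Haar detail energy per scale (finest first); needs len >= 2**levels."""
    approx, energies = list(window), []
    for _ in range(levels):
        pairs = list(zip(approx[0::2], approx[1::2]))
        energies.append(sum((a - b) ** 2 / 2 for a, b in pairs))
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
    total = sum(energies) or 1.0  # a constant window has no detail energy
    return [e / total for e in energies]

def fit(training):
    """Per-application (mean, std) of the spectrum profile at each scale."""
    model = {}
    for app, windows in training.items():
        cols = zip(*(haar_profile(w) for w in windows))
        model[app] = [(mean(c), max(pstdev(c), SIGMA_FLOOR)) for c in cols]
    return model

def log_likelihood(profile, params):
    """Log-likelihood under independent Gaussians (constant term dropped)."""
    return sum(-0.5 * ((x - m) / s) ** 2 - math.log(s)
               for x, (m, s) in zip(profile, params))

def classify(flow, model, window=8, margin=5.0):
    """Add evidence one window at a time; decide once a class leads by `margin`."""
    score = dict.fromkeys(model, 0.0)
    used = 0
    for start in range(0, len(flow) - window + 1, window):
        used += 1
        profile = haar_profile(flow[start:start + window])
        for app in model:
            score[app] += log_likelihood(profile, model[app])
        ranked = sorted(score, key=score.get, reverse=True)
        if score[ranked[0]] - score[ranked[1]] >= margin:
            return ranked[0], used
    return None, used  # no confident decision within the captured windows

# Constructed packet-length windows (bytes); the labels are hypothetical classes.
TRAINING = {
    "interactive": [[60, 1500] * 4, [80, 1400, 60, 1500, 100, 1460, 60, 1500]],
    "bulk": [[60] * 4 + [1500] * 4, [1500, 1500, 1460, 1500, 60, 80, 60, 60]],
}
MODEL = fit(TRAINING)
ALTERNATING = [60, 1500] * 4                        # energy at the finest scale
MIXED = [900, 500, 900, 500, 500, 100, 500, 100]    # energy split across scales
```

A window whose energy is split evenly between the finest and coarsest scales leaves the two classes almost tied, so `classify` defers the decision to the next window instead of guessing.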
