METHODS FOR EFFICIENT CLASSIFICATION OF NETWORK TRAFFIC

Accurate classification of traffic flows is an essential step for network administrators: it is how they detect intrusions and other malicious activity, identify forbidden applications, and spot new applications that may affect the future provisioning of network resources. This work considers four major topics connected with traffic classification. First, a novel validation method is proposed for characterizing the accuracy and completeness of traffic classification algorithms. Its main advantages are that it is based on realistic traffic mixtures and that it enables highly automated and reliable validation of traffic classifiers. The validation method is used to create reference traces, against which the classification performance of existing traffic classification methods is measured. Using this information, a combined traffic classification method that unites the advantages of the different approaches is introduced, in order to provide a high level of classification completeness and accuracy. The second part of the work focuses on gaming traffic. Gaming traffic depends on two main factors, the game protocol and the gamers' behavior. Based on an understanding of the impact of the latter, user behavior detection algorithms are introduced that extract specific events and states from passive traffic measurements. The algorithms rely on the characteristics of the traffic rate, showing what information can be gathered by observing packet header information alone. In the third part, a novel model and algorithm are introduced that extend Deep Packet Inspection (DPI) traffic classification with the analysis of non-fixed byte signatures, which current methods do not consider. Finally, the performance of traffic classification methods in terms of speed is addressed.
To support high-speed traffic classification, the majority of the tasks are reformulated as parallel algorithms and offloaded to the Graphics Processing Unit (GPU), freeing the CPU for other processing-intensive tasks, e.g., traffic capture. Performance tests of the proposed methods showed that traffic classification is possible at up to approximately 6 Gbps on a commodity PC.
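The following is an added illustration, not code from the dissertation, of the kind of combined classifier and header-only rate analysis the abstract describes: DPI signatures written as regexes over bytes so that individual bytes (a sequence number) or the pattern's position can be left non-fixed, a port hint as the second stage, a rate-based guess as the last resort, and a simple burst/lull detector that uses only packet timestamps. Every signature, port hint, threshold and sample flow below is a constructed assumption; none of them are real protocol bytes or the author's actual algorithms.

```python
# Added example (not the dissertation's code). All signatures, thresholds,
# port hints and sample flows are constructed assumptions for illustration.
import re
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # capture timestamp in seconds (header-only information)
    src_port: int
    dst_port: int
    proto: str       # "tcp" or "udp"
    payload: bytes   # application payload; empty for pure ACKs etc.


class Signature:
    """DPI signature as a regex over bytes. '.' stands for one arbitrary byte
    (a non-fixed byte such as a sequence number); offset=None means the
    pattern may occur at any position in the payload (non-fixed position)."""

    def __init__(self, app, proto, pattern, offset=None):
        self.app, self.proto, self.offset = app, proto, offset
        self._re = re.compile(pattern, re.DOTALL)

    def matches(self, pkt):
        if pkt.proto != self.proto:
            return False
        if self.offset is None:
            return self._re.search(pkt.payload) is not None
        return self._re.match(pkt.payload, self.offset) is not None


SIGNATURES = [  # constructed toy signatures, not any real protocol's bytes
    Signature("http", "tcp", rb"(GET|POST|HEAD) [^\r\n]+ HTTP/1\.[01]\r\n", offset=0),
    Signature("toygame", "udp", rb"GM..\x01", offset=0),  # 'GM', 2 variable bytes, type 0x01
    Signature("toychat", "tcp", rb"<msg v=.>"),            # tag at a non-fixed position
]
PORT_HINTS = {("tcp", 80): "http", ("tcp", 443): "https", ("udp", 53): "dns"}


def rate_features(pkts):
    """Packets per second and mean payload length, from headers only."""
    if len(pkts) < 2:
        return 0.0, 0.0
    dur = pkts[-1].ts - pkts[0].ts
    pps = (len(pkts) - 1) / dur if dur > 0 else float("inf")
    return pps, sum(len(p.payload) for p in pkts) / len(pkts)


def classify_flow(pkts, max_dpi_packets=5):
    """DPI first, then a port hint, then a rate-based guess; returns (app, how)."""
    for p in [q for q in pkts if q.payload][:max_dpi_packets]:
        for sig in SIGNATURES:
            if sig.matches(p):
                return sig.app, "dpi"
    for port in (pkts[0].dst_port, pkts[0].src_port):
        app = PORT_HINTS.get((pkts[0].proto, port))
        if app:
            return app, "port"
    pps, mean_len = rate_features(pkts)
    if pkts[0].proto == "udp" and pps >= 10 and mean_len <= 200:  # assumed thresholds
        return "realtime-unknown", "rate"
    return "unknown", "none"


def rate_events(pkts, window=1.0, ratio=2.0):
    """Flag windows whose packet count rises or falls by `ratio` versus the
    previous window; returns [(window_start_ts, "burst" | "lull"), ...]."""
    if not pkts:
        return []
    t0, counts = pkts[0].ts, {}
    for p in pkts:
        w = int((p.ts - t0) // window)
        counts[w] = counts.get(w, 0) + 1
    events, prev = [], None
    for w in range(max(counts) + 1):
        c = counts.get(w, 0)
        if prev is not None:
            if c > prev and c >= ratio * max(prev, 1):
                events.append((t0 + w * window, "burst"))
            elif c < prev and c * ratio <= prev:
                events.append((t0 + w * window, "lull"))
        prev = c
    return events


def sample_flows():
    """Constructed flows (assumption: not captured traffic)."""
    return {
        "http": [Packet(0.00, 40001, 8080, "tcp", b""),  # HTTP on a non-standard port
                 Packet(0.01, 40001, 8080, "tcp", b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n")],
        "game": [Packet(i * 0.03, 27015, 27016, "udp", b"GM" + i.to_bytes(2, "big") + b"\x01" + bytes(30))
                 for i in range(20)],
        "chat": [Packet(0.0, 40002, 5555, "tcp", b"\x00\x10junk<msg v=2>hello")],
        "tls":  [Packet(0.0, 40003, 443, "tcp", b"\x16\x03\x01\x00\x05hello")],
        "rt":   [Packet(i * 0.02, 40004, 40000, "udp", bytes(40)) for i in range(20)],
        "idle": [Packet(0.0, 40005, 12345, "tcp", b""), Packet(1.0, 40005, 12345, "tcp", b"")],
    }


def classify_all():
    return {name: classify_flow(f) for name, f in sample_flows().items()}


def game_session_events():
    """Constructed session: quiet (2 pkt), then a burst (20 pkt), then a lull (3 pkt)."""
    ts = [0.0, 0.5] + [1.0 + i * 0.05 for i in range(20)] + [2.2, 2.5, 2.8]
    return rate_events([Packet(t, 1, 2, "udp", bytes(40)) for t in ts])


if __name__ == "__main__":
    print(classify_all())
    print(game_session_events())
```

The ordering matters: DPI runs first because a port hint alone would label the HTTP-on-8080 flow "unknown" and the TLS-on-443 flow is only classifiable by port once the payload is opaque, while the UDP flow with no recognizable header still gets a coarse "realtime" label from its rate and packet size. The regex-over-bytes signature is one simple way to express non-fixed bytes; it is not the model the dissertation proposes.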