Can multiscale traffic analysis be used to differentiate Internet applications?

An accurate mapping of Internet traffic to applications can be important for a broad range of network management and measurement tasks, including traffic engineering, service differentiation, performance/failure monitoring and security. Traditional mapping approaches have become increasingly inaccurate because many applications use non-default or ephemeral port numbers, use well-known port numbers associated with other applications, change application signatures or use traffic encryption. In this paper we demonstrate that multiscale traffic analysis based on the multi-order wavelet spectrum can be used as a discriminator of Internet application traffic profiles. By performing clustering analysis over the multiscale wavelet spectrum coefficients that are inferred from the measured traffic, the proposed methodology is able to efficiently differentiate IP applications without using any payload information. This characteristic will allow the differentiation of traffic flows in both unencrypted and encrypted scenarios. To compare the differentiating potential of different application traffic data, upload, download, and joint upload and download flow statistics are used to evaluate the identification approach for each selected protocol. Moreover, we also evaluate which timescales and spectrum orders are more relevant for traffic differentiation. From the analysis of the obtained results we conclude that the proposed methodology is able to achieve good identification results using a small set of timescales of a single-order wavelet spectrum of a general raw traffic statistic.
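The idea in the abstract, as an added sketch that is not the paper's code: compute a q-th order wavelet spectrum of a packets-per-interval series at several timescales, then cluster flows on those coefficients alone, with no payload inspected. The Haar wavelet, the two constructed traffic profiles and the two-cluster k-means are assumptions chosen for illustration.

```python
import math
import random

def wavelet_spectrum(series, levels, q=2):
    """q-th order Haar wavelet spectrum: log2 of mean |detail|^q per timescale."""
    approx, spectrum = list(series), []
    for _ in range(levels):
        pairs = list(zip(approx[0::2], approx[1::2]))
        detail = [(a - b) / math.sqrt(2) for a, b in pairs]
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
        moment = sum(abs(d) ** q for d in detail) / len(detail)
        spectrum.append(math.log2(moment + 1e-12))  # epsilon guards log2(0)
    return spectrum

def steady_flow(rng, n=512):
    # Constructed sample: near-constant packets per interval (a paced stream).
    return [50 + rng.randint(-5, 5) for _ in range(n)]

def bursty_flow(rng, n=512):
    # Constructed sample: on/off bursts with random durations.
    out, on = [], True
    while len(out) < n:
        for _ in range(rng.randint(8, 24)):
            out.append(100 + rng.randint(-5, 5) if on else rng.randint(0, 2))
        on = not on
    return out[:n]

def kmeans2(points, iters=20):
    """Two-cluster k-means seeded with the first point and the one farthest from it."""
    def dist(p, c):
        return sum((a - b) ** 2 for a, b in zip(p, c))
    cents = [points[0], max(points, key=lambda p: dist(p, points[0]))]
    for _ in range(iters):
        labels = [min((0, 1), key=lambda k: dist(p, cents[k])) for p in points]
        for k in (0, 1):
            members = [p for p, l in zip(points, labels) if l == k]
            if members:
                cents[k] = [sum(col) / len(members) for col in zip(*members)]
    return labels

def cluster_demo(seed=1, per_class=4, levels=5):
    rng = random.Random(seed)
    flows = [steady_flow(rng) for _ in range(per_class)]
    flows += [bursty_flow(rng) for _ in range(per_class)]
    return kmeans2([wavelet_spectrum(f, levels) for f in flows])

if __name__ == "__main__":
    print(cluster_demo())  # one cluster label per flow, steady flows first
```

The steady profile has a roughly flat spectrum across scales, while the on/off profile concentrates energy at coarse timescales; that difference in shape is what the clustering separates.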
