Internet Traffic Classification Demystified: The Myths, Caveats and Best Practices
In Proc. ACM CoNEXT, 2008
Cited by 85 (4 self)
Recent research on Internet traffic classification algorithms has yielded a flurry of proposed approaches for distinguishing types of traffic, but no systematic comparison of the various algorithms. This fragmented approach to traffic classification research leaves the operational community with no basis for consensus on what approach to use when, and how to interpret results. In this work we critically revisit traffic classification by conducting a thorough evaluation of three classification approaches, based on transport layer ports, host behavior, and flow features. A strength of our work is the broad range of data against which we test the three classification approaches: seven traces with payload collected in Japan, Korea, and the US. The diverse geographic locations, link characteristics and application traffic mix in these data allowed us to evaluate the approaches under a wide variety of conditions. We analyze the advantages and limitations of each approach, evaluate methods to overcome the limitations, and extract insights and recommendations for both the study and practical application of traffic classification. We make our software, classifiers, and data available for researchers interested in validating or extending this work.
Graph-based P2P Traffic Classification at the Internet Backbone
Cited by 29 (5 self)
Monitoring network traffic and classifying applications are essential functions for network administrators. In this paper, we consider the use of Traffic Dispersion Graphs (TDGs) to classify network traffic. Given a set of flows, a TDG is a graph with an edge between any two IP addresses that communicate; thus TDGs capture network-wide interactions. Using TDGs, we develop an application classification framework dubbed Graption (Graph-based classification). Our framework provides a systematic way to harness the power of network-wide behavior, flow-level characteristics, and data mining techniques. As a proof of concept, we instantiate our framework to detect P2P applications, and show that it can identify P2P traffic with recall and precision greater than 90% in backbone traces, which are particularly challenging for other methods.
Issues and Future Directions in Traffic Classification
Cited by 20 (1 self)
Traffic classification technology has increased in relevance this decade, as it is now used in the definition and implementation of mechanisms for service differentiation, network design and engineering, security, accounting, advertising, and research. Over the past 10 years the research community and the networking industry have investigated, proposed and developed several classification approaches. While traffic classification techniques are improving in accuracy and efficiency, the continued proliferation of different Internet application behaviors, in addition to growing incentives to disguise some applications to avoid filtering or blocking, are among the reasons that traffic classification remains one of many open problems in Internet research. In this article we review recent achievements and discuss future directions in traffic classification, along with their trade-offs in applicability, reliability, and privacy. We outline the persistently unsolved challenges in the field over the last decade, and suggest several strategies for tackling these challenges to promote progress in the science of Internet traffic classification.
KISS: Stochastic Packet Inspection Classifier for UDP Traffic
Cited by 17 (4 self)
This paper proposes KISS, a novel Internet classification engine. Motivated by the expected rise of UDP traffic, which stems from the momentum of P2P streaming applications, we propose a novel classification framework which leverages on statistical characterization of payload. Statistical signatures are derived by the means of a Chi-Square like test, which extracts the protocol “format”, but ignores the protocol “semantic” and “synchronization” rules. The signatures feed a decision process based either on the geometric distance among samples, or on Support Vector Machines. KISS is very accurate, and its signatures are intrinsically robust to packet sampling, reordering, and flow asymmetry, so that it can be used on almost any network. KISS is tested in different scenarios, considering traditional client-server protocols, VoIP and both traditional and new P2P Internet applications. Results are astonishing. The average True Positive percentage is 99.6%, with the worst case equal 98.1%, while results are almost perfect when dealing with new P2P streaming applications.
Protocol Misidentification Made Easy with Format-Transforming Encryption
Cited by 10 (2 self)
Deep packet inspection (DPI) technologies provide much-needed visibility and control of network traffic using port-independent protocol identification, where a network flow is labeled with its application-layer protocol based on packet contents. In this paper, we provide the first comprehensive evaluation of a large set of DPI systems from the point of view of protocol misidentification attacks, in which adversaries on the network attempt to force the DPI to mislabel connections. Our approach uses a new cryptographic primitive called format-transforming encryption (FTE), which, intuitively, extends conventional symmetric encryption with the ability to transform the ciphertext into a format of our choosing. We design an FTE-based record layer that can encrypt arbitrary application-layer traffic, and we experimentally show that this forces misidentification for all of the evaluated DPI systems. This set includes a proprietary, enterprise-class DPI system used by large corporations and nation-states. We also show that using FTE as a proxy system incurs no latency overhead and only 16% more bandwidth than standard SSH tunnels. Finally, we integrate our FTE proxy into Tor and demonstrate that it evades real-world censorship by the Great Firewall of China.
Analysis of UDP traffic usage on internet backbone links
In SAINT'09, Ninth Annual International Symposium on Applications and the Internet, 2009
Cited by 9 (1 self)
It is still an accepted assumption that Internet traffic is dominated by TCP [1], [2]. However, the rise of new streaming applications [3] such as IPTV (PPStream, PPLive) and new P2P protocols (e.g. uTP [4]) that try to avoid traffic
State of the art in traffic classification: A research review
PAM Student Workshop, 2009
Cited by 8 (2 self)
The Internet, while emerging as the key component for all sorts of communication, is far from being well understood. The goal of traffic classification is to understand the type of traffic carried on the Internet, which continually
SIDD: A framework for detecting sensitive data exfiltration by an insider attack
In Proc. 42nd Hawaii International Conference on System Sciences (HICSS '09), 2009
Cited by 8 (0 self)
Detecting and mitigating insider threat is a critical element in the overall information protection strategy. By successfully implementing tactics to detect this threat, organizations mitigate the loss of sensitive information and also potentially protect against future attacks. Within the broader scope of mitigating insider threat, we focus on detecting exfiltration of sensitive data through a protected network. We propose a multilevel framework called SIDD (Sensitive Information Dissemination Detection) system which is a high-speed transparent network bridge located at the edge of the protected network. SIDD consists of three main components: 1) network-level application identification, 2) content signature generation and detection, and 3) covert communication detection. Further, we introduce a model implementation of the key components, demonstrating how our system can be deployed. Our approach is based on the application of statistical and signal processing techniques on traffic flow to generate signatures and/or extract features for classification purposes. The proposed framework aims to address methods to detect, deter and prevent deliberate and unintended distribution of sensitive content outside the organization using the organization’s system and network resources by a trusted insider.
NetworkProfiler: Towards Automatic Fingerprinting of Android Apps
Cited by 7 (1 self)
Network operators need to have a clear visibility into the applications running in their network. This is critical for both security and network management. Recent years have seen an exponential growth in the number of smart phone apps which has complicated this task. Traditional methods of traffic classification are no longer sufficient as the majority of this smart phone app traffic is carried over HTTP/HTTPS. Keeping up with the new applications that come up every day is very challenging and time-consuming. We present a novel technique for automatically generating network profiles for identifying Android apps in the HTTP traffic. A network profile consists of fingerprints, i.e., unique characteristics of network behavior, that can be used to identify an app. To profile an Android app, we run the app automatically in an emulator and collect the network traces. We have developed a novel UI fuzzing technique for running the app such that different execution paths are exercised, which is necessary to build a comprehensive network profile. We have also developed a light-weight technique, for extracting fingerprints, that is based on identifying invariants in the generated traces. We used our technique to generate network profiles for thousands of apps. Using our network profiles we were able to detect the presence of these apps in real-world network traffic logs from a cellular provider.