On-the-fly statistical classification of Internet traffic at application layer based on cluster analysis / Baiocchi, Andrea; Maiolini, G.; Molina, G.; Rizzi, Antonello. - 53:(2009), pp. 178-185. (Paper presented at the International Workshop on Computational Intelligence in Security for Information Systems - CISIS'08, held in Genova, Italy) [10.1007/978-3-540-88181-0_23].

On-the-fly statistical classification of Internet traffic at application layer based on cluster analysis

BAIOCCHI, Andrea;RIZZI, Antonello
2009

Abstract

We address the problem of classifying Internet packet flows according to the application-level protocol that generated them. Unlike deep packet inspection, which reads up to application layer payloads and keeps track of packet sequences, we consider classification based on statistical features extracted in real time from the packet flow, namely IP packet lengths and inter-arrival times. A statistical classification algorithm is proposed, built upon the powerful and rich tools of cluster analysis. By exploiting traffic traces taken at the Networking Lab of our Department and traces from CAIDA, we defined data sets made up of thousands of flows for up to five different application protocols. With the classic approach of training and test data sets, we show that cluster analysis yields very good results in spite of the little information it is based on, a limitation imposed by the real-time decision requirement. We aim to show that the investigated applications are characterized by a "signature" at the network layer that can be useful to recognize such applications even when the port number is not significant. Numerical results are presented to highlight the effect of major algorithm parameters. We discuss complexity and possible exploitation of the statistical classifier. © 2009 Springer-Verlag Berlin Heidelberg.
International Workshop on Computational Intelligence in Security for Information Systems - CISIS'08
classification (of information); telecommunication traffic; traffic identification
04 Publication in conference proceedings::04b Conference paper in volume
Attached file: Baiocchi_Postprint_On-the-fly_2009.pdf (Adobe PDF, 176.64 kB), authorized users only
Type: Post-print document (version following peer review and accepted for publication)
License: All rights reserved

Use this identifier to cite or link to this document: https://hdl.handle.net/11573/368091