Early application identification

Laurent Bernaille 1 Renata Teixeira 1 Kavé Salamatian 1
1 NPA - Networks and Performance Analysis
LIP6 - Laboratoire d'Informatique de Paris 6
Abstract : The automatic detection of applications associated with net-work traffic is an essential step for network security and traffic engineering. Unfortunately, simple port-based clas-sification methods are not always efficient and systematic analysis of packet payloads is too slow. Most recent re-search proposals use flow statistics to classify traffic flows once they are finished, which limit their applicability for on-line classification. In this paper, we evaluate the feasibility of application identification at the beginning of a TCP con-nection. Based on an analysis of packet traces collected on eight different networks, we find that it is possible to distin-guish the behavior of an application from the observation of the size and the direction of the first few packets of the TCP connection. We apply three techniques to cluster TCP connections: K-Means, Gaussian Mixture Model and spec-tral clustering. Resulting clusters are used together with assignment and labeling heuristics to design classifiers. We evaluate these classifiers on different packet traces. Our re-sults show that the first four packets of a TCP connection are sufficient to classify known applications with an accu-racy over 90% and to identify new applications as unknown with a probability of 60%.
Type de document :
Communication dans un congrès
CoNEXT 2006 - 2nd Conference on Emerging Network Experiment and Technology, Dec 2006, Lisbon, Portugal. 2006, 〈10.1145/1368436.1368445〉
Liste complète des métadonnées

Littérature citée [19 références]  Voir  Masquer  Télécharger

Contributeur : Renata Teixeira <>
Soumis le : vendredi 19 décembre 2014 - 18:51:14
Dernière modification le : lundi 26 novembre 2018 - 01:17:59
Document(s) archivé(s) le : lundi 23 mars 2015 - 18:40:57


Fichiers produits par l'(les) auteur(s)




Laurent Bernaille, Renata Teixeira, Kavé Salamatian. Early application identification. CoNEXT 2006 - 2nd Conference on Emerging Network Experiment and Technology, Dec 2006, Lisbon, Portugal. 2006, 〈10.1145/1368436.1368445〉. 〈hal-01097554〉



Consultations de la notice


Téléchargements de fichiers