104 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS


  • Date:29 Apr 2020
  • Pages:14
  • Size:2.12 MB


Transcription:

ZHANG ET AL.: NETWORK TRAFFIC CLASSIFICATION USING CORRELATION INFORMATION. IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 24, NO. 1, JANUARY 2013.

specific purposes. This observation and the need for such traffic classifiers motivate our work.

In this paper, we propose a new framework, Traffic Classification using Correlation (TCC) information, to address the problem of very few training samples. The correlation information in network traffic can be used to effectively improve the classification accuracy. The major contributions of this work are summarized as follows:

  • We propose a novel nonparametric approach which incorporates correlation of traffic flows to improve the classification performance.
  • We provide a detailed analysis on the novel classification approach and its performance benefit from both theoretical and empirical aspects.
  • The performance evaluation shows that the traffic classification using very few training samples can be significantly improved by our approach.

All data related to this work are available at http://anss.org.au/tc.

The remainder of the paper is organized as follows: Section 2 reviews related work in traffic classification. A novel classification approach and the theoretical analysis are proposed in Section 3. Section 4 presents a large number of experiments and results for performance evaluation. Some discussions related to this work are provided in Section 5. Finally, the paper is concluded in Section 6.

2 RELATED WORK

In the last decade, considerable research works were reported on the application of machine learning techniques to traffic classification. These works can be categorized as supervised methods or unsupervised methods.

2.1 Supervised Methods

The supervised traffic classification methods analyze the supervised training data and produce an inferred function which can predict the output class for any testing flow. In supervised traffic classification, sufficient supervised training data is a general assumption. To address the problems suffered by payload-based traffic classification, such as encrypted applications and user data privacy, Moore and Zuev [7] applied the supervised naive Bayes techniques to classify network traffic based on flow statistical features. Williams et al. [11] evaluated the supervised algorithms including naive Bayes with discretization, naive Bayes with kernel density estimation, C4.5 decision tree, Bayesian network, and naive Bayes tree. Nguyen and Armitage [15] proposed to conduct traffic classification based on the recent packets of a flow for real-time purpose. Auld et al. [12] extended the work of [7] with the application of Bayesian neural networks for accurate traffic classification. Erman et al. [16] used unidirectional statistical features for traffic classification in the network core and proposed an algorithm with the capability of estimating the missing features. Bernaille and Teixeira [17] proposed to use only the size of the first packets of an SSL connection to recognize the encrypted applications. Bonfiglio et al. [18] proposed to analyze the message content randomness introduced by the encryption processing using Pearson's chi-Square test-based technique. Crotti et al. [19] proposed the probability density function (PDF)-based protocol fingerprints to express three traffic statistical properties in a compact way. Their work is extended with a parametric optimization procedure [20]. Este et al. [21] applied one-class SVMs to traffic classification and presented a simple optimization algorithm for each set of SVM working parameters. Valenti et al. [22] proposed to classify P2P-TV traffic using the count of packets exchanged with other peers during the small time windows. Pietrzyk et al. [23] evaluated three supervised methods for an ADSL provider managing many points of presence, the results of which are comparable to deep inspection solutions. These works use parametric machine learning algorithms, which require an intensive training procedure for the classifier parameters and need the retraining for new discovered applications.

There are a few works using nonparametric machine learning algorithms. Roughan et al. [13] have tested NN and LDA methods for traffic classification using five categories of statistical features. Kim et al. [3] extensively evaluated ports-based CoralReef method, host behavior-based BLINC method, and seven common statistical feature-based methods using supervised algorithms on seven different traffic traces. The performance of the NN-based traffic classifier is comparable to two outstanding parametric classifiers, SVM and neural nets [3]. Although nonparametric methods have several important advantages which are not shared by parametric methods, their capabilities have been considered undervalued in the area of traffic classification.

Besides, supervised learning has also been applied to payload-based traffic classification. Although traffic classification by searching application signatures in payload content is more accurate, deriving the signatures manually is very time consuming. To address this problem, Haffner et al. [8] proposed to apply the supervised learning algorithms to automatically identify signatures for a range of applications. Finamore et al. [24] proposed application signatures using statistical characterization of payload and applied supervised algorithms, such as SVM, to conduct traffic classification. Similar to the supervised methods based on flow statistical features, these payload-based methods require sufficient supervised training data.

2.2 Unsupervised Methods

The unsupervised methods (or clustering) try to find cluster structure in unlabeled traffic data and assign any testing flow to the application-based class of its nearest cluster. McGregor et al. [25] proposed to group traffic flows into a small number of clusters using the expectation maximization (EM) algorithm and manually label each cluster to an application. Zander et al. [26] used AutoClass to group traffic flows and proposed a metric called intraclass homogeneity for cluster evaluation. Bernaille et al. [9] applied the k-means algorithm to traffic clustering and labeled the clusters to applications using a payload analysis tool. Erman et al. [27] evaluated the k-means, DBSCAN, and AutoClass algorithms for traffic clustering on two empirical data traces. The empirical research showed that traffic clustering can produce high-purity clusters when the number of clusters is set as much larger than the number of real applications. Generally, the clustering techniques can be used to discover traffic from previously unknown applications [28]. Wang et al. [29] proposed to integrate statistical feature-based flow clustering with payload signature matching method, so as to eliminate the requirement of supervised training data. Finamore et al. [30] combined flow statistical feature-based clustering and payload statistical feature-based clustering for mining unidentified traffic. However, the clustering methods suffer from a problem of mapping from a large number of clusters to real applications. This problem is very difficult to solve without knowing any information about real applications.

Erman et al. [10] proposed to use a set of supervised training data in an unsupervised approach to address the problem of mapping from flow clusters to real applications. However, the mapping method will produce a large proportion of unknown clusters, especially when the supervised training data is very small. In this paper, we study the problem of supervised traffic classification using very few training samples. From the supervised learning point of view, several supervised samples are available for each class. Without the process of unsupervised clustering, the mapping between clusters and applications can be avoided. Our work focuses on nonparametric classification methods and addresses the difficult problem of traffic classification using very few training samples. The motivations are twofold. First, as mentioned in Section 1, nonparametric NN method has three important advantages which are suitable for traffic classification in current complex network situation. Second, labeling training data is time consuming and the capability of classification using very few training samples is very useful.

3 A TRAFFIC CLASSIFICATION APPROACH WITH FLOW CORRELATION

This section presents a new framework which we call Traffic Classification using Correlation information, or TCC for short. A novel nonparametric approach is also proposed to effectively incorporate flow correlation information into the classification process.

3.1 System Model

Fig. 1. A new traffic classification system model.

Fig. 2. Impact of training data size.

Fig. 1 shows the proposed system model. In the preprocessing, the system captures IP packets crossing a computer network and constructs traffic flows by IP header inspection. A flow consists of successive IP packets having the same five-tuple {src ip, src port, dst ip, dst port, protocol}. After that, a set of statistical features are extracted to represent each flow. Feature selection aims to select a subset of relevant features for building robust classification models. Flow correlation analysis is proposed to correlate information in the traffic flows. Finally, the robust traffic classification engine classifies traffic flows into application-based classes by taking all information of statistical features and flow correlation into account.

We observe that the accuracy of conventional traffic classification methods is severely affected by the size of training data. Fig. 2 reports the average overall accuracy of three classification algorithms [31] when a small size of training data is available. The experimental conditions are described in detail in Section 4. The classification performance of all algorithms is very poor when only 10 or 20 training samples are available for each class. In our experiments, NN classifier has the best classification performance. However, in the case of 10 training samples, the average overall accuracy of NN classifier is only about 60 percent on two data sets, which is very low.

The novelty of our system model is to discover correlation information in the traffic flows and incorporate it into the classification process. Conventional supervised classification methods treat the traffic flows as the individual and independent instances. They do not take the correlation among traffic flows into account. We argue that the correlation information can significantly improve the classification performance, especially when the size of training data is very small. In the proposed system model, flow correlation analysis is a new component for traffic classification which takes the role of correlation discovery. Robust classification methods can use the correlation information as input.

In this paper, we use bag of flows (BoF) to model correlation information in traffic flows. A BoF consists of some correlated traffic flows which are generated by the same application. A BoF can be described by

$Q = \{x_1, \ldots, x_n\}$ (1)

where $x_i$ is a feature vector representing the $i$th flow in the BoF $Q$. The BoF $Q$ explicitly denotes the correlation among $n$ flows, $\{x_1, \ldots, x_n\}$. The power of modeling correlation information with a bag has been demonstrated in our preliminary work for image ranking [32]. In this paper, the proposed flow correlation analysis will produce and analyze a large number of BoFs (see Section 3.3). A robust classification method should be able to deal with BoFs instead of individual flows. We will comprehensively study traffic classification with the BoF model from both theoretical and empirical perspectives.

3.2 Probabilistic Framework

In this section, we present a probabilistic framework for BoF model-based traffic classification. Given a BoF as the query, $Q = \{x_1, \ldots, x_n\}$, all flows in the BoF $Q$ will be classified into the predicted class for $Q$.

According to the Bayesian decision theory [14], the maximum a posteriori (MAP) classifier aims to minimize the average classification error. For the query Q, the optimal class given by the MAP classifier is arg max P jQ. With the assumption of uniform prior P, we have the Maximum Likelihood (ML) classifier

arg max P jQ arg max p Qj 2

We consider the Naive Bayes assumption in this study: p Qj p x1 xn j x2Q p xj. And the log probability of the ML classifier is

arg max log p Qj 1 X 3 arg max log p xj

Taking practical use into account, we use an NN classifier

arg max log p Qj 1 X 2 9 arg min minkx x0 k kQk x2Q x0 2

Equation 9 shows a new nonparametric approach for BoF model-based traffic classification, which is derived from the Bayesian decision theory.

3.3 Correlation Analysis

We conduct correlation analysis using a three-tuple heuristic, which can quickly discover BoFs in the real traffic data.

Three-tuple heuristic: in a certain period of time, the flows sharing the same three-tuple {dst ip, dst port, protocol} form a BoF.

The correlated flows sharing the same three-tuple are generated by the same application. For example, several flows initiated by different hosts are all connecting to the same host at TCP port 80 in a short period. These flows are very likely generated by the same application, such as a web browser. The three-tuple heuristic about flow correlation has been considered in several practical traffic classification schemes [34], [35], [36]. Ma et al. [34] proposed a payload-based clustering method for protocol inference in which
