TY - GEN
T1 - ACK utilization for traffic classification
AU - Kampeas, Joseph
AU - Cohen, Asaf
AU - Gurewitz, Omer
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2017/1/4
Y1 - 2017/1/4
N2 - Network traffic classification is an essential feature for network users and administrators. It allows detailed information about the various applications traversing the network, thus enabling traffic shaping, accounting, anomaly detection, etc. In this paper, we suggest a novel fingerprinting technique to automatically classify ongoing TCP and UDP flows according to the various applications which created them, thus allowing classification with high accuracy. Specifically, for TCP flows, we suggest a fingerprint based on zero-length packets, which enables efficiently classifying flows based on a single Content-Addressable Memory (CAM) rule and a limited sample set, yet with very high accuracy. Moreover, our fingerprint is robust to network conditions such as congestion, fragmentation, delay, retransmissions, duplications and losses. For UDP flows, we utilize a similar approach based on the UDP length field. The fingerprinting schemes are evaluated on a variety of real traffic traces. Results show that the schemes attain very high accuracy. In particular, our scheme attains about 97% overall accuracy for a large variety of applications, by sampling a small fraction of the traffic. The UDP scheme attains over 98% accuracy, by sampling all the UDP traffic.
AB - Network traffic classification is an essential feature for network users and administrators. It allows detailed information about the various applications traversing the network, thus enabling traffic shaping, accounting, anomaly detection, etc. In this paper, we suggest a novel fingerprinting technique to automatically classify ongoing TCP and UDP flows according to the various applications which created them, thus allowing classification with high accuracy. Specifically, for TCP flows, we suggest a fingerprint based on zero-length packets, which enables efficiently classifying flows based on a single Content-Addressable Memory (CAM) rule and a limited sample set, yet with very high accuracy. Moreover, our fingerprint is robust to network conditions such as congestion, fragmentation, delay, retransmissions, duplications and losses. For UDP flows, we utilize a similar approach based on the UDP length field. The fingerprinting schemes are evaluated on a variety of real traffic traces. Results show that the schemes attain very high accuracy. In particular, our scheme attains about 97% overall accuracy for a large variety of applications, by sampling a small fraction of the traffic. The UDP scheme attains over 98% accuracy, by sampling all the UDP traffic.
UR - http://www.scopus.com/inward/record.url?scp=85014302445&partnerID=8YFLogxK
U2 - 10.1109/ICSEE.2016.7806131
DO - 10.1109/ICSEE.2016.7806131
M3 - Conference contribution
AN - SCOPUS:85014302445
T3 - 2016 IEEE International Conference on the Science of Electrical Engineering, ICSEE 2016
BT - 2016 IEEE International Conference on the Science of Electrical Engineering, ICSEE 2016
PB - Institute of Electrical and Electronics Engineers
T2 - 2016 IEEE International Conference on the Science of Electrical Engineering, ICSEE 2016
Y2 - 16 November 2016 through 18 November 2016
ER -