TY - JOUR
T1 - Traffic Classification Based on Zero-Length Packets
AU - Kampeas, Joseph
AU - Cohen, Asaf
AU - Gurewitz, Omer
N1 - Funding Information:
Manuscript received December 7, 2017; revised March 17, 2018; accepted April 1, 2018. Date of publication April 11, 2018; date of current version September 7, 2018. Part of this study appeared in IEEE International Conference on the Science of Electrical Engineering, 2016. This work was partly supported by the European Union Horizon 2020 Research and Innovation Programme SUPERFLUIDITY, Grant 671566. The associate editor coordinating the review of this paper and approving it for publication was F. De Turck. (Corresponding author: Joseph Kampeas.) The authors are with the Department of Communication Systems Engineering, Ben-Gurion University of the Negev, Beer-Sheva 84105, Israel (e-mail: kampeas@bgu.ac.il; coasaf@bgu.ac.il; gurewitz@bgu.ac.il). Digital Object Identifier 10.1109/TNSM.2018.2825881
Publisher Copyright:
© 2004-2012 IEEE.
PY - 2018/9/1
Y1 - 2018/9/1
N2 - Network traffic classification is fundamental to network management and its performance. However, traditional approaches for traffic classification, which were designed to work on dedicated hardware at very high line rates, may not function well in a virtual software-based environment. In this paper, we devise a novel fingerprinting technique that can be utilized as a software-based solution which enables machine-learning-based classification of ongoing flows. The suggested scheme is very simple to implement and requires minimal resources, yet attains very high accuracy. Specifically, for TCP flows, we suggest a fingerprint that is based on zero-length packets, and hence enables a highly efficient sampling strategy which can be adopted with a single content-addressable memory rule. The suggested fingerprinting scheme is robust to network conditions such as congestion, fragmentation, delay, retransmissions, duplications, and losses, and to varying processing capabilities. Hence, its performance is essentially independent of placement and migration issues, and thus yields an attractive solution for virtualized software-based environments. We suggest an analogous fingerprinting scheme for User Datagram Protocol traffic, which benefits from the same advantages as the TCP one and attains very high accuracy as well. Results show that our scheme correctly classified about 97% of the flows on the dataset tested, even on encrypted data.
KW - Network traffic classification
KW - machine learning
KW - network function virtualization
KW - network monitoring and measurements
KW - software-defined networking
UR - http://www.scopus.com/inward/record.url?scp=85045312104&partnerID=8YFLogxK
U2 - 10.1109/TNSM.2018.2825881
DO - 10.1109/TNSM.2018.2825881
M3 - Article
AN - SCOPUS:85045312104
SN - 1932-4537
VL - 15
SP - 1049
EP - 1062
JO - IEEE Transactions on Network and Service Management
JF - IEEE Transactions on Network and Service Management
IS - 3
M1 - 8335764
ER -