Improving signature quality for network application identification

Abstract

Network application identification is one of the core elements in network operations and management to provide enhanced network service and security. For accurate identification, an approach using common patterns called “signatures” is widely used to compensate the limitations of the traditional transport-layer port-based classification. However, our simulation results indicate that using the signatures generated from a set of well known algorithms may lead to very poor identification performance, with less than 60% of true positives even in an optimal case. To improve the quality of signatures, we present a technique in this paper, which consists of two steps: (i) pairwise merging to consider every possible combination of the initially collected signatures to reduce their specificity that causes the signatures to be less common; and (ii) signature reduction to identify effective signatures with greater importance from a large set of signatures produced in the merging step, so as to manage the space/time complexity in the identification process for greater scalability. Our experimental results show that the proposed technique can dramatically improve the performance, even with a small number of signatures (e.g., 95% true positives rate with 30 signatures per application) which is more compact than the initial signature set.