Abstract

We present a novel approach for timely classification and verification of network traffic using Gaussian Mixture Models (GMMs). We generate a separate GMM for each class of applications using component-wise expectation-maximization (CEM) to match the network traffic distribution generated by these applications. We apply our models to both traffic classification, where the goal is to identify the source application from which the traffic originates by evaluating the maximum posterior probability, and traffic verification, where the goal is to verify, by likelihood testing, whether the application that claims to be the source of the traffic is as expected. Our models use only the first few packets of truncated flows in order to provide more efficient and timely traffic classification and verification. This allows timely countermeasures to be triggered before the end of flows. We demonstrate the effectiveness of our approach by experiments on a public dataset collected from a real network. Our traffic classification approach outperforms other state-of-the-art approaches that are based on machine learning, and achieves up to 97.7% flow classification accuracy when using only the first 9 packets of flows. We show that 96.6% flow classification accuracy can still be obtained when training the GMMs using only 0.5% of all flows. Our traffic verification approach achieves a minimum Half Total Error Rate (HTER) of 7.65% when using only the first 6 packets of flows.

Highlights

  • The number of internet applications and the variety of end users are increasing continuously, as are the number of online network attacks and advanced generations of malware.

  • We demonstrate that our approach outperforms state-of-the-art approaches for traffic classification that are based on machine learning.

  • In this paper we presented an almost real-time traffic classification as well as a fast application-aware traffic anomaly detection system based on an original use of Gaussian Mixture Models (GMMs).


Summary

Introduction

The number of internet applications and the variety of end users are increasing continuously, as are the number of online network attacks and advanced generations of malware. As a result, both classification and verification of network traffic have become more difficult. We present a novel generative approach for timely traffic classification and traffic verification. Before generating the GMM for an application class, we first derive feature vectors from the network traffic generated by the applications in the class. The GMM is a probabilistic model that represents the probability density function of the feature vectors.
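
The two decision rules described above, as an added example that is not code from the paper: one GMM is fitted per application class, a flow is classified by maximum posterior, and a claimed class is verified with a likelihood threshold and scored by HTER. It assumes plain EM in place of the paper's CEM, the sizes of the first 3 packets as features, and constructed "web" and "ssh" flows; all names and values are illustrative.

```python
import math, random

def log_gauss(x, mean, var):  # log density of a diagonal-covariance Gaussian
    return sum(-0.5 * (math.log(2 * math.pi * v) + (xi - m) ** 2 / v)
               for xi, m, v in zip(x, mean, var))

def score(x, gmm):
    # Per-component log terms and their log-sum-exp (log-likelihood of flow x).
    logs = [math.log(w) + log_gauss(x, m, v) for w, m, v in gmm]
    top = max(logs)
    return logs, top + math.log(sum(math.exp(l - top) for l in logs))

def fit_gmm(data, k, iters=30, floor=1.0):
    # Plain EM stands in for the paper's CEM; initialisation is deterministic.
    n, dim = len(data), len(data[0])
    gmm = [(1.0 / k, list(data[j * n // k]), [100.0] * dim) for j in range(k)]
    for _ in range(iters):
        scored = [score(x, gmm) for x in data]  # E-step: responsibilities
        resp = [[math.exp(l - total) for l in logs] for logs, total in scored]
        gmm = []
        for j in range(k):  # M-step: re-estimate weight, mean, floored variance
            nj = sum(r[j] for r in resp) + 1e-9
            mean = [sum(r[j] * x[d] for r, x in zip(resp, data)) / nj for d in range(dim)]
            var = [max(floor, sum(r[j] * (x[d] - mean[d]) ** 2
                                  for r, x in zip(resp, data)) / nj) for d in range(dim)]
            gmm.append((nj / n, mean, var))
    return gmm

def classify(x, models, priors):
    # Maximum posterior: argmax over classes of log p(x | class) + log P(class).
    return max(models, key=lambda c: score(x, models[c])[1] + math.log(priors[c]))

def verify(x, claimed, models, threshold):
    # Likelihood test: accept the claimed class only if x is plausible under its GMM.
    return score(x, models[claimed])[1] >= threshold

def hter(genuine, impostor, claimed, models, threshold):
    frr = sum(not verify(x, claimed, models, threshold) for x in genuine) / len(genuine)
    far = sum(verify(x, claimed, models, threshold) for x in impostor) / len(impostor)
    return (far + frr) / 2  # Half Total Error Rate

def make_flows(rng, profiles, n):
    # Constructed data: sizes in bytes of the first 3 packets of each flow.
    return [[rng.gauss(m, 15.0) for m in rng.choice(profiles)] for _ in range(n)]

rng = random.Random(7)
TRAIN = {"web": make_flows(rng, [(520, 1400, 1400), (310, 900, 1400)], 120),
         "ssh": make_flows(rng, [(60, 80, 640), (60, 700, 280)], 120)}
MODELS = {c: fit_gmm(flows, k=2) for c, flows in TRAIN.items()}
PRIORS = {c: len(flows) / 240 for c, flows in TRAIN.items()}
```

The threshold passed to verify trades false accepts against false rejects, so it would be tuned on held-out flows rather than fixed in advance.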
