Identification Of Network Applications Research Articles

Identification of Network Application Behaviors Hiding in HTTP Tunnels

HTTP tunnels almost obscure the original contents and behaviors of network applications, which makes it challenging for the network management and cybersecurity equipment to identify the hidden network application behaviors. Many efficient detection schemes have been exploited for network application identification in prior works. However, the following “Last Mile” problem, the application behavior identification hidden in HTTP tunnels, remains a significant challenge. In this paper, the typical network application behaviors are firstly summarized and the discriminative spatial–temporal features are selected by information gain and information gain ratio analysis. The feature extraction is developed on flow fragments instead of a whole HTTP flow. Experiments are conducted to verify the effectiveness of the selected features and compare the performance of three popular machine learning (ML) algorithms, namely Decision Tree, Random Forest, and Naïve Bayes. The implementation parameter suggestion for Decision Tree is also given according to a series of experiments on different algorithm parameters and flow fragmenting sizes with the compositive computation and accuracy considerations.

Improving signature quality for network application identification

Network application identification is one of the core elements in network operations and management to provide enhanced network service and security. For accurate identification, an approach using common patterns called “signatures” is widely used to compensate the limitations of the traditional transport-layer port-based classification. However, our simulation results indicate that using the signatures generated from a set of well known algorithms may lead to very poor identification performance, with less than 60% of true positives even in an optimal case. To improve the quality of signatures, we present a technique in this paper, which consists of two steps: (i) pairwise merging to consider every possible combination of the initially collected signatures to reduce their specificity that causes the signatures to be less common; and (ii) signature reduction to identify effective signatures with greater importance from a large set of signatures produced in the merging step, so as to manage the space/time complexity in the identification process for greater scalability. Our experimental results show that the proposed technique can dramatically improve the performance, even with a small number of signatures (e.g., 95% true positives rate with 30 signatures per application) which is more compact than the initial signature set.

A Hybrid Classifier with a Binning Method for Network Application Identification

Despite the increasing interest in application identification, the traditional approach based on transport layer port numbers has become less effective due to several reasons including the increasing use of random or non-standard port numbers and tunneling (e.g., HTTP tunnels). One approach to overcome this is to inspect application payload information. While highly accurate, it is limited and complicated for encrypted or obfuscated packets. Another common approach is to utilize flow statistics, such as flow size and duration, for classifying applications. Since it does not require to read packet contents, this approach has no limitation to plain-text flows, but it is known to be relatively less accurate. In this work, we develop a framework that incorporates those multiple classification techniques to offer accurate identification of applications with greater flexibility. In particular, we present our design of the hybrid classifier that performs classification based on machine learning with payload information and statistical flow-level features. With a recently collected traffic data set with a diverse set of applications, our experimental results show that our hybrid approach provides a high degree of accuracy for application identification yielding an accuracy of 95% on average. In addition, we propose an optimization technique with a novel binning method that partitions the given application set into multiple subgroups to improve the overall identification accuracy.

Environment Based Design of Services

Design comes from an environment, serves the environment, and changes the environment (Zeng, 2011). A product would resolve conflict(s) in its environment by providing certain services while becoming a part of the environment once having been realized. The environment of a service includes the subjects to be served, the infrastructure to support the service, and the resources available to the service. This issue includes four papers addressing different aspects in delivering a service to their respective environments. The first paper, titled “A hybrid classifier with a binning method for network application identification” by Moon et al, aims to develop a method for the accurate identification of network traffic related to an online service. This research could equip web services with a better infrastructure by enabling the implementation of a variety of crucial functions such as accounting and analysis, network operations and management, and security. A framework is developed to incorporate multiple classification techniques to offer an accurate identification of applications with greater flexibility. Particularly, a hybrid classifier is designed to perform the classification based on machine learning with payload information and statistical flow-level features. The authors also propose an optimization technique with a novel binning method that partitions the given application set into multiple subgroups to improve the overall identification accuracy. The second paper, titled “A reference model for privacy protection in social networking service” by Deng et al, addresses privacy issue in social network services (SNS). This paper is based on an observation that users have a great motivation to share their personal updates in a social media in order to maintain their contacts while they still have a strong need to protect their privacy in order to prevent all kinds of frauds from attackers. By using Environment Based Design (EBD) methodology, the authors propose a reference model for privacy protection, which encompasses factors such as user’s behaviour, SNS provider’s security policy, and information management strategy. Major challenges and related solutions are identified to provide a holistic framework to resolve the conflict between information sharing and privacy protection. The third paper, titled “Hospital healthcare service risk assessment and management with Risk-OMeter software metrics for a field application” by Sahinoglu et al, implements a practical methodology for assessing and improving the patient-centered quality of care in healthcare services. This paper is focused on the assessment and management of patient-centered quality of care risk by using a software system, Risk-O-Meter (RoM), through a simulation analysis. As such, it provides a patient-centred metric of hospital health-care risk, and risk mitigation advice for vulnerabilities and threats associated with automated management of healthcare quality in a hospital or clinic. A questionnaire survey is then

Network Application Identification Using Sequential Transition Patterns of Payload Length

Network Application Identification Using Sequential Transition Patterns of Payload Length

Towards High-Performance Network Application Identification With Aggregate-Flow Cache

Classifying network traffic according to their application-layer protocols is an important task in modern networks for traffic management and network security. Existing payload-based or statistical methods of application identification cannot meet the demand of both high performance and accurate identification at the same time. We propose an application identification framework that classifies traffic at aggregateflow level leveraging aggregate-flow cache. A detailed traffic classifier designed based on this framework is illustrated to improve the throughput of payload-based identification methods. We further optimize the classifier by proposing an efficient design of aggregate-flow cache. The cache design employs a frequency-based, recency-aware replacement algorithm based on the analysis of temporal locality of aggregate-flow cache. Experiments on real-world traces show that our traffic classifier with aggregateflow cache can reduce up to 95% workload of backend identification engine. The proposed cache replacement algorithm outperforms well-known replacement algorithms, and achieves 90% of the optimal performance using only 15% of memory. The throughput of a payload-based identification system, L7-filter [1], is increased by up to 5.1 times by using our traffic classifier design.

Traffic classification and packet detections to facilitate networks security

Traffic classification has a vital role in tasks as wide ranging as trend analyses, adaptive network-based QoS marking of traffic, dynamic access control and lawful interception. The identification of network applications through observation of associated packet traffic flows is vital to the areas of network management and surveillance. An important role of this work is to show the need for thorough comparisons between the plethora of proposed solutions in traffic classification and packet detections. Certainly there are other learning algorithms, other features, other performance measures, different approaches to traffic classification and packet detection, in general more research have been done, and within the same lane, we propose a novel strategy called 'separator'. This paper is an attempt to create discussion and inspire future research in this direction. The method proposed is theoretically proved to have tight error bound and small space usage. We then show that it is useful to differentiate algorithms based on computational performance rather than classification accuracy alone, as although classification accuracy between the algorithms is similar, computational performance can differ significantly. Comprehensive experiments conducted also verify our mechanism accuracy and efficiency.

Network Application Identification Based on Communication Characteristics of Application Messages

Network Application Identification Based on Communication Characteristics of Application Messages

Profiling and identification of P2P traffic

Accurate identification of network applications is important for many network activities. The traditional port-based technique has become much less effective since many new applications no longer use well-known fixed port numbers. In this paper, we propose a novel profile-based approach to identifying traffic flows belonging to the target application. In contrast to the method used in previous studies, of classifying traffic based on statistics of individual flows, we build behavioral profiles of the target application, which describe dominant patterns in the application. Based on the behavior profiles, a two-level matching method is used to identify new traffic. We first determine whether a host participates in the target application by comparing its behavior with the profiles. Subsequently, we compare each flow of the host with those patterns in the application profiles to determine which flows belong to this application. We demonstrate the effectiveness of our method on-campus traffic traces. Our results show that one can identify popular P2P applications with very high accuracy.

A preliminary performance comparison of five machine learning algorithms for practical IP traffic flow classification

The identification of network applications through observation of associated packet traffic flows is vital to the areas of network management and surveillance. Currently popular methods such as port number and payload-based identification exhibit a number of shortfalls. An alternative is to use machine learning (ML) techniques and identify network applications based on per-flow statistics, derived from payload-independent features such as packet length and inter-arrival time distributions. The performance impact of feature set reduction, using Consistency-based and Correlation-based feature selection, is demonstrated on Naïve Bayes, C4.5, Bayesian Network and Naïve Bayes Tree algorithms. We then show that it is useful to differentiate algorithms based on computational performance rather than classification accuracy alone, as although classification accuracy between the algorithms is similar, computational performance can differ significantly.