Application Classification in Real Traffic: Using Packet Size Distribution and Ports Association

Master's === National Chiao Tung University === Institute of Network Engineering === 95 === Signature-based classification methodology has been used for a long time, but it can't be applied to encrypted protocol messages. Some research tries to find useful characteristics of separate applications from their transport layer behaviors that can be d...


Bibliographic Details
Main Authors: Wei-Hao Peng, 彭偉豪
Other Authors: Yin-Dar Lin
Format: Others
Language: en_US
Published: 2007
Online Access: http://ndltd.ncl.edu.tw/handle/96702524118063479907
id ndltd-TW-095NCTU5726019
record_format oai_dc
spelling ndltd-TW-095NCTU5726019 2015-10-13T13:59:36Z http://ndltd.ncl.edu.tw/handle/96702524118063479907 Application Classification in Real Traffic: Using Packet Size Distribution and Ports Association 真實網路流量分類演算法:利用封包大小分佈與連接埠關聯性之流量辨識 Wei-Hao Peng 彭偉豪 Master's, National Chiao Tung University, Institute of Network Engineering, 95 Yin-Dar Lin 林盈達 2007 thesis 26 en_US
collection NDLTD
language en_US
format Others
sources NDLTD
description Master's === National Chiao Tung University === Institute of Network Engineering === 95 === Signature-based classification methodology has been used for a long time, but it can't be applied to encrypted protocol messages. Some research tries to find useful characteristics of separate applications from their transport layer behaviors that can be divided into two kinds: social network behaviors and statistical behaviors. Most of them are time-consuming due to the huge amount of information needed. In our work, we use Packet Size Distribution and Ports Association to achieve our goal. Every succeeded connection would be transformed into one vector in the multi-dimensional coordinate spaces and classified into some specified application or other unknown ones. Besides, the Euclidean distances of every connection between all individual centers, the representatives of the applications, will also be computed. Once a connection is identified and classified into some certain session, we can use the ports association algorithm to associate and accelerate other connections in the same session. Using the proposed method, we can reach a high classification accuracy rate, 96% on average, and low false positive and false negative rates, 4%~5%, after the preparation process of 100~200 packets. Lastly, we present a basic on-line architecture to show the correctness and simplicity.