Grenville J. Armitage

A survey of techniques for internet traffic classification using machine learning

The research community has begun looking for IP traffic classification techniques that do not rely on `well known¿ TCP or UDP port numbers, or interpreting the contents of packet payloads. New work is emerging on the use of statistical traffic characteristics to assist in the identification and classification process. This survey paper looks at emerging research into the application of Machine Learning (ML) techniques to IP traffic classification - an inter-disciplinary blend of IP networking and data mining techniques. We provide context and motivation for the application of ML techniques to IP traffic classification, and review 18 significant works that cover the dominant period from 2004 to early 2007. These works are categorized and reviewed according to their choice of ML strategies and primary contributions to the literature. We also discuss a number of key requirements for the employment of ML-based traffic classifiers in operational IP networks, and qualitatively critique the extent to which the reviewed works meet these requirements. Open issues and challenges in the field are also discussed.

A preliminary performance comparison of five machine learning algorithms for practical IP traffic flow classification

The identification of network applications through observation of associated packet traffic flows is vital to the areas of network management and surveillance. Currently popular methods such as port number and payload-based identification exhibit a number of shortfalls. An alternative is to use machine learning (ML) techniques and identify network applications based on per-flow statistics, derived from payload-independent features such as packet length and inter-arrival time distributions. The performance impact of feature set reduction, using Consistency-based and Correlation-based feature selection, is demonstrated on Naïve Bayes, C4.5, Bayesian Network and Naïve Bayes Tree algorithms. We then show that it is useful to differentiate algorithms based on computational performance rather than classification accuracy alone, as although classification accuracy between the algorithms is similar, computational performance can differ significantly.

Automated traffic classification and application identification using machine learning

The dynamic classification and identification of network applications responsible for network traffic flows offers substantial benefits to a number of key areas in IP network engineering, management and surveillance. Currently such classifications rely on selected packet header fields (e.g. port numbers) or application layer protocol decoding. These methods have a number of shortfalls e.g. many applications can use unpredictable port numbers and protocol decoding requires a high amount of computing resources or is simply infeasible in case protocols are unknown or encrypted. We propose a novel method for traffic classification and application identification using an unsupervised machine learning technique. Flows are automatically classified based on statistical flow characteristics. We evaluate the efficiency of our approach using data from several traffic traces collected at different locations of the Internet. We use feature selection to find an optimal feature set and determine the influence of different features

A survey of covert channels and countermeasures in computer network protocols

Covert channels are used for the secret transfer of information. Encryption only protects communication from being decoded by unauthorised parties, whereas covert channels aim to hide the very existence of the communication. Initially, covert channels were identified as a security threat on monolithic systems i.e. mainframes. More recently focus has shifted towards covert channels in computer network protocols. The huge amount of data and vast number of different protocols in the Internet seems ideal as a high-bandwidth vehicle for covert communication. This article is a survey of the existing techniques for creating covert channels in widely deployed network and application protocols. We also give an overview of common methods for their detection, elimination, and capacity limitation, required to improve security in future computer networks.

Self-Learning IP traffic classification based on statistical flow characteristics

A number of key areas in IP network engineering, management and surveillance greatly benefit from the ability to dynamically identify traffic flows according to the applications responsible for their creation. Currently such classifications rely on selected packet header fields (e.g. destination port) or application layer protocol decoding. These methods have a number of shortfalls e.g. many applications can use unpredictable port numbers and protocol decoding requires high resource usage or is simply infeasible in case protocols are unknown or encrypted. We propose a framework for application classification using an unsupervised machine learning (ML) technique. Flows are automatically classified based on their statistical characteristics. We also propose a systematic approach to identify an optimal set of flow attributes to use and evaluate the effectiveness of our approach using captured traffic traces.

Training on multiple sub-flows to optimise the use of Machine Learning classifiers in real-world IP networks

Literature on the use of machine learning (ML) algorithms for classifying IP traffic has relied on full-flows or the first few packets of flows. In contrast, many real-world scenarios require a classification decision well before a flow has finished even if the flows beginning is lost. This implies classification must be achieved using statistics derived from the most recent N packets taken at any arbitrary point in a flows lifetime. We propose training the classifier on a combination of short sub-flows (extracted from full-flow examples of the target applications traffic). We demonstrate this optimisation using the naive Bayes ML algorithm, and show that our approach results in excellent performance even when classification is initiated mid-way through a flow with windows as small as 25 packets long. We suggest future use of unsupervised ML algorithms to identify optimal sub-flows for training

Timely and continuous machine-learning-based classification for interactive IP traffic

Machine Learning (ML) for classifying IP traffic has relied on the analysis of statistics of full flows or their first few packets only. However, automated QoS management for interactive traffic flows requires quick and timely classification well before the flows finish. Also, interactive flows are often long-lived and should be continuously monitored during their lifetime. We propose to achieve this by using statistics derived from sub-flows—a small number of most recent packets taken at any point in a flows lifetime. Then, the ML classifier must be trained on a set of sub-flows, and we investigate different sub-flow selection strategies. We also propose to augment training datasets so that classification accuracy is maintained even when a classifier mixes up client-to-server and server-to-client directions for applications exhibiting asymmetric traffic characteristics. We demonstrate the effectiveness of our approach with the Naive Bayes and C4.5 Decision Tree ML algorithms, for the identification of first-person-shooter online game and VoIP traffic. Our results show that we can classify both applications with up to 99% Precision and 95% Recall within less than 1 s. Stable results are achieved regardless of where within a flow the classifier captures the packets and the traffic direction.

Packet reassembly during cell loss

Asynchronous transfer mode (ATM) is a packet switched data transport system based on short, fixed length cells. Each cell carries a virtual channel indicator (VCI) and virtual path indicator (VPI) in its header. Essential to the services offered by the ATM networks is the ATM adaptation layer (AAL), an ITU-TSS defined layer that adapts the cell-based ATM physical layer to packet, datagram, or bit-stream-oriented higher layers. Failure modes causing cell loss along a virtual connection are examined, and the ways AALs cope are analyzed. The sources of cell loss and their effects on AAL3/4 or AAL5 type of service are described. The usefulness of the ability of AAL3/4 to pass fragments of corrupted data up to higher layer protocols is discussed, and the implementation of selective cell discarding within switching nodes is considered, and the limitations imposed by each AAL are examined.<<ETX>>

Achieving fairness in multiplayer network games through automated latency balancing

Over the past few years, the prominence of multiplayer network gaming has increased dramatically in the Internet. The effect of network delay (lag) on multiplayer network gaming has been studied before. Players with higher delays (whether due to slower connections, congestion or a larger distance to the server) are at a clear disadvantage relative to players with low delay. In this paper we evaluate whether eliminating the delay differences will provide a fairer solution whilst maintaining good gameplay. We have designed and implemented an application that can be used with existing network games to equalize the delay differences. To evaluate the effectiveness of the approach we use a novel method involving computer players (bots) instead of human players. This method provides some advantages over difficult and time-consuming human usability trials. We show that bots experience similar unfairness problems as humans and demonstrate that the application we have developed significantly improves fairness.

Securing BGP — A Literature Survey

The Border Gateway Protocol (BGP) is the Internets inter-domain routing protocol. One of the major concerns related to BGP is its lack of effective security measures, and as a result the routing infrastructure of the Internet is vulnerable to various forms of attack. This paper examines the Internets routing architecture and the design of BGP in particular, and surveys the work to date on securing BGP. To date no proposal has been seen as offering a combination of adequate security functions, suitable performance overheads and deployable support infrastructure. Some open questions on the next steps in the study of BGP security are posed.