Kyu-Seok Shim
Korea University
Publication
Featured research published by Kyu-Seok Shim.
Asia-Pacific Network Operations and Management Symposium | 2016
Young-Hoon Goo; Kyu-Seok Shim; Su-Kang Lee; Myung-Sup Kim
The emergence of high-speed Internet and various smart devices has led to a rapid increase of applications on the Internet. In order to provide reliable services and efficient management of network resources, accurate traffic classification of various applications is essential. Whatever extraction method is used, most extracted payload signatures are just strings or hex values that appear frequently within payloads. Thus, it is difficult to extract unique signatures for a specific application, because extraction of redundant signatures is in most cases unavoidable. In this paper, we propose a more elaborate payload signature structure for accurate classification of each specific application. This signature structure is composed of three levels of signatures: the Content signature, which is a single contiguous substring in a payload; the Packet signature, which is a sequence of Content signatures that appear in the same packet; and the Flow signature, which is a sequence of Packet signatures that appear in the same flow. By applying the existing signature format and the proposed signature format to actual application traffic classification and comparing them, we demonstrate the effectiveness of the proposed signature structure.
Security and Communication Networks | 2018
Baraka D. Sija; Young-Hoon Goo; Kyu-Seok Shim; Huru Hasanova; Myung-Sup Kim
A network protocol defines rules that control communications between two or more machines on the Internet, whereas Automatic Protocol Reverse Engineering (APRE) defines the way of extracting the structure of a network protocol without accessing its specifications. Sufficient knowledge of undocumented protocols is essential for security purposes, network policy implementation, and management of network resources. This paper reviews and analyzes a total of 39 approaches, methods, and tools for Protocol Reverse Engineering (PRE) and classifies them into four divisions: approaches that reverse engineer protocol finite state machines, approaches that reverse engineer protocol formats, approaches that reverse engineer both protocol finite state machines and protocol formats, and approaches that focus directly on neither protocol formats nor protocol finite state machines. The efficiency of all approaches' outputs based on their selected inputs is analyzed in general, along with appropriate reverse engineering input formats. Additionally, we present discussion and extended classification in terms of automated to manual approaches, known and novel categories of reverse engineered protocols, and a literature of reverse engineered protocols in relation to the seven-layer OSI (Open Systems Interconnection) model.
International Journal of Network Management | 2017
Kyu-Seok Shim; Jae-Hyun Ham; Baraka D. Sija; Myung-Sup Kim
Summary: Recently, network traffic has become more complex and diverse because of the emergence of new applications and services. Therefore, the importance of application-level traffic classification is increasing rapidly, and it has become a very popular research area. Although many methods for traffic classification have been introduced in the literature, they have limitations in achieving an acceptable level of performance in real-time application-level traffic classification. In this paper, we propose a novel application-level traffic classification method using a payload size sequence signature. The proposed method generates unique payload size sequence signatures for each application using the packet order, direction, and payload size of the first N packets in a flow and uses them to identify application traffic. The evaluation shows that this method can classify application traffic easily and quickly with high accuracy and completeness rates, over 99.93% and 93.45%, respectively. Furthermore, the method can classify each application's traffic into its respective individual application. The evaluation shows that the method can classify the traffic of all applications, both known and unknown (new), into their respective applications, and that it can separate from each other the traffic of applications that use the same application protocol or are encrypted.
Asia-Pacific Network Operations and Management Symposium | 2014
Kyu-Seok Shim; Su-Kang Lee; Myung-Sup Kim
Today, network traffic has increased because of the appearance of various applications and services. However, methods for network traffic analysis have not developed enough to keep up with the increasing usage of the network. Most methods for network traffic analysis operate in a single-server environment, which imposes limits on memory, processing speed, and storage capacity. Considering the growth of network traffic, we need a traffic analysis method that can handle big-data traffic. The Hadoop system can be effectively used for analyzing big-data traffic. In this paper, we propose a method of application traffic classification in the Hadoop distributed computing system and compare the processing time of the proposed system with that of a single-server system to show the advantages of Hadoop.
International Journal of Network Management | 2018
Kyu-Seok Shim; Sung-Ho Yoon; Baraka D. Sija; Jun-Sang Park; Kyung-Hee Cho; Myung-Sup Kim
Summary: With the rapid development of the internet and a vigorous emergence of new applications, traffic identification has become a key issue. Although various methods have been proposed, there are still several limitations to achieving fine-grained and application-level identification. Therefore, we previously proposed a behavior signature model for extracting a unique traffic pattern of an application. Although this signature model achieves a good identification performance, it has trouble with the signature extraction, particularly from a huge amount of input traffic, because a Candidate-Selection method is used for extracting the signature. To improve this inefficiency in the extraction process, in this paper, we propose a novel behavior signature extraction method using a sequence pattern algorithm. The proposed method can extract a signature regardless of the volume of input traffic because it excludes certain unsatisfactory candidates using a predefined support value during the early stage of the process. We proved experimentally the feasibility of the proposed extraction method for 7 popular applications.
Asia-Pacific Network Operations and Management Symposium | 2017
Kyu-Seok Shim; Young-Hoon Goo; Sungyun Kim; Mi-Jung Choi; Myung-Sup Kim
Today's network environment is becoming very complicated. Accordingly, traffic classification for network management is becoming difficult. For the study of traffic classification, automatic payload signature generation systems have been developed very actively. However, existing automatic payload signature generation systems have problems such as being only semi-automatic, generating disposable signatures, generating false-positive signatures, and keeping signatures that are not up to date. Therefore, we propose SigManager. SigManager performs all processes: traffic collection, signature generation, signature management, and signature verification. The traffic collection stage automatically collects ground-truth traffic through TMA and TMS. The signature management stage removes unnecessary signatures, and the signature generation stage generates the new signatures. Finally, the signature verification stage removes the false-positive signatures. With this system, we solved the problems of existing automatic signature generation systems. As a result of applying this system to a campus network, we could maintain high completeness and a low false-positive rate for 4 applications.
Asia-Pacific Network Operations and Management Symposium | 2017
Woo-Suk Jung; Jeong-Han Yun; Sin-Kyu Kim; Kyu-Seok Shim; Myung-Sup Kim
SCADA systems operate through repeated or periodic use of only a limited set of communication devices. Because of this feature, whitelist-based security techniques are widely used, and access restriction using a whitelist-based static ACL is the method most commonly applied in the security field. Static ACLs have advantages in security, but their expressiveness is too simple to describe communication that uses dynamically allocated ports. In addition, a static ACL does not reflect all the communication characteristics of the control device, and a generated static ACL must always remain open regardless of how frequently it is used. We propose a structured ACL that adds to the static ACL the fixed generation-sequence information between communications and the communication-specific periodicity, reflecting the mechanical and repetitive communication characteristics of the SCADA system. We demonstrate the feasibility of the proposed Structured ACL model in this paper by applying it to real SCADA network traffic.
Asia-Pacific Network Operations and Management Symposium | 2017
Jee-Tae Park; Kyu-Seok Shim; Sung-Ho Lee; Myung-Sup Kim
Applications are becoming more complicated and diverse as the network environment grows day by day. It is therefore important to classify application traffic accurately. Although there are many ways to classify application traffic, machine learning based approaches are becoming more efficient nowadays. This is because machine learning methods are more appropriate than existing methods for accurate and efficient application traffic classification. Payload signature methods have limitations in dealing with various patterns and increasing application traffic complexity. In this paper, we propose a method for extracting flow features and a system for classifying application traffic based on machine learning.
Asia-Pacific Network Operations and Management Symposium | 2015
Sung-Ho Yoon; Kyu-Seok Shim; Su-Kang Lee; Myung-Sup Kim
With the acceleration of the Internet speed and the vigorous emergence of new applications, the amount of Internet traffic has increased. In order to provide stable Internet service, efficient network management based on accurate traffic identification is critical. Although various methods for traffic identification have been proposed, not a single method identifies all types of Internet traffic. In this paper, we propose a framework for multi-level application traffic identification by combining several single methods.
Asia-Pacific Network Operations and Management Symposium | 2015
Kyu-Seok Shim; Sung-Ho Yoon; Mi-Jung Choi; Myung-Sup Kim
Today, the number of applications using network services has been increasing. Also, many applications change their traffic patterns frequently for various reasons. Nevertheless, network managers tend to stay with old signatures, although they should update to new signatures to detect the modified application traffic. Signature extraction is work that demands a lot of time, and it is difficult to extract new signatures continuously and in a timely manner for all applications. In this paper, we propose a novel signature management system which automatically extracts new signatures that detect the modified traffic and deletes old signatures that are no longer used. The proposed system analyzes traffic with existing signatures and extracts new signatures automatically for updated traffic. For automatic generation of new signatures, we use a sequence pattern algorithm. Also, the proposed system analyzes the usage of the old signatures to remove them when they are no longer used. We proved the feasibility and applicability of the proposed system by showing that the detection rate of all applications was increased.