Peter Rabinovitch

Peer-to-Peer IP Traffic Classification Using Decision Tree and IP Layer Attributes

We present a new approach using data-mining technique and, in particular, decision tree to classify peer-to-peer (P2P) traffic in IP networks. We captured the Internet traffic at a main gateway router, performed preprocessing on the data, selected the most significant attributes, and prepared a training-data set to which the decision-tree algorithm was applied. We built several models using a combination of various attribute sets for different ratios of P2P to non-P2P traffic in the training data. We observed that the accuracy of the model increases significantly when we include the attributes “Src IP addr” and “Dst IP addr” in building the model. By detecting communities of peers, we achieved classification accuracy of higher than 98%. Consequently, we recommend that: (a) the classification must be done within the authority of the Internet service providers (ISP) in order to detect communities of peers, and (b) the decision tree needs to be frequently trained to ensure the fairness and correctness of the classification algorithm. Our approach is based only on information in the IP layer, eliminating the privacy issues associated with deep-packet inspection.

Classification of Peer-to-Peer traffic using incremental neural networks (Fuzzy ARTMAP)

We present application of data mining, and in particular, fuzzy ARTMAP neural networks, in classification of peer-to-peer (P2P) traffic in IP networks. We captured Internet traffic at a main gateway router, performed pre-processing on the data, selected the most significant attributes, and prepared a training data set to which the fuzzy ARTMAP algorithms were applied. Fuzzy ARTMAP is an incremental learning classifier suitable for mining stream of data. We built several models using incremental and non-incremental approaches for different sizes of the training data set. We observed that when the size of the training set is relatively small, incremental learning has better performance than non-incremental algorithm. This highlights the efficiency of the incremental learning classifier in stream data mining applications where memory size is usually limited. Our approach relies only on the IP header of the packets, eliminating the privacy concern associated with the techniques that use deep packet inspection.

Tracking per-flow state - Binned duration flow tracking

Recent advances in network monitoring have increasingly focused on obtaining per-flow information, such as flow state. Tracking the state of network flows opens up a new dimension of information gathering for network operators, allowing previously unattainable data to be captured. This paper presents a time efficient novel method — Binned Duration Flow Tracking (BDFT) — of tracking per-flow state by grouping valid flows into “bins”. BDFT is intended for high-speed routers where CPU time is crucial. BDFT is time efficient by adopting Bloom filters as the primary data structures. Simulation results show that BDFT can achieve over 99% accuracy on traces of real network traffic.

An efficient hybrid approach to per-flow state tracking for high-speed networks

Maintaining per-flow information and state is a crucial topic in network monitoring. Tracking per-flow state is a relatively new area. Two main approaches have been proposed for tracking state: Binned Duration Flow Tracking (BDFT) and Fingerprint-Compressed Filter Approximate Concurrent State Machine (FCF ACSM). BDFT which uses Bloom filters is time efficient, whereas FCF ACSM using d-left hash tables has near-perfect memory efficiency but has higher computational cost. This paper presents a hybrid method (BDFT-H) by employing the best features of BDFT and FCF ACSM to achieve both time and space efficiency. Performance analysis and comparisons are conducted for BDFT, FCF ACSM, and BDFT-H. These methods are all intended for implementation on high-speed routers where resources such as memory and CPU time are limited. For the computational performance of the three schemes, we find that based on analysis, d-left hashing may require substantially more computational resources than Bloom filters. We also conduct simulations to compare the accuracy of these three schemes and the results show that all three methods can achieve over 99% accuracy on traces of real traffic. The proposed BDFT-H provides the best overall tradeoff between time and space efficiency. Both BDFT and FCF ACSM may have the false positive issue. This paper also presents two additional BDFT extensions: BDFT-FPR (false positive removal) and BDFT-FPC (false positive correction) to deal with the false positive issue. Performance comparisons for BDFT and these two BDFT extensions are also conducted using real traffic traces for comparison.

A TCP Connection Establishment Filter: Symmetric Connection Detection

Network measurement at 10+Gbps speeds imposes many restrictions on the resource consumption of the measurement application, making any filtering of input data highly desirable. Symmetric connection detection (SCD) is a method of filtering TCP sessions, passing only those sessions which become fully established. SCD can benefit network monitoring applications that are only interested fully established TCP connections by reducing processing requirements. Incomplete connection attempts, such as port scanning attempts, simply waste resources in many applications if they are not filtered. SCD filters out unsuccessful connection attempts using a combination of Bloom filters to track the state of connection establishment for every flow passing through a network device. Unsuccessful flows can be filtered out to a very high degree of accuracy, depending on the size of the Bloom filter and traffic rate, 99.5% is typical. Resource consumption, both memory and CPU is low. The core SCD algorithm is designed to work in high-speed routers, in real-time, and at line speed. Using an upper bound of 32 k bytes of RAM our experimental results indicate 99+% accuracy with 900,000 active flows.

An Efficient Approach to Per-Flow State Tracking for High-Speed Networks

Maintaining per-flow information and state is a crucial topic in network monitoring. Tracking per-flow state is a relatively new area. Two main approaches have been proposed for tracking state: Binned Duration Flow Tracking (BDFT) and Fingerprint-Compressed Filter Approximate Concurrent State Machine (FCF ACSM). BDFT which uses Bloom filters is time efficient, whereas FCF ACSM using d-left hash tables has near-perfect memory efficiency but has higher computational cost. This paper presents a hybrid method (BDFT-H) by employing the best features of BDFT and FCF ACSM to achieve both time and space efficiency. Performance analysis and comparisons are conducted for BDFT, FCF ACSM, and BDFT-H. These methods are all intended for implementation on high-speed routers where resources such as memory and CPU time are limited. For the computational performance of the three schemes, we find that based on analysis, d-left hashing may require substantially more computational resources than Bloom filters. We also conduct simulations to compare the accuracy of these three schemes and the results show that all three methods can achieve over 99% accuracy on traces of real traffic. The proposed approach provides the best overall tradeoff between time and space efficiency.