基于Apriori算法的流量识别特征自动提取方法

提出了一种基于Apriori算法自动提取协议识别特征的方法,该方法可以自动提取2种最常用的协议识别特征--特征字符串和包长特征,提取特征的效率较传统方法有很大的提高.通过识别率、准确率、正误识别率和负误识别率等指标验证了所提取特征的准确性和完整性,并根据结果反馈指导特征提取的过程,保证了提取特征的可靠性.     

应用层流量识别方法的研究

网络上主要流量的动态性恶化了已存在的流量识别的方法,这些动态性的流量有P2P和多媒体流量等。为了识别这些流量,我们需要具有高效的准确性的识别方法。本文将特征识别和会话行为映射方法相结合,以进行精确的流量识别。创新点在于,对包进行基于优先级的特征匹配,而不是通常的特征匹配。并对没有识别出的流量采用会话行为映射的方法进行识别。     

基于行为特征学习的互联网流量分类方法

基于连接图的互联网流量分类方法能反映主机间的通信行为,具有较高的分类稳定性,但是经验式总结的启发式规则有限,难以获得高分类准确率.研究分析了主机间通信行为模式和BOF方法,从具有相同{目的IP地址,目的端口号,传输层协议}网络流量中,提取主机间连接相关的行为统计特征(HCBF),采用C4.5决策树算法学习基于行为特征的分类规则,其无需人工建立启发式规则.在传统互联网和移动互联网流量数据集上,从基本分类性能和分类稳定性方面,与现有的特征集进行比较分析,实验结果表明,HCBF特征集合的类间区分能力和稳定性较高.     

网络应用流类别不平衡环境下的SSL加密应用流识别关键技术

通过深入研究网络类别不平衡的原因,选择SMOTE（synthetic minority over-sampling technique）过抽样方法对数据集进行预处理,并充分利用特征匹配高准确性的优点识别和分拣出SSL 加密流,进而利用基于互信息最大化的聚类方法和SVM分类方法进一步识别SSL加密应用,这种混合方法有效地结合了静态特征匹配和机器学习方法的优点,达到识别分类方法在准确性和识别速度的均衡。     

基于卷积神经网络的Android流量分类方法

深度学习就是机器学习研究的过程,主要通过模拟人脑分析学习的过程对数据进行分析。目前,深度学习技术已经在计算机视觉、语音识别、自然语言处理等领域获得了较大发展,并且随着该技术的不断发展,为网络流量分类和异常检测带来了新的发展方向。移动智能手机与大家的生活息息相关,但是其存在的安全问题也日益凸显。针对传统机器学习算法对于流量分类需要人工提取特征、计算量大的问题,提出了基于卷积神经网络模型的应用程序流量分类算法。首先,将网络流量数据集进行数据预处理,去除无关数据字段,并使数据满足卷积神经网络的输入特性。其次,设计了一种新的卷积神经网络模型,从网络结构、超参数空间以及参数优化方面入手,构造了最优分类模型。该模型通过卷积层自主学习数据特征,解决了传统基于机器学习的流量分类算法中的特征选择问题。最后,通过CICAndmal2017网络公开数据集进行模型测试,相比于传统的机器学习流量分类模型,设计的卷积神经网络模型的查准率和查全率分别提高了2.93%和11.87%,同时在类精度、召回率以及F1分数方面都有较好的提升。     

基于随机森林算法的网络流量分类方法

精确的网络流量分类是实现互联网可控可管的关键,传统的单一分类算法需要构建基于特定假设的某种模型,算法对于待分类数据的分布要求高,不能满足复杂多变的网络流量的分类要求。基于此,采用多决策树组合的随机森林算法实现网络流量分类。通过实际网络流量数据实验表明,在各种情况下,随机森林算法都能显著改善网络流量特别是小比例样本的分类效果,算法降低了单一算法过于依赖特定假设模型的要求,对于待分类样本的分布要求低,随机森林算法具有良好的分类效果和鲁棒性。     

一种基于半监督学习的应用层流量分类方法

基于应用层的流量分类在用户行为识别、网络带宽管理等方面有着十分重要的应用.将机器学习应用到应用层流量分类问题中.首先提出了一种基于熵函数的组合式特征选择算法,提取了5种TCP连接的特征.针对监督学习中无法识别新流量类型的问题,提出了一种基于半监督学习的流量分类算法.实验结果表明,算法的检测率优于Kmeans方法.在少量标记样本的情况下,随着未标记样本数增加,算法的检测率在增加.     

P2P网络聚合流量识别技术研究

对等体网络P2P（Peer-to-Peer）应用系统中对等体主机的行为特征与P2P业务流量特征多样化、复杂化,使得单纯利用一种典型特征的P2P流量分类技术的识别精度不高。文中提出了一种新的P2P流量多阶段识别方法,该方法根据P2P应用流量的一系列固有特征,可以从聚合网络流中识别P2P流量。通过实验表明,丈中所提出的方法P2P流识别精度可达99．7％,同时错误分类精度0．3％。     

网络背景流量的分类与识别分析研究

识别网络应用和分类相应流量的过程就是互联网流量分类,同时也是现代网络安全管理系统中最基本的。网络安全的基础技术就是流量分类,流量分类识别方法包括基于端口的预测方法和基于有效载荷的深度检测方法。文章从基于端口的识别分类和深度包检测的识别分类方面介绍了传统流量识别分类方法;进一步从数据及采集方法、有监督方法、半监督方法等方面分析了机器学习的识别分类。     

基于节点行为特征分析的网络流量分类方法

针对基于加密分组数据的网络流量分类问题,该文提出两种基于行为特征的分析方法。结合流量矩阵和网络结构熵技术,定义了出入度熵指数等参数用于描述节点间的连接行为和数据传输特征,并利用多个周期和时间尺度下的熵指数分析不同流量特征。通过可视图建网方法将流量序列转化为连接网络,利用网络结构相关参数分析流量中蕴含的节点间交互行为的差异。实验表明不同业务流量矩阵的熵指数变化趋势差别较大,而流量序列对应连接网络的聚集系数等存在明显差异。两种方法对于不同业务流量具有较好的分类效果。     

IP骨干网流量的自动化预测

高效、可靠的网络流量预测是网络规划、扩容建设的基础。互联网流量目前缺乏完备的理论模型,行业内大多根据工程实践特点,设计简化可操作的预测模型以满足IP网络规划需求。首先根据中国电信自身IP骨干网流量预测工作的需求及特点,使用时间序列分析的多因子回归模型和函数自适应模型对IP骨干网流量进行分析和预测,基于大量现网实际数据的仿真运算,对比两种模型的特点、优劣和适用场景,提出了一种预测模型选择和参数优化的原则和方法。在此基础上,构建了可以满足百千量级时间序列要求的自动化流量预测系统,极大简化并提升了流量预测工作的效率。最后,展望了未来IP流量预测工作的延展方向和关注重点。     

A federated semi-supervised learning approach for network traffic classification

The classification of network traffic, which involves classifying and identifying the type of network traffic, is the most fundamental step to network service improvement and modern network management. Classic machine learning and deep learning methods have widely adopted in the field of network traffic classification. However, there are two major challenges in practice. One is the user privacy concern in cross-domain traffic data sharing for the purpose of training a global classification model, and the other is the difficulty to obtain large amount of labeled data for training. In this paper, we propose a novel approach using federated semi-supervised learning for network traffic classification, in which the federated server and clients from different domains work together to train a global classification model. Among them, unlabeled data are used on the client side, and labeled data are used on the server side. The experimental results derived from a public dataset show that the accuracy of the proposed approach can reach 97.81%, and the accuracy gap between the federated learning approach and the centralized training method is minimal.     

Method of data cleaning for network traffic classification

Network traffic classification aims at identifying the application types of network packets. It is important for Internet service providers （ISPs） to manage bandwidth resources and ensure the quality of service for different network applications However, most classification techniques using machine learning only focus on high flow accuracy and ignore byte accuracy. The classifier would obtain low classification performance for elephant flows as the imbalance between elephant flows and mice flows on Internet. The elephant flows, however, consume much more bandwidth than mice flows. When the classifier is deployed for traffic policing, the network management system cannot penalize elephant flows and avoid network congestion effectively. This article explores the factors related to low byte accuracy, and secondly, it presents a new traffic classification method to improve byte accuracy at the aid of data cleaning. Experiments are carried out on three groups of real-world traffic datasets, and the method is compared with existing work on the performance of improving byte accuracy. Experiment shows that byte accuracy increased by about 22.31% on average. The method outperforms the existing one in most cases.     

Research of the traffic characteristics for the real time online traffic classification

Aiming at the hysteretic characteristics of classification problem existed in current internet traffic identification field,this paper investigates the traffic characteristic suitable for the on-line traffic classification,such as quality of service (QoS).By the theoretical analysis and the experimental observation,two characteristics (the ACK-Len ab and ACK-Len ba) were obtained.They are the data volume which first be sent by the communication parties continuously.For these two characteristics only depend on data’s total length of the first few packets on the flow,network traffic can be classified in the early time when the flow arrived.The experiment based on decision tree C4.5 algorithm,with above 97% accuracy.The result indicated that the characteristics proposed can commendably reflect behavior patterns of the network application,although they are simple.     

FlowAntEater: network traffic automatic signature generator

In the areas of traffic classification, the payload signature-based classification method–deep packet inspection (DPI) shows the highest performance in terms of preciseness, reliability and practicality. The usual way, however, obtaining signatures for DPI is analyzing network traffic payload and find signatures by hand, which means inefficient and a heavy burden for researchers. Therefore, the research on network traffic automatic signatures generation (NTASG), which helps administrators and researcher find network signatures, becomes important. In this paper, a software framework on NTASG is proposed which uses the K-means cluster algorithm to purity the traffic flow and contains a systematic signatures management algorithm, sig-tree. Also, the feasibility of our design choices was proved via experimental evaluation on the campus traffic trace.     

面向卫星网络的流量工程路由算法

针对卫星网络链路长时延、拓扑时变等特征,将链路传输时延引入并基于MPLS网络中源-目的节点对已知这一先验知识,提出了一种面向卫星网络的MPLS流量工程路由算法。该算法基于卫星网络时变拓扑模型的卫星拓扑快照,定义链路初始权重为链路剩余带宽、传输时延的综合函数,在为当前节点对建路时考虑其余节点对将来建路的可能需求计算链路的关键度,在此基础上通过链路权重的动态调整及延期选用实现流量工程,从而优化卫星网络的链路利用。实验表明,此算法在请求拒绝数、吞吐量、平均跳数及平均时延等方面性能都有较理想的提升。     

Semi-supervised internet network traffic classification using a Gaussian mixture model

With a dramatic increase in the number and variety of applications running over the internet, it is very important to be capable of dynamically identifying and classifying flows/traffic according to their network applications. Meanwhile, internet application classification is fundamental to numerous network activities. In this paper, we present a novel methodology for identifying different internet applications. The major contributions are: (1) we propose a Gaussian mixture model (GMM)-based semi-supervised classification system to identify different internet applications; (2) we achieve an optimum configuration for the GMM-based semi-supervised classification system. The effectiveness of these proposed approaches is demonstrated through experimental results.     

Skype‐Hunter: A real‐time system for the detection and classification of Skype traffic

In the previous years, Skype has gained more and more popularity, since it is seen as the best VoIP software with good quality of sound, ease of use and one that works everywhere and with every OS. Because of its great diffusion, both the operators and the users are, for different reasons, interested in detecting Skype traffic. In this paper we propose a real‐time algorithm (named Skype‐Hunter) to detect and classify Skype traffic. In more detail, this novel method, by means of both signature‐based and statistical procedures, is able to correctly reveal and classify the signaling traffic as well as the data traffic (calls and file transfers). To assess the effectiveness of the algorithm, experimental tests have been performed with several traffic data sets, collected in different network scenarios. Our system outperforms the ‘classical’ statistical traffic classifiers as well as the state‐of‐the‐art ad hoc Skype classifier. Copyright © 2011 John Wiley & Sons, Ltd.     

基于AdaBoost的组合网络流量分类方法

针对单一分类方法在训练样本不足的情况下对于小样本网络流分类效果差的特点,通过自适应增强(Adaptive Boosting,AdaBoost)算法进行流量分类。算法首先使用CFS(Correlation-based Feature Selection)特征选择方法从大量网络流特征中提取出少量高效的分类特征,在此基础上,通过AdaBoost算法组合决策树、关联规则和贝叶斯等5种单一分类方法实现流量分类。实际网络流量数据测试表明,基于AdaBoost的组合分类方法的准确率在所选的几种算法中是最高的,其能够达到98192%,且相对于单一的分类算法,组合流量分类方法对于小样本网络流的分类效果具有明显提升。     

基于IP/MPLS网络的动态业务流量矩阵测量模型

IP网络动态业务流量矩阵的测量是业务量工程研究中的一个难点,本文提出了一种面向IP/MPLS骨干网络的基于LSP级的动态业务流量矩阵测量模型。该模型能够获取网络边界处对应于每一条LSP的路径转发信息,并根据每一条LSP上的测量结果,计算得知全网的业务流量矩阵。文中证明该测量模型是可行的,并给出了相关的算法及其性能分析。模型的优点是测量只在网络边界处进行而不涉及网络核心,故引起的网络开销较小。另外模型所需的算法复杂度低,仿真结果显示测量模型是有效的。