Similar literature
20 similar documents found (search time: 15 ms)
1.
An accurate mapping of Internet traffic to applications can be important for a broad range of network management and measurement tasks, including traffic engineering, service differentiation, performance/failure monitoring and security. Traditional mapping approaches have become increasingly inaccurate because many applications use non-default or ephemeral port numbers, use well-known port numbers associated with other applications, change application signatures or use traffic encryption. In this paper we will demonstrate that multiscale traffic analysis based on multi-order wavelet spectrum can be used as a discriminator of Internet applications traffic profiles. By performing clustering analysis over the multiscale wavelet spectrum coefficients that are inferred from the measured traffic, the proposed methodology is able to efficiently differentiate different IP applications without using any payload information. This characteristic will allow the differentiation of traffic flows in unencrypted and encrypted scenarios. In order to compare the differentiating potential of different traffic application data, upload, download and joint upload and download flow statistics are considered to evaluate the identification approach for each selected protocol. Moreover, we also evaluate which timescales and spectrum orders are more relevant for the traffic differentiation. From the analysis of the obtained results we can conclude that the proposed methodology is able to achieve good identification results using a small set of timescales of a single order wavelet spectrum of a general raw traffic statistic.

2.
As a special type of denial of service (DoS) attack, TCP‐targeted low‐rate denial of service (LDoS) attacks have the characteristics of low average rate and strong concealment, so it is difficult to identify such attack traffic. As multifractal characteristics exist in network traffic, a new identification approach based on wavelet transform and combined neural network is proposed to classify normal network traffic and LDoS attack traffic. Wavelet energy spectrum coefficients extracted from the sampled traffic are used for multifractal analysis of traffic over different time scales. The combined neural network is designed to classify these multiscale spectrum coefficients that show different multifractal characteristics belonging to normal network traffic and LDoS attack traffic. Results of test‐bed experiments indicate that the proposed approach can identify LDoS attack traffic accurately.

3.
杜敏  陈兴蜀  谭骏 《中国通信》2013,10(2):89-97
Internet traffic classification plays an important role in network management. Many approaches have been proposed to classify different categories of Internet traffic. However, these approaches have specific usage contexts that restrict their ability when they are applied in the current network environment. For example, the port based approach cannot identify network applications with dynamic ports; the deep packet inspection approach is invalid for encrypted network applications; and the statistical based approach is time-consuming. In this paper, a novel technique is proposed to classify different categories of network applications. The port based, deep packet inspection based and statistical based approaches are integrated as a multistage classifier. The experimental results demonstrate that this approach has a high recognition rate of up to 98% and good real-time performance for traffic identification.

4.
Aiming at the problem that a large number of unknown protocols exist in the Internet, which makes it very difficult to manage and maintain network security, a classification and identification method for unknown protocols was proposed. Combining autoencoder technology with improved K-means clustering technology, unknown protocols in the network traffic were classified and identified. The autoencoder was used to reduce dimensionality and select features of network traffic, clustering technology was used to classify the dimensionality-reduced data in an unsupervised manner, and finally unsupervised recognition and classification of network traffic were realized. Experimental results show that the classification effect is better than the traditional K-means, DBSCAN and GMM algorithms, and has higher efficiency.

5.
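To effectively locate, identify and extract transient anomaly features in network traffic sequences, and in view of the disturbance-like and transient nature of anomalous network traffic features, a feature extraction algorithm is proposed that combines wavelet decomposition with principal-component feature optimization tracking on a binary classification and regression decision tree. A decision tree model is built from the training set, and the binary classification and regression decision tree model is used to model principal-component feature optimization tracking. Exploiting the sensitivity to transient disturbance features of the detail signals at each level of a biorthogonal lifting wavelet decomposition, the detail signals at each level are obtained by wavelet decomposition, and the singular value decomposition features of the extracted wavelet detail signals are fed back into the decision tree principal-component feature optimization tracking model, achieving the localization, extraction and identification of anomalous network traffic features. Simulation experiments show that the improved algorithm's anti-interference capability and resolution are significantly improved, the resolving power of the transient anomaly feature spectrogram is improved, and the anomaly feature distribution spectrum is clearly visible, demonstrating good feature extraction and state identification performance.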

6.
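As the Internet security situation grows increasingly severe, a growing share of services is carried over encrypted traffic, and supervising encrypted traffic has become a challenge. To address the difficulty of supervising encrypted traffic, an encrypted traffic behavior analysis system is proposed. Based on the traffic characteristics of encrypted services and using machine learning algorithms, the system can analyze traffic behavior without decrypting the network traffic, achieving identification and classification of encrypted traffic; the system was also tested experimentally. The test results show that the system can discover attack behavior, malicious behavior and illegal encryption behavior hidden in encrypted traffic, which is of great significance for security personnel in grasping the network security situation and discovering network anomalies.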

7.
As a special type of distributed denial of service (DDoS) attack, low-rate DDoS (LDDoS) attacks have the characteristics of low average rate and strong concealment; thus, it is hard to detect such attacks by traditional approaches. Through signal analysis, a new identification approach based on wavelet decomposition and a sliding detecting window is proposed. Wavelet decomposition extracted from the traffic is used for multifractal analysis of traffic over different time scales. The sliding window from flow control technology is designed to identify the normal and abnormal traffic in real time. Experimental results show that the proposed approach has advantages in detection accuracy and timeliness.

8.
Accurate and real‐time classification of network traffic is significant to a number of network operation and management tasks such as quality of service differentiation, traffic shaping and security surveillance. However, with emerging P2P applications using dynamic port numbers, IP masquerading techniques and payload encryption, accurate and intelligent traffic classification continues to be a big challenge despite a wide range of research work on the topic. Since each classification method has its disadvantages and can hardly meet the specific requirements of Internet traffic classification, this paper innovatively presents a composite traffic classification system. The proposed lightweight system can accurately and effectively identify Internet traffic with good scalability to accommodate both known and unknown/encrypted applications. Furthermore, it promises to satisfy various Internet uses and is feasible for use in real‐time line speed applications. Our experimental results show the distinct advantages of the proposed classification system. Copyright © 2009 John Wiley & Sons, Ltd.

9.
This paper presents a systematic method for DDoS attack detection. A DDoS attack can be considered a system anomaly or misuse from which abnormal behavior is imposed on network traffic. Attack detection can be performed via abnormal behavior identification. Network traffic characterization with behavior modeling could be a good indication of attack detection. Aggregated traffic has been found to be strongly bursty across a wide range of time scales. Wavelet analysis is able to capture complex temporal correlation across multiple time scales with very low computational complexity. We utilize energy distribution based on wavelet analysis to detect DDoS attack traffic. Energy distribution over time will have limited variation if the traffic keeps its behavior over time (i.e. attack-free situation) while an introduction of attack traffic in the network will elicit significant energy distribution deviation in a short time period. Our experimental results with a typical Internet traffic trace show that energy distribution variance markedly changes, causing a spike when traffic behaviors are affected by a DDoS attack. In contrast, normal traffic exhibits a remarkably stationary energy distribution. In addition, this spike in energy distribution variance can be captured in the early stages of an attack, far ahead of congestion build-up, making it an effective detection of the attack.

10.
Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn out to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by the variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

11.
田妮莉  喻莉 《电子与信息学报》2008,30(10):2499-2502
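This paper proposes a wide area network (WAN) traffic prediction model based on the wavelet transform and FIR neural networks. First, wavelet decomposition is used to decompose the network traffic data into wavelet coefficients and scaling coefficients, i.e. high-frequency and low-frequency coefficients. The coefficients of these different frequency components are each reconstructed, by single-branch reconstruction, into high-frequency and low-frequency traffic components; FIR neural networks are used to predict each of these components separately, and the combined result is taken as the prediction of the original network traffic. Experimental results show that, when the model is used to predict real WAN traffic data, it not only converges quickly but also predicts much better than existing wavelet neural networks and FIR neural networks.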

12.
Various traffic identification methods have been proposed with the focus on application‐level traffic analysis. Header signature–based identification using the 3‐tuple (Internet Protocol address, port number, and L4 protocol) within a packet header has garnered a lot of attention because it overcomes the limitations faced by the payload‐based method, such as encryption, privacy concerns, and computational overhead. However, header signature–based identification does have a significant flaw in that the volume of header signatures increases rapidly over time as a number of applications emerge, evolve, and vanish. In this article, we propose an efficient method for header signature maintenance. Our approach automatically constructs header signatures for traffic identification and only retains the most significant signatures in the signature repository to save memory space and to improve matching speed. For the signature maintenance, we define a new metric, the so‐called signature weight, that reflects its potential ability to identify traffic. Signature weight is periodically calculated and updated to adapt to the changes of network environment. We prove the feasibility of the proposed method by developing a prototype system and deploying it in a real operational network. Finally, we prove the superiority of our signature maintenance method through comparison analysis against other existing methods on the basis of various evaluation metrics.

13.
Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn out to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by the variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach. Communication author: Li Jun, born in 1971, female, Ph.D. candidate, Associate Professor. Nanjing University of Posts and Telecommunications, Nanjing 210003, China.

14.
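Network Protocol Identification Based on Active Learning and the SVM Method   Total citations: 1, self-citations: 0, citations by others: 1
Acquiring and labeling data flows of unknown network protocols relies mainly on domain experts. However, as the volume of sample data grows, the manual cost comes to exceed the workload that can actually be borne. A novel method for identifying unknown network protocols is proposed. Based on an active learning algorithm, the method identifies unknown network protocols effectively using only the payload portion of the raw network data flows. Experimental results show that an identification system designed with this method can effectively reduce the number of samples labeled during learning while maintaining identification accuracy and recall, making it better suited to real network application environments.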

15.
A multipath routing mechanism is vital for reliable packet delivery, load balance, and flexibility in the open network because its topology is dynamic and the nodes have limited capability. This article proposes a new multipath switch approach based on traffic prediction according to some characteristics of open networks. We use a wavelet neural network (WNN) to predict the node traffic because the method has not only the good approximation property of wavelets, but also the self-learning adaptive quality of neural networks. When the traffic prediction indicates that the primary path is a failure, the alternate path will be occupied promptly according to the switch strategy, which can save time for the switch in advance. The simulation results show that the presented traffic prediction model has better prediction accuracy, and that the approach based on the above model can balance network load, prolong network lifetime, and decrease the overall energy consumption of the network.

16.
顾玥  李丹  高凯辉 《电信科学》2021,37(3):105-113
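With the continuous development of Internet technology and the continuous expansion of network scale, application categories have become numerous and complex, and new applications keep emerging. To guarantee users' quality of service (QoS) and ensure network security, accurate and fast traffic classification is a problem that operators and network administrators urgently need to solve. First, the problem definition and performance metrics of network traffic classification are given. Then, traffic classification methods based on machine learning and on deep learning are introduced in turn, their advantages and disadvantages are analyzed, and the problems that remain are described. Next, related work is described and analyzed around three problems encountered when deploying traffic classification online: the dataset problem, the new-application identification problem and the deployment overhead problem, and the challenges currently facing network traffic classification research are further discussed. Finally, future research directions for network traffic classification are outlined.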

17.
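The wavelet transform is used to process the radiated noise of underwater vessels; the wavelet subband energies of the vessel radiated noise are extracted as target features and combined with a BP neural network classifier to classify targets. Extensive simulation experiments verify that this classification method, which uses wavelet subband energy as the target feature and a BP neural network as the classifier to identify targets, is effective and has good prospects for engineering application.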

18.
The pervasive game environments have activated explosive growth of the Internet over recent decades. Thus, understanding Internet traffic characteristics and precise classification have become important issues in network management, resource provisioning, and game application development. Naturally, much attention has been given to analyzing and modeling game traffic. Little research, however, has been undertaken on the classification of game traffic. In this paper, we perform an interpretive traffic analysis of popular game applications at the transport layer and propose a new classification method based on a simple decision tree, called an alternative decision tree (ADT), which utilizes the statistical traffic characteristics of game applications. Experimental results show that ADT precisely classifies game traffic from other application traffic types with limited traffic features and a small number of packets, while maintaining low complexity by utilizing a simple decision tree.

19.
Peer‐to‐peer (P2P) traffic identification is currently an important challenge to network management and measurement. Many approaches based on statistics have been proposed to identify P2P traffic. However, flow features extracted by traditional methods are rough and one‐sided, which might lead to inaccurate identification of network traffic. Besides, P2P traffic has too many statistical features, which is a challenge to the time complexity and space complexity of the classifier. This work focuses on the study of flow features. First, micro features of flow signals are extracted based on wavelet packet decomposition, and we combine them with the traditional features into combination features. The experimental results show that combination features have better performance than traditional features for P2P traffic identification, and 16 kinds of wavelet functions were tested to find the best one. Second, a feature reduction algorithm based on improved kernel principal component analysis is provided. The results show that the feature reduction algorithm proposed in this paper performs well for P2P traffic identification, because it could greatly reduce the number of features while having no effect on identification accuracy. Copyright © 2012 John Wiley & Sons, Ltd.

20.
Classification of network traffic using port-based or payload-based analysis is becoming increasingly difficult when many applications use dynamic port numbers, masquerading techniques, and encryption to avoid detection. In this article, an approach is presented for online traffic classification relying on the observation of the first n packets of a transmission control protocol (TCP) connection. Its key idea is to utilize the properties of the observed first ten packets of a TCP connection and the Bayesian network method to build a classifier. This classifier can classify TCP flows dynamically as packets pass through it by deciding whether a TCP flow belongs to a given application. The experimental results show that the proposed approach performs well in online Internet traffic classification and that it is superior to the naive Bayesian method.
