Abstract
An accurate mapping of Internet traffic to applications can be important for a broad range of network management and measurement tasks, including traffic engineering, service differentiation, performance/failure monitoring and security. Traditional mapping approaches have become increasingly inaccurate because many applications use non-default or ephemeral port numbers, use well-known port numbers associated with other applications, change application signatures or use traffic encryption. In this paper we will demonstrate that multiscale traffic analysis based on multi-order wavelet spectrum can be used as a discriminator of Internet applications traffic profiles. By performing clustering analysis over the multiscale wavelet spectrum coefficients that are inferred from the measured traffic, the proposed methodology is able to efficiently differentiate different IP applications without using any payload information. This characteristic will allow the differentiation of traffic flows in unencrypted and encrypted scenarios. In order to compare the differentiating potential of different traffic application data, upload, download and joint upload and download flow statistics are considered to evaluate the identification approach for each selected protocol. Moreover, we also evaluate which timescales and spectrum orders are more relevant for the traffic differentiation. From the analysis of the obtained results we can conclude that the proposed methodology is able to achieve good identification results using a small set of timescales of a single order wavelet spectrum of a general raw traffic statistic.
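The idea summarized in the abstract, as an added sketch that is not the authors' code: per-timescale wavelet energy of a packet-count series is used as a payload-free feature vector and then clustered. The Haar wavelet, the second-order energy-share normalization, k-means with farthest-point seeding, the synthetic "chatty" and "bulk" flows and all function names are assumptions made for this illustration.

```python
import math
import random

def haar_spectrum(series, n_scales):
    """Share of Haar detail energy at each dyadic timescale 1..n_scales."""
    approx, energy = list(series), []
    for _ in range(n_scales):
        pairs = list(zip(approx[0::2], approx[1::2]))
        detail = [(a - b) / math.sqrt(2) for a, b in pairs]
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
        energy.append(sum(d * d for d in detail) / len(detail))
    total = sum(energy) or 1.0
    return [e / total for e in energy]

def kmeans(points, k=2, iters=20):
    """Lloyd's algorithm with deterministic farthest-point seeding."""
    dist = lambda p, q: sum((a - b) ** 2 for a, b in zip(p, q))
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(dist(p, c) for c in centers)))
    for _ in range(iters):
        labels = [min(range(k), key=lambda i: dist(p, centers[i])) for p in points]
        for i in range(k):
            members = [p for p, l in zip(points, labels) if l == i]
            if members:
                centers[i] = [sum(col) / len(members) for col in zip(*members)]
    return labels

def synthetic_flow(kind, seed, n=512):
    """Constructed packets-per-interval series; no payload, no ports."""
    rng = random.Random(seed)
    if kind == "chatty":   # rate flips every sampling interval
        base = [10 + 5 * (-1) ** t for t in range(n)]
    else:                  # "bulk": 16 intervals on, 16 intervals off
        base = [50 if (t // 16) % 2 == 0 else 0 for t in range(n)]
    return [b + rng.uniform(0, 2) for b in base]

def cluster_flows():
    """Cluster three constructed flows of each kind on their spectra."""
    kinds = ["chatty"] * 3 + ["bulk"] * 3
    feats = [haar_spectrum(synthetic_flow(k, s), 6) for s, k in enumerate(kinds)]
    return kinds, kmeans(feats, k=2)

if __name__ == "__main__":
    for kind, label in zip(*cluster_flows()):
        print(kind, "-> cluster", label)
```

The two constructed profiles concentrate their energy at different timescales (scale 1 versus scale 5), which is what lets the clustering separate them from volume counts alone.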
Cite this article
Rocha, E., Salvador, P. & Nogueira, A. Can multiscale traffic analysis be used to differentiate Internet applications?. Telecommun Syst 48, 19–30 (2011). https://doi.org/10.1007/s11235-010-9331-1
DOI: https://doi.org/10.1007/s11235-010-9331-1