DOI: 10.1145/1177080.1177123

Unexpected means of protocol inference

Published: 25 October 2006

Abstract

Network managers are inevitably called upon to associate network traffic with particular applications. Indeed, this operation is critical for a wide range of management functions ranging from debugging and security to analytics and policy support. Traditionally, managers have relied on application adherence to a well established global port mapping: Web traffic on port 80, mail traffic on port 25 and so on. However, a range of factors - including firewall port blocking, tunneling, dynamic port allocation, and a bloom of new distributed applications - has weakened the value of this approach. We analyze three alternative mechanisms using statistical and structural content models for automatically identifying traffic that uses the same application-layer protocol, relying solely on flow content. In this manner, known applications may be identified regardless of port number, while traffic from one unknown application will be identified as distinct from another. We evaluate each mechanism's classification performance using real-world traffic traces from multiple sites.



    Published In

    IMC '06: Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
    October 2006
    356 pages
    ISBN:1595935614
    DOI:10.1145/1177080
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. application signatures
    2. network data mining
    3. protocol analysis
    4. relative entropy
    5. sequence analysis
    6. statistical content modeling
    7. traffic classification

    Qualifiers

    • Article

    Conference

    IMC06: Internet Measurement Conference
    October 25 - 27, 2006
    Rio de Janeiro, Brazil

    Acceptance Rates

    Overall Acceptance Rate 277 of 1,083 submissions, 26%


    Cited By

    • (2023) A Survey on SDN and SDCN Traffic Measurement: Existing Approaches and Research Challenges. Eng, 4:2 (1071-1115). DOI: 10.3390/eng4020063. Online publication date: 6-Apr-2023
    • (2023) Moving-Target-Defense based Security Mechanisms: A System Management Perspective. 2023 15th International Conference on COMmunication Systems & NETworkS (COMSNETS) (13-18). DOI: 10.1109/COMSNETS56262.2023.10041246. Online publication date: 3-Jan-2023
    • (2023) A Feasible and Explainable Network Traffic Classifier Utilizing DistilBERT. IEEE Access, 11 (70216-70237). DOI: 10.1109/ACCESS.2023.3293105. Online publication date: 2023
    • (2022) Subspace clustering via graph auto-encoder network for unknown encrypted traffic recognition. Cybersecurity, 5:1. DOI: 10.1186/s42400-022-00131-y. Online publication date: 3-Dec-2022
    • (2022) A Review on Machine Learning Strategies for Real-World Engineering Applications. Mobile Information Systems, 2022. DOI: 10.1155/2022/1833507. Online publication date: 1-Jan-2022
    • (2022) Predicting IPv4 services across all ports. Proceedings of the ACM SIGCOMM 2022 Conference (503-515). DOI: 10.1145/3544216.3544249. Online publication date: 22-Aug-2022
    • (2022) Enabling passive measurement of zoom performance in production networks. Proceedings of the 22nd ACM Internet Measurement Conference (244-260). DOI: 10.1145/3517745.3561414. Online publication date: 25-Oct-2022
    • (2022) Network Traffic Content Identification Based on Time-Scale Signal Modeling. IEEE Transactions on Dependable and Secure Computing (1-19). DOI: 10.1109/TDSC.2022.3186665. Online publication date: 2022
    • (2021) Identification of Private ICS Protocols Based on Raw Traffic. Symmetry, 13:9 (1743). DOI: 10.3390/sym13091743. Online publication date: 19-Sep-2021
    • (2021) Nominate of significant features for unknown internet traffic applications filtering based on a neural network algorithm. International Journal of ADVANCED AND APPLIED SCIENCES, 8:2 (106-116). DOI: 10.21833/ijaas.2021.02.015. Online publication date: Feb-2021
