
IEEE Communications Magazine • July 2011 • 0163-6804/11/$25.00 © 2011 IEEE

INTRODUCTION

Understanding traffic behavior is an important part of network operations and management. A decade of research on traffic classification has provided various techniques to identify types of traffic information. As the Internet continuously evolves in scope and complexity, its traffic characteristics are also changing in terms of traffic composition and volume. Peer-to-peer (P2P) and multimedia traffic applications have rapidly grown in popularity, and their traffic occupies a great portion of the total Internet traffic volume these days. Kim et al. [1] have shown that P2P applications generate a substantial volume in enterprise networks. In 2008, a study by a Japanese Internet service provider (ISP) [2] observed that a significant portion of P2P traffic is recently being replaced by multimedia and web traffic. In particular, a newer generation of P2P applications incorporates various obfuscation strategies, such as ephemeral port allocation and proprietary protocols, to avoid detection and filtering. A popular communication application like Skype eludes detection by payload encryption or plain-text ciphers [3]. The dynamic nature of Internet traffic adversely affects the accuracy of traffic classification and makes it a more challenging task.

The previous studies have discussed various classification methodologies (e.g., well-known port number matching, payload contents analysis, machine learning, etc.). Many variants of such methodologies have been introduced continuously to improve the classification accuracy and efficiency. However, it is extremely difficult for any method to claim 100 percent accuracy due to the fast-changing and dynamic nature of Internet traffic. The classification accuracy is also questionable since there is often no ground truth dataset available. In another respect, each research effort aims at a different level of classification. Some only had a coarse classification goal such as classifying traffic protocol or application type, while others had a more detailed classification goal such as identifying the exact application name. Therefore, it is often unfair to cross-compare each classification method in terms of accuracy. To overcome this issue, we need to investigate how we can provide more meaningful information with such limited traffic classification results rather than focusing on improving classification accuracy by 1 or 2 percent.

This article proposes the concept of fine-grained traffic classification. A single application typically has several functions, and each function triggers unique traffic characteristics. Fine-grained traffic classification can classify the various types of traffic that are generated by a single application. We investigated existing traffic classification studies in terms of classification schemes rather than classification methods. While previous studies focused on classification methods, we have focused on the classification output itself. By analyzing the output categories of the other classification research, we propose a new traffic classification scheme. We also present an example of fine-grained traffic classification by applying it to real P2P application traffic.

The organization of the article is as follows. We present our related work and our motivation for fine-grained traffic classification. We explain our proposed method, which utilizes a text retrieval technique. We then describe our experiments with the real-world traffic dataset. Finally, concluding remarks and possible future work are discussed.

ABSTRACT

A decade of research on traffic classification has provided various methodologies to investigate the traffic composition in data communication networks. Many variants or combinations of such methodologies have been introduced continuously to improve the classification accuracy and efficiency. However, the level of classification detail is often bounded to identifying protocols or applications in use. In this article, we propose a fine-grained traffic classification scheme based on the analysis of existing classification methodologies. This scheme allows traffic to be classified according to the functionalities in an application. In particular, we present a traffic classifier which utilizes a document retrieval technique and applies multiple signatures to detect peer-to-peer application traffic according to the different functionalities in it. We show that the proposed scheme can provide more in-depth classification results for analyzing user contexts.

TOPICS IN NETWORK AND SERVICE MANAGEMENT

Byungchul Park and James Won-Ki Hong, POSTECH

Young J. Won, Internet Initiative Japan

Toward Fine-Grained Traffic Classification


BACKGROUND

In this section, we describe different traffic classification research according to the level of classification requirements and its analysis capability.

RELATED WORK

Application Protocol Breakdown Scheme — Traffic classification is a process of identifying network traffic based on the features that can be passively observed in the traffic. The features and classification results may vary according to specific classification requirements and analysis needs. In the early days, traffic classification was performed as part of traffic characterization work, often motivated by the dominance of a certain protocol in a network. Several studies [4, 5] analyzed the packet and byte distributions regarding transport and application layer protocols, with TCP/UDP port numbers mapped to well-known application protocols. The application protocol breakdown scheme shows a rough estimation of the traffic composition and is still a popular solution at the Internet backbone because of its high and even increasing traffic volumes and limited computing resources for traffic analysis.

Borgnat et al. [2] showed that a significant portion of P2P traffic is replaced by multimedia and Web traffic by analyzing longitudinal traffic characteristics of trans-Pacific backbone links. Although they aggregated the P2P traffic with other unknown protocols, they also utilized well-known port numbers for application protocol breakdown.

Traffic Clustering Scheme — Straightforward classification approaches (e.g., protocol or port-based) cannot provide in-depth classification of similar traffic types generated by different protocols. The traffic clustering scheme refers to traffic workload characteristics rather than protocol traffic decomposition. McGregor et al. [6] proposed a machine learning-based classification method which can break traffic down into clusters: bulk transfer, small transactions, and multiple transactions. It allows us to understand the major types of traffic in a network.

Application Breakdown Scheme — The dominance of P2P traffic in the Internet has had a huge influence on traffic classification research and led to more sophisticated heuristics. In this context, many researchers have focused on identifying the exact application represented by the traffic. Discovering byte signatures [7] has been a popular solution. Regardless of its proven accuracy, the signature-based solution possesses high processing overhead and privacy-breaching issues because it requires packet header and payload inspection. Recently, machine learning techniques which use statistical information of the transport layer [8] have been introduced to overcome privacy legislation related to packet payload inspection. They focus on the fact that different applications have different communication patterns (behaviors). Moreover, Szabo et al. [9] introduced combinations of these existing methods in order to balance between the level of classification completeness and accuracy. All these efforts focused on classifying network traffic according to the name of the application in use.

Application-Type Breakdown Scheme — BLINC [10] is a connection pattern-based classification method. The idea behind BLINC is to investigate the communication pattern generated by a host and extract behavioral patterns which may represent distinct activities or applications. It categorizes network traffic according to application type rather than a specific application name, such as Web, game, chat, P2P, streaming, mail, and attack activities. This scheme resides between the former two schemes.

MOTIVATION

Figure 1 shows different traffic classification schemes according to their classification level. The application protocol breakdown scheme presents network traffic as different protocols rather than application types or names. For example, all ftp traffic is classified under the ftp protocol group although there are many distinct ftp client programs, since all clients employ the same ftp protocol for data transfer. The traffic clustering scheme was proposed from a different perspective on traffic classification. While application protocol breakdown focuses on identifying a certain protocol, the clustering scheme can capture common characteristics shared among distinct applications using a single protocol or multiple protocols. In addition, the application breakdown scheme can provide more detailed classification results, especially for P2P applications. It would classify distinct application names even if the corresponding traffic is generated from the same protocol. For example, there are many descendant applications which use the BitTorrent protocol. While the application protocol breakdown scheme cannot distinguish the traffic generated by different BitTorrent clients, the application breakdown scheme can classify the traffic according to the exact client name represented by the traffic.

The application-type breakdown scheme resides between the traffic clustering and application protocol breakdown schemes in terms of classification level. It characterizes the traffic based on connection patterns or host profiles and classifies it into various application types, such as Web, game, chat, P2P, streaming, mail, and security attack activities. One application type can be a superset of both applications and application protocols.

Fine-grained traffic classification can classify the various types of traffic which are generated by a single application. As shown in Fig. 1, a single application typically has several functions, and each function triggers a unique traffic characteristic. While top-n protocol or application analysis is possible with the other schemes, our scheme enables new analysis categories, such as the average browsing time to initialize a file download and the popular functions in use among users. It is also a tool to analyze user behavior and design future applications in the Internet. When it is applied to Web traffic, analyzing the most popular function of the Web site (e.g., Facebook) is also possible. This will extend traffic classification research from network-administration-oriented research to user-context-dependent research.

FINE-GRAINED TRAFFIC CLASSIFICATION

A key to fine-grained traffic classification is how to categorize single-application traffic into different traffic groups. It is quite similar to the traditional traffic classification problem except for the degree of classification detail. Accordingly, various existing methods can be applied to this classification scheme. Most of them use a classifier per application or protocol.

We simplify the fine-grained traffic classification problem as follows: build arbitrary classifiers (e.g., application signature, connection behavior model, statistical model) per application, where each classifier corresponds to a distinct function in the application. Among many classifiers, we have selected the signature as the classifier because a lot of previous work has demonstrated that the signature-based approach is by far the most reliable in terms of accuracy. Even some statistical approaches have used signatures as the ground truth for validation [8]. In addition, it is convenient to apply new fine-grained signatures in existing traffic classification systems, and commercial traffic shapers and intrusion detection devices utilize application signatures for their classification.

Our methodology for fine-grained traffic classification consists of three parts:

1. Input data collection
2. Extraction of fine-grained signatures
3. Traffic classification using fine-grained signatures

This article focuses on generating fine-grained classifiers (steps 1 and 2). For signature extraction, we used our previous work, the LASER algorithm [3], which can generate an application signature automatically. Step 1 is not part of the actual signature extraction; however, it is crucial for the entire signature generation process because the input data for the LASER algorithm directly affects the reliability of the signature.

Figure 1. Traffic classification schemes according to different classification levels. [Figure: a layered diagram from the IP and transport layers up through application protocols 1..n (application protocol breakdown), application types 1..t (application-type breakdown), applications 1..m (application breakdown), and the functions 1..k of a single application, e.g., login, searching, downloading (fine-grained classification); traffic clustering is placed at the transport layer.]

INPUT DATA COLLECTION

The LASER algorithm requires a sanitized packet collection as its input data. The sanitized raw packets refer to the packets belonging to the target application only. We have developed a continuous packet dump agent using Libpcap to collect the packet trace for every running process in the OS. The collecting agent divides the sanitized packets according to each flow and stores them in a separate packet dump file tagged with the origin process name. It is important to keep the datasets separate according to each flow and process name because it can reduce unnecessary packet comparison overhead in the pattern extraction step. If the given dataset is a mixture of many different applications, it may be difficult to discover a common pattern. Such a design decision is necessary to guarantee the efficiency and accuracy of signature extraction; thus, we remove any uncertainty about the traffic being fed to the signature extraction algorithm.

It increases the possibility of finding a reliable application signature to extract it from similar traffic types in the pool of sanitized traffic. As many functions are embedded in network applications, an application generates different types of traffic according to its function or purpose. For example, a P2P application has various functions such as login, searching, downloading, advertisement, and chatting. In some cases, even Web browsing is included. In order to resolve this issue, we developed a fine-grained flow classifier that could group sanitized flows into several subtypes according to traffic type.

Figure 2 illustrates the workflow of the input data collection process. When n different applications are running on a host, each application executes m_i different functional modules (the subscript i indicates that the value of m_i differs from application to application), and each module in an application generates different types of traffic. The traffic dump agent monitors the network interface continuously and captures all traffic data passing through the network interface. The agent aggregates the traffic data into flows and stores each flow in a separate file. Every flow is tagged with the application or process name acquired from the OS. The stored n groups of sanitized traffic, labeled with an application name, are fed into the fine-grained traffic classifier. The fine-grained traffic classifier classifies the sanitized traffic into m_i subcategories according to flow type. Finally, we can get n × m_i groups of flow data. Each group of flow data is used as input data for LASER. In this case, the number of LASER's outputs is n × m_i, and a single application can have at most m_i signatures. Most of the prior research on signature-based traffic classification used a single signature per application. However, this may lead to an increase in the false negative ratio as well. More details on the fine-grained traffic classifier are in the upcoming section.

TRAFFIC CLASSIFIER

In order to build the fine-grained traffic classifier, we adopted a document retrieval technique [11] which is one of the main research areas in the natural language processing field. The idea behind document retrieval is that the similarity between documents can be measured by the frequency of keywords in the documents. We have defined several terms to apply document similarity to traffic classification. The following provides our payload vector conversion, vector comparison, and flow comparison methodologies.

Figure 2. Input data collection process. [Figure: on a host, applications 1..n each run function modules 1..m (e.g., login, searching, downloading); the traffic dump agent captures traffic at the network interface together with process information and writes separated packet dump files (the sanitized traffic trace); the fine-grained traffic classifier then splits each application's trace into traffic types 1..m_i (e.g., login, searching, downloading), producing the fine-grained traffic trace.]

Payload Vector Conversion — To represent network traffic as a text document, we used vector space modeling (VSM). VSM is an algebraic model which represents text documents as vectors. The objective of document retrieval is to find a subset of documents from a set of stored text documents D that satisfy certain information requests or queries Q. Consider a document space consisting of documents D_i, each identified by one or more index terms T_j; the terms may be weighted according to their importance [11]. A typical way to determine the significance of a term is measuring the occurrence of the term T_j. When t different index terms are present in document D_i, each document D_i is represented by a t-dimensional term-frequency vector D_i = (d_i1, d_i2, ⋅⋅⋅, d_ij), where d_ij represents the frequency of the jth term. While text documents are composed of terms (words), which are units of language as a principal carrier of meaning, a packet does not have basic units containing certain meanings. To address this problem, we have defined the term of a payload as follows: a term is the payload data within an i-byte sliding window, where the position of the sliding window can be 1, 2, ⋅⋅⋅, n – i + 1 for an n-byte payload. The size of the term set is 2^(8×i), and the length of a term is i.

If the word length i is too short, the word cannot reflect the sequence of the byte patterns in the payload. In this case, we cannot recognize the differences among permutations of byte patterns, such as "0x01 0x02 0x03" and "0x03 0x01 0x02." If the word length is too long, the number of whole representative words increases exponentially. With this definition of a term, a packet can be represented as a term-frequency vector called a payload vector.

When w_i is the number of occurrences of the i-th term in a payload, the payload vector is

Payload Vector = [w_1 w_2 ⋅⋅⋅ w_n]^T,   (1)

where n is the size of the whole representative term set.

We set the sliding window size i to 2 because it is the simplest case for representing the order of content in payloads. When the term size is 2 bytes, the size of all terms is 2^16. Therefore, the payload vector is represented as a 2^16-dimensional term-frequency vector.

Payload Vector Comparison — Once packets are converted into vectors, the similarity between packets can be calculated by measuring the distance between vectors. We used Jaccard similarity [12] as a distance metric. In our previous work [13], we compared three different similarity metrics: Jaccard similarity, Cosine similarity, and RBF. Jaccard similarity showed the best performance without using any sophisticated techniques. The Jaccard similarity J(X, Y) uses word sets from the comparison instances to evaluate similarity. J(X, Y) is defined as the size of the intersection of the word sets divided by the size of the union of the sample sets X and Y:

J(X, Y) = |X ∩ Y| / |X ∪ Y|.   (2)

One strength of using Jaccard similarity instead of Euclidean distance is that the similarity value can be normalized and then the similarity calculated by the dot product, and it approaches one if the vectors are similar and zero otherwise. If two payload vectors are generated by different applications, the contents of each payload consist of distinct binary sequences and their vectors are also very different.

Flow Similarity Comparison — Formula 3 defines the payload flow matrix (PFM). The i-th row of a PFM is the payload vector of the i-th packet in the flow. The PFM is a k × n matrix, where k is the number of packets and n is the dimension of the payload vectors. The payload flow matrix (PFM) is

PFM = [p_1 p_2 ⋅⋅⋅ p_k]^T,   (3)

where each p_i is the payload vector defined in formula 1.

The similarity score between PFMs can be calculated by simple summation of the packet similarity values: Similarity Score = Σ_{i=1}^{k} J(p_i, p′_i), where p_i and p′_i are the i-th packets of the first and second flow, respectively.

Algorithm 1 describes the flow grouping process to generate fine-grained flows. The flow grouping procedure reads sanitized flows and groups them into flow groups based on similarity scores. If the flow group set is empty, the first flow f_1 creates a new flow group FG[0] (lines 5–6).

Algorithm 1. Flow grouping using similarity.

 1: procedure FLOW_GROUPING()
 2:   FG = {[ ], [ ], ⋅⋅⋅, [ ]}               // empty flow groups (each group consists of flows)
 3:   Flow = {f_1, f_2, ⋅⋅⋅, f_n}              // sanitized flows
 4:   while 1 ≤ i ≤ n do
 5:     if i = 1 then
 6:       FG[0] ← f_i
 7:     else
 8:       F = PFM(f_i)                         // convert flow into PFM
 9:       while 1 ≤ j ≤ number of flow groups do
10:         Similarity{} ← Similarity_Score(FG[j], F)
11:       end while
12:       if Max(Similarity) ≥ threshold then
13:         FG[Max index] ← f_i
14:       else
15:         FG ← f_i                           // create new flow group
16:       end if
17:     end if
18:   end while
19:   return FG
20: end procedure


Otherwise, the input flow is compared with the existing flow groups and inserted into the flow group which has the maximum flow similarity score (lines 10–12). When the maximum similarity score is less than the threshold, a new group is created, and flow f_i becomes a member of this new group (line 14). Our flow grouping is motivated by an unsupervised machine learning approach since it relies on unlabeled payload vectors to find natural groups, functional clusters in this context. On the contrary, the supervised approach requires pre-labeled datasets to construct a classifier for each cluster. It is difficult to determine the number of functionalities of an application in advance. Thus, unsupervised clustering is suitable for a fine-grained classifier which intends to identify functional characteristics.
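The following Python is an added example, not the authors' code: it carries the traffic classifier described above through in one piece, from the 2-byte sliding-window terms of formula 1 and the Jaccard similarity of formula 2 to the payload flow matrix, the per-packet similarity score and the grouping loop of Algorithm 1, run over constructed sample flows. The sample payloads, the threshold value and the rule for scoring a flow against a whole group are assumptions made here; the paper does not state them.

```python
"""Fine-grained flow grouping with payload vectors and Jaccard similarity.

Added example, not code from the paper. Implements the paper's 2-byte
sliding-window term definition (formula 1), Jaccard similarity between
payload term sets (formula 2), the payload flow matrix and per-packet
similarity score (formula 3), and the grouping loop of Algorithm 1.
The sample flows, the threshold and the group-vs-flow scoring rule are
constructed assumptions for illustration only.
"""
from collections import Counter
from typing import List

WINDOW = 2                          # sliding-window size i chosen in the paper
TERM_SET_SIZE = 2 ** (8 * WINDOW)   # 2^16 possible terms for i = 2


def payload_terms(payload: bytes, window: int = WINDOW) -> Counter:
    """Term-frequency vector of one payload.

    A term is the `window` bytes seen at positions 1 .. n-i+1 of an n-byte
    payload. The 2^16-dimensional vector is kept sparse as a Counter
    {term: occurrences}; term_index() gives the dense coordinate of a term.
    """
    return Counter(payload[k:k + window] for k in range(len(payload) - window + 1))


def term_index(term: bytes) -> int:
    """Dense coordinate of a term in the 2^(8*i)-dimensional payload vector."""
    return int.from_bytes(term, "big")


def jaccard(x: Counter, y: Counter) -> float:
    """J(X, Y) = |X ∩ Y| / |X ∪ Y| over the term sets of two payload vectors.

    Frequencies are ignored on purpose: the paper's Jaccard variant compares
    word sets. Two payloads without any term (e.g. pure ACKs) are treated as
    identical; that is an assumption, the paper does not cover such packets.
    """
    xs, ys = set(x), set(y)
    union = xs | ys
    return len(xs & ys) / len(union) if union else 1.0


def payload_flow_matrix(flow: List[bytes]) -> List[Counter]:
    """PFM: the i-th row is the payload vector of the i-th packet of the flow."""
    return [payload_terms(packet) for packet in flow]


def similarity_score(pfm_a: List[Counter], pfm_b: List[Counter]) -> float:
    """Similarity Score = sum over i=1..k of J(p_i, p'_i), packet by packet.

    Flows of unequal length are compared over the packets they have in
    common (assumption; the paper compares flows of k packets each).
    """
    return sum(jaccard(a, b) for a, b in zip(pfm_a, pfm_b))


def flow_grouping(flows: List[List[bytes]], threshold: float) -> List[List[int]]:
    """Algorithm 1: unsupervised grouping of sanitized flows by similarity.

    Returns FG as a list of groups, each group a list of flow indices.
    How a flow is scored against a group is not given in the paper; here the
    score is the best match against any member of that group (assumption).
    """
    pfms = [payload_flow_matrix(f) for f in flows]
    fg: List[List[int]] = []
    for i, pfm in enumerate(pfms):
        if not fg:                       # first flow opens FG[0]
            fg.append([i])
            continue
        scores = [max(similarity_score(pfms[m], pfm) for m in group) for group in fg]
        best = max(range(len(scores)), key=scores.__getitem__)
        if scores[best] >= threshold:    # join the most similar group
            fg[best].append(i)
        else:                            # otherwise create a new flow group
            fg.append([i])
    return fg


# Constructed sample: five sanitized two-packet flows of a hypothetical P2P
# client, mimicking login, search and download functions. Not real traffic.
SAMPLE_FLOWS = [
    [b"LOGIN user=alice pass=***", b"LOGIN-OK session=1"],
    [b"SEARCH q=ubuntu iso", b"RESULT count=12"],
    [b"LOGIN user=bob pass=***", b"LOGIN-OK session=2"],
    [b"SEARCH q=debian iso", b"RESULT count=7"],
    [b"GET /piece/0 \x00\x01\x02\x03", b"\x00\x01\x02\x03\x04\x05\x06\x07"],
]
# The score is a sum over 2 packets, so it lies in [0, 2]; 1.0 is a constructed
# threshold (the paper does not report the value it used).
THRESHOLD = 1.0


def group_sample_flows() -> List[List[int]]:
    """Group the constructed flows: login, search and download flows separate."""
    return flow_grouping(SAMPLE_FLOWS, THRESHOLD)


if __name__ == "__main__":
    for g, members in enumerate(group_sample_flows()):
        print(f"FG[{g}]: flows {members}")
```

With window 1 the two permuted byte strings from the text compare as identical, while with the paper's 2-byte window they do not, which is the ordering property the window size is chosen for.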

EXPERIMENTS

In this section, we provide fine-grained traffic classification results of two representative applications as validation of our proposed classification scheme. We selected P2P applications for verification because of their behavioral (or functional) complexity and popularity in the network. We feel that our selection of P2P applications strongly represents the complexity of Internet applications. First, we chose a regionally popular P2P application, called Fileguri, which provides multiple functions: web browsing, searching, downloading, messenger, and commercial advertisement. Second, BitTorrent, a globally favored application especially in Europe and the United States, provides mostly a downloading function. We generated each signature using the fine-grained classifier and LASER. To show the advantage of the fine-grained approach, we also analyze the average search count per user, which cannot be obtained by protocol or application breakdown schemes. For the dataset, we collected a full packet trace from our campus network: 3 hours (450 Gbytes) on 16 August, 2007. No port blocking or filtering policy was in effect at the time of measurement.

CLASSIFIER GENERATION PROCESS

To generate the input dataset (training data) for the fine-grained classifier, we ran our target application while the packet dump agent, described earlier, continuously captured the sanitized trace. Using this sanitized trace as input data, our fine-grained classifier groups flows into clusters. Since there is no ground truth from the perspective of an application's functionality, we manually analyzed the flows in each group. For Fileguri, it was possible to determine the functionality by examining the URI fields and requested objects in HTTP "GET" messages. After labeling each cluster with a functionality, LASER was applied to capture the common patterns shared by clusters. For BitTorrent, the fine-grained classifier grouped the sanitized traffic into nine clusters, which were seemingly many since BitTorrent is simply known for its download functionality. We examined the packet payload according to the BitTorrent protocol specification and labeled each cluster as downloading, tracker access 1, tracker access 2, distributed hash table (DHT) management 1, DHT management 2, and so on. Note that DHT management traffic is not generated by all available BitTorrent clients. It only applies to clients such as BitTorrent, μTorrent, Transmission, rTorrent, KTorrent, BitComet, and Deluge. However, LASER was not able to generate signatures for one of the six DHT clusters. So, we made a simple heuristic to detect that DHT management cluster, based on packet size and on the IP address which generates other BitTorrent traffic, as an alternative classifier.

CLASSIFICATION RESULTS

We classified our target application traffic using both fine-grained traffic classification and the traditional application breakdown method, which uses an application signature as a classifier. Figure 3 shows the traffic volume identified by fine-grained classification and application breakdown. There is about a 10–40 percent difference, where the fine-grained approach discovers more traffic than signature-based application breakdown in each hour. Figure 4 shows the functional decomposition of traffic. Note that we aggregated the two tracker access clusters and the six DHT management clusters into one functionality each for BitTorrent. The downloading portion is dominant (74 and 90 percent) and its volume is close to the volume identified by application breakdown. This implies that application breakdown, which employs signatures, is incapable of detecting anything other than downloading traffic. Moreover, the web browsing traffic of Fileguri occupies about 12–14 percent, and the same traffic is wrongfully classified as normal HTTP traffic by well-known port matching. It does not even appear under the signature-based method. While previous work has focused on detecting download traffic, it is worthwhile to highlight that the traffic volume of the other traffic in P2P applications is not negligible.

Figure 3. Traffic volume: fine-grained traffic classification vs. application breakdown: a) Fileguri; b) BitTorrent. [Plot: Mbytes vs. hours (1–3); series: signature (application breakdown), fine-grained traffic classification.]
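The DHT fallback heuristic described under Classifier Generation Process and the cluster-to-functionality aggregation behind Figure 4, as an added example that is not the article's code: flows already labeled by the signature classifier are used to collect BitTorrent hosts, unmatched small UDP flows of those hosts are labeled as DHT management, and the per-functionality byte share is computed. The cluster names, the DHT packet-size window, and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    pkt_bytes: int    # average packet size of the flow
    total_bytes: int
    label: str        # assumed cluster label from the signature classifier, "" if unmatched

# Assumed DHT packet-size window in bytes (not taken from the article).
DHT_MIN, DHT_MAX = 50, 400

def bittorrent_hosts(flows):
    """Hosts that already generated signature-matched BitTorrent traffic."""
    hosts = set()
    for f in flows:
        if f.label.startswith("bt-"):
            hosts.update((f.src, f.dst))
    return hosts

def label_dht_fallback(flows):
    """Label unmatched small UDP flows of known BitTorrent hosts as DHT management."""
    hosts = bittorrent_hosts(flows)
    for f in flows:
        if (f.label == "" and f.proto == "udp" and DHT_MIN <= f.pkt_bytes <= DHT_MAX
                and (f.src in hosts or f.dst in hosts)):
            f.label = "bt-dht"
    return flows

# Aggregate fine-grained clusters into functionalities, as Figure 4 does.
FUNCTIONALITY = {"bt-download": "downloading", "bt-tracker1": "tracker access",
                 "bt-tracker2": "tracker access", "bt-dht": "DHT management"}

def functional_share(flows):
    """Percent of BitTorrent bytes per functionality, rounded to one decimal."""
    vol = defaultdict(int)
    for f in flows:
        if f.label in FUNCTIONALITY:
            vol[FUNCTIONALITY[f.label]] += f.total_bytes
    total = sum(vol.values())
    return {k: round(100 * v / total, 1) for k, v in vol.items()} if total else {}

# Constructed sample flows (not real trace data).
SAMPLE = [
    Flow("10.0.0.5", "198.51.100.7", "tcp", 1400, 9000, "bt-download"),
    Flow("10.0.0.5", "198.51.100.9", "tcp", 300, 600, "bt-tracker1"),
    Flow("10.0.0.5", "203.0.113.3", "udp", 120, 300, ""),    # DHT-like, known host
    Flow("10.0.0.8", "203.0.113.4", "udp", 100, 200, ""),    # host has no BT traffic
    Flow("10.0.0.5", "203.0.113.5", "udp", 1200, 2400, ""),  # packets too large
]
```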

The ground truth was verified by the traffic measurement agent (TMA) [3]. It collects process and traffic information in allocation from the host operating system (OS) directly; thus, the information may be the closest possible ground truth available. While verifying the accuracy of the fine-grained approach against TMA, we found a small number of false positives and false negatives. We made a few interesting observations on the misclassified traffic portions. First, every false positive of Fileguri traffic was caused by an unclear boundary to the Web traffic. Although Fileguri provides a limited web browsing function by fixing the “user agent” as Mozilla, users can access the same websites via other Mozilla-based web browsers, such as Firefox, which also set the “user agent” as Mozilla. Second, a false negative is not caused by search or download functionality but by an update patch. Both P2P clients update copyrights and prohibited search keywords regularly. We could not easily capture this update traffic for sanitized traffic generation because of its temporal and sporadic communication behavior.

EXAMPLE OF USER BEHAVIOR ANALYSIS

We provide a simple user behavior analysis using fine-grained traffic classification results. With the fine-grained classification results, we can analyze the average search counts when a user initializes downloading in our packet trace. The ratio of searching to downloading in terms of transaction number was 56,392:1. We have empirically confirmed that the Fileguri client generated about 6,000 TCP transactions in a single keyword search. Thus, we conclude that a Fileguri user performs about 9.398 searches on average before downloading from the P2P network. The goal of this simple analysis is to provide the average searching counts of users. However, we believe that the fine-grained traffic classification has a much wider application.

CONCLUDING REMARKS

Various traffic classification methods have been suggested in order to offer better classification accuracy and information about traffic composition in target networks. In this article, we have proposed a new traffic classification scheme which can classify different traffic types within a single application. In particular, we have presented a fine-grained traffic classifier which utilizes a text retrieval technique and applies multiple signatures to detect P2P traffic according to different functionalities. Our proposed scheme can provide more in-depth classification results for analyzing user contexts. It also benefits network operators who need to view the detailed traffic composition of the network, and researchers who want to study user behavior.

For future work, we plan to analyze the flexibility of our approach by applying different classification methodologies instead of multiple signatures. We also plan to conduct various user behavior and context analyses based on fine-grained traffic classification.

Figure 4. Traffic composition of each functionality: a) Fileguri; b) BitTorrent. [Plot: percent vs. hours (1–3); Fileguri series: downloading, searching, messenger, web browsing, advertisement; BitTorrent series: downloading, tracker access, DHT management.]

ACKNOWLEDGMENTS

This research was supported by the World Class University (WCU) program through the National Research Foundation of Korea funded by the Ministry of Education, Science and Technology (R31-2010-000-10100-0) and the Korea Communications Commission (KCC) under the Novel Study on Highly Manageable Network and Service Architecture for the New Generation support program supervised by the Korea Communications Agency (KCA; KCA-2011-10921-05003).

REFERENCES

[1] M.-S. Kim, Y. J. Won, and J. W. Hong, “Characteristic Analysis of Internet Traffic from the Perspective of Flows,” J. Comp. Commun., vol. 29, no. 10, June 19, 2006, pp. 1639–52.

[2] P. Borgnat et al., “Seven Years and One Day: Sketching the Evolution of Internet Traffic,” IEEE INFOCOM 2009, Rio de Janeiro, Brazil, Apr. 19–25, 2009, pp. 711–19.

[3] B.-C. Park et al., “Towards Automated Application Signature Generation for Traffic Identification,” IEEE/IFIP NOMS 2008, Salvador, Bahia, Brazil, Apr. 7–11, 2008, pp. 160–67.

[4] K. Thompson, G. J. Miller, and R. Wilder, “Wide-Area Internet Traffic Patterns and Characteristics,” IEEE Network, vol. 11, no. 6, 1997, pp. 10–23.

[5] D. Moore et al., “The CoralReef Software Suite as a Tool for System and Network Administrators,” 15th USENIX Conf. System Administration, San Diego, CA, USA, Dec. 2001, pp. 133–44.

[6] A. McGregor et al., “Flow Clustering Using Machine Learning Techniques,” PAM Wksp. 2004, Antibes Juan-les-Pins, France, Apr. 19–20, 2004, pp. 205–14.

[7] S. Sen, O. Spatscheck, and D. Wang, “Accurate, Scalable In-Network Identification of P2P Traffic Using Application Signatures,” WWW Conf. 2004, New York, NY, USA, May 17–20, 2004, pp. 512–21.

[8] H. Kim et al., “Internet Traffic Classification Demystified: Myths, Caveats, and the Best Practices,” ACM CoNEXT Conf., Madrid, Spain, Dec. 9–12, 2008, pp. 1–12.

[9] G. Szabó, I. Szabó, and D. Orincsay, “Accurate Traffic Classification,” IEEE WOWMOM 2007, Helsinki, Finland, June 18–21, 2007, pp. 1–8.

[10] T. Karagiannis, K. Papagiannaki, and M. Faloutsos, “BLINC: Multilevel Traffic Classification in the Dark,” ACM SIGCOMM 2005, Philadelphia, PA, USA, Aug. 22–26, 2005, pp. 229–40.

[11] G. Salton, A. Wong, and C.-S. Yang, “A Vector Space Model for Automatic Indexing,” Commun. ACM, vol. 18, no. 11, 1975, pp. 613–20.

[12] L. Hamers et al., “Similarity Measures in Scientometric Research: The Jaccard Index Versus Salton’s Cosine Formula,” Info. Processing and Mgmt.: An Int’l. Journal, vol. 25, no. 3, May 1989, pp. 315–18.

[13] J. Y. Chung et al., “An Effective Similarity Metric for Application Traffic Classification,” IEEE/IFIP NOMS 2010, Osaka, Japan, Apr. 19–23, 2010, pp. 286–92.

BIOGRAPHIES

BYUNGCHUL PARK [S] ([email protected]) received his B.Sc. degree in computer science from POSTECH, Korea, in 2006. He is a Ph.D. student in the Department of Computer Science and Engineering, POSTECH. His research interests include Internet traffic measurement and analysis, and intelligent traffic classification.

YOUNG J. WON [M] ([email protected]) is a researcher at IIJ Research Laboratory, Tokyo, Japan. Prior to IIJ, he was a postdoctoral researcher at INRIA, France. He received his B.Math (2003) from the University of Waterloo, Canada, and M.S. (2006) and Ph.D. (2010) from POSTECH.

JAMES WON-KI HONG [SM] ([email protected]) is a professor and head of the Division of IT Convergence Engineering at POSTECH. He received a Ph.D. degree from the University of Waterloo in 1991. His research interests include network management, network monitoring and analysis, convergence engineering, ubiquitous computing, and smartphonomics. He has served as Chair (2005–2009) of the IEEE ComSoc Committee on Network Operations and Management (CNOM). He is serving as Director of Online Content for IEEE ComSoc. He is a NOMS/IM Steering Committee Member and a Steering Committee Member of APNOMS. He was General Chair of APNOMS 2006, and General Co-Chair of APNOMS 2008 and APNOMS 2011. He was General Co-Chair of IEEE/IFIP NOMS 2010. He is an Associate Editor-in-Chief of IJNM and an editorial board member of IEEE TNSM, JNSM, JCN, and JTM.
