Traffic Identification Based on Applications using Statistical Signature Free from Abnormal TCP Behavior

摘要

As network traffic becomes more complex and diverse from the existence of new applications and services, application-based traffic classification is becoming important for the effective use of network resources. To remedy the drawbacks of traditional methods, such as port-based or payload-based traffic classification, traffic classification methods based on the statistical information of a flow have recently been proposed. However, abnormal TCP behaviors, such as a packet retransmission or out-of-order packets, cause inconsistencies in the statistical information of a flow. Furthermore, the analysis results cannot be trusted without resolving the abnormal behaviors. In this paper, we analyze the limitations of traffic classification caused by abnormal TCP behavior, and propose a novel application-based traffic classification method using a statistical signature with resolving abnormal TCP behaviors. The proposed method resolves abnormal TCP behaviors and generates unique signatures for each application using the packet order, direction, and payload size of the first N packets in a flow, and uses them to classify the application traffic. The evaluation shows that this method can classify application traffic easily and quickly with high accuracy rates of over 99%. Furthermore, the method can classify traffic generated by applications that use the same application protocol or are encrypted.