
Book contents
- Frontmatter
- Contents
- Acknowledgments
- 1 Introduction
- 2 Background and context
- I Network monitoring and management
- II Network design and traffic engineering
- III From bits to services
- 12 From bits to services: information is power
- 13 Traffic classification in the dark
- 14 Classification of multimedia hybrid flows in real time
- 15 Detection of data plane malware: DoS and computer worms
- 16 Detection of control-plane anomalies: beyond prefix hijacking
- Appendix A How to link original and measured flow characteristics when packet sampling is used: bytes, packets and flows
- Appendix B Application-specific payload bit strings
- Appendix C BLINC implementation details
- Appendix D Validation of direction-conforming rule
- References
- Index
13 - Traffic classification in the dark
from III - From bits to services
Published online by Cambridge University Press: 05 September 2012
Summary
Classifying traffic flows according to the application that generates them is an important task for (a) effective network planning and design and (b) monitoring the trends of the applications in operational networks. However, an accurate method that can reliably identify the generating application of a flow is still to be developed. In this chapter and the next, we look into the problem of traffic classification; the ultimate goal is to give network operators algorithms that provide a meaningful classification per application and, if this is infeasible, useful insight into the traffic behavior. The latter may facilitate the detection of abnormalities in the traffic or of malicious behavior, or the identification of novel applications.
State of the art and context
Currently, application classification practices rely to a large extent on the use of transport-layer port numbers. While this practice may have been effective in the early days of the Internet, port numbers currently provide limited information. Often, applications and users are not cooperative and, intentionally or not, use inconsistent ports. Thus, “reliable” traffic classification requires packet-payload examination, which is scarcely an option due to: (a) hardware and complexity limitations, (b) privacy and legal issues, (c) payload encryption by the applications.
Taking into account empirical application trends and the increasing use of encryption, we conjecture that traffic classifiers of the future will need to classify traffic “in the dark.”
- Type: Chapter
- Information: Design, Measurement and Management of Large-Scale IP Networks: Bridging the Gap Between Theory and Practice, pp. 261-289
- Publisher: Cambridge University Press
- Print publication year: 2008