Abstract
Well-known port numbers can no longer be used to reliably identify network applications. There is a variety of new Internet applications that either do not use well-known port numbers or use other protocols, such as HTTP, as wrappers in order to go through firewalls without being blocked. One consequence of this is that a simple inspection of the port numbers used by flows may lead to the inaccurate classification of network traffic. In this work, we look at these inaccuracies in detail. Using a full payload packet trace collected from an Internet site we attempt to identify the types of errors that may result from port-based classification and quantify them for the specific trace under study. To address this question we devise a classification methodology that relies on the full packet payload. We describe the building blocks of this methodology and elaborate on the complications that arise in that context. A classification technique approaching 100% accuracy proves to be a labor-intensive process that needs to test flow-characteristics against multiple classification criteria in order to gain sufficient confidence in the nature of the causal application. Nevertheless, the benefits gained from a content-based classification approach are evident. We are capable of accurately classifying what would be otherwise classified as unknown as well as identifying traffic flows that could otherwise be classified incorrectly. Our work opens up multiple research issues that we intend to address in future work.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Moore, D., Keys, K., Koga, R., Lagache, E., Claffy, K.C.: CoralReef software suite as a tool for system and network administrators. In: Proceedings of the LISA 2001 15th Systems Administration Conference (2001)
Logg, C., Cottrell, L.: Characterization of the Traffic between SLAC and the Internet (2003), http://www.slac.stanford.edu/comp/net/slac-netflow/html/SLAC-netflow.html
Fraleigh, C., Moon, S., Lyles, B., Cotton, C., Khan, M., Moll, D., Rockell, R., Seely, T., Diot, C.: Packet-level traffic measurements from the sprint IP backbone. IEEE Network, 6–16 (2003)
Choi, T., Kim, C., Yoon, S., Park, J., Lee, B., Kim, H., Chung, H., Jeong, T.: Content-aware Internet Application Traffic Measurement and Analysis. In: IEEE/IFIP Network Operations & Management Symposium, NOMS 2004 (2004)
Moore, A., Hall, J., Kreibich, C., Harris, E., Pratt, I.: Architecture of a Network Monitor. In: Passive & Active Measurement Workshop, PAM 2003 (2003)
Roesch, M.: Snort - Lightweight Intrusion Detection for Networks. In: USENIX 13th Systems Administration Conference — LISA 1999, Seattle, WA (1999)
Orebaugh, A., Morris, G., Warnicke, E., Ramirez, G.: Ethereal Packet Sniffing. Syngress Publishing, Rockland (2004)
Moore, A.: Discrete content-based classification — a data set. Technical Report, Intel Research, Cambridge (2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Moore, A.W., Papagiannaki, K. (2005). Toward the Accurate Identification of Network Applications. In: Dovrolis, C. (eds) Passive and Active Network Measurement. PAM 2005. Lecture Notes in Computer Science, vol 3431. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31966-5_4
Download citation
DOI: https://doi.org/10.1007/978-3-540-31966-5_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-25520-8
Online ISBN: 978-3-540-31966-5
eBook Packages: Computer ScienceComputer Science (R0)