Personal and Ubiquitous Computing

, Volume 23, Issue 5–6, pp 777–791 | Cite as

Hybrid multicriteria fuzzy classification of network traffic patterns, anomalies, and protocols

  • F. Al-Obeidat
  • E.-S. M. El-AlfyEmail author
Original Article


Traffic classification in computer networks has very significant roles in network operation, management, and security. Examples include controlling the flow of information, allocating resources effectively, provisioning quality of service, detecting intrusions, and blocking malicious and unauthorized access. This problem has attracted a growing attention over years and a number of techniques have been proposed ranging from traditional port-based and payload inspection of TCP/IP packets to supervised, unsupervised, and semi-supervised machine learning paradigms. With the increasing complexity of network environments and support for emerging mobility services and applications, more robust and accurate techniques need to be investigated. In this paper, we propose a new supervised hybrid machine-learning approach for ubiquitous traffic classification based on multicriteria fuzzy decision trees with attribute selection. Moreover, our approach can handle well the imbalanced datasets and zero-day applications (i.e., those without previously known traffic patterns). Evaluating the proposed methodology on several benchmark real-world traffic datasets of different nature demonstrated its capability to effectively discriminate a variety of traffic patterns, anomalies, and protocols for unencrypted and encrypted traffic flows. Comparing with other methods, the performance of the proposed methodology showed remarkably better classification accuracy.


Decision trees Multicriterion fuzzy decision making Network traffic classification Encrypted traffic Intrusion detection Network management and security 



The first author thanks Zayed University for the support during this work. The second author would like to acknowledge funding provided by King Abdulaziz City for Science and Technology (KACST) through the Science and Technology Unit at King Fahd University of Petroleum and Minerals (KFUPM) during this work through project 11-INF1658-04.


  1. 1.
    Cup KDD (1999) Dataset for network-based intrusion detection systems. Available on:
  2. 2.
    Abt S, Wener S, Baier H (2013) Performance evaluation of classification and feature selection algorithms for netflow-based protocol recognition. GI-Jahrestagung 220:2184–2197Google Scholar
  3. 3.
    Al-Naymat G, Al-Kasassbeh M, Abu-Samhadanh N, Sakr S (2016) Classification of voip and non-voip traffic using machine learning approaches. J Theoretical Appl Inf Tech 92(2):403Google Scholar
  4. 4.
    Aljawarneh S, Aldwairi M, Yassein MB (2017) Anomaly-based intrusion detection system through feature selection analysis and building hybrid efficient model. Journal of Computational Science. (in press)Google Scholar
  5. 5.
    Alshammari R, Zincir-Heywood AN (2009) Machine learning based encrypted traffic classification: Identifying ssh and skype. In: IEEE Symposium on Computational Intelligence for Security and Defense Applications, vol. 9, pp 289–296Google Scholar
  6. 6.
    Altwaijry H, Algarny S (2012) Bayesian based intrusion detection system. J King Saud Univ - Comput Inf Sci 24(1):1–6CrossRefGoogle Scholar
  7. 7.
    Baig MM, Awais MM, El-Alfy ESM (2017) A multiclass cascade of artificial neural network for network intrusion detection. J Intell Fuzzy Syst 32(4):2875–2883CrossRefGoogle Scholar
  8. 8.
    Bakhshi T, Ghita B (2016) On internet traffic classification: A two-phased machine learning approach. Journal of Computer Networks and Communications 2016Google Scholar
  9. 9.
    Barker J, Hannay P, Szewczyk P (2011) Using traffic analysis to identify the second generation onion router. In: Proceedings IFIP 9th International Conference on Embedded and Ubiquitous Computing, pp 72–78Google Scholar
  10. 10.
    Belacel N (2000) Multicriteria assignment method proaftn: Methodology and medical application. Eur J Oper Res 125(1):175–183CrossRefGoogle Scholar
  11. 11.
    Belacel N, Boulassel M (2001) Multicriteria fuzzy assignment method: A useful tool to assist medical diagnosis. Artif Intell Med 21(1–3):201–207CrossRefGoogle Scholar
  12. 12.
    Belacel N, Wang Q, Richard R (2005) Web-integration of PROAFTN methodology for acute leukemia diagnosis. Telemedicine J e-Health 11(6):652–659CrossRefGoogle Scholar
  13. 13.
    Bolón-Canedo V, Sánchez-Maroño N, Alonso-Betanzos A (2011) Feature selection and classification in multiple class datasets: An application to KDD cup 99 dataset. Expert Syst Appl 38(5):5947–5957CrossRefGoogle Scholar
  14. 14.
    Cao Z, Xiong G, Zhao Y, Li Z, Guo L (2014) A survey on encrypted traffic classification. In: International Conference on Applications and Techniques in Information Security, pp 73–81CrossRefGoogle Scholar
  15. 15.
    Carela-Español V, Barlet-Ros P, Mula-Valls O, Solé-Pareta J. (2015) An autonomic traffic classification system for network operation and management. J Netw Syst Manag 23(3):401–419CrossRefGoogle Scholar
  16. 16.
    Conti M, Mancini LV, Spolaor R, Verde NV (2016) Analyzing android encrypted network traffic to identify user actions. IEEE Trans Inf Forensics Secur 11(1):114–125CrossRefGoogle Scholar
  17. 17.
    Dainotti A, Pescape A, Claffy KC (2012) Issues and future directions in traffic classification. IEEE Netw 26(1):35–40CrossRefGoogle Scholar
  18. 18.
    Depren O, Topallar M, Anarim E, Ciliz MK (2005) An intelligent intrusion detection system (ids) for anomaly and misuse detection in computer networks. Expert Syst Appl 29(4):713–722CrossRefGoogle Scholar
  19. 19.
    El-Alfy ESM, Al-Obeidat FN (2015) Detecting cyber-attacks on wireless mobile networks using multicriterion fuzzy classifier with genetic attribute selection. Mobile Information Systems 2015Google Scholar
  20. 20.
    Erman J, Arlitt M, Mahanti A (2006) Traffic classification using clustering algorithms. In: Proceedings SIGCOMM Workshop on Mining Network Data, pp 281–286Google Scholar
  21. 21.
    Este A, Gringoli F, Salgarelli L (2009) Support vector machines for tcp traffic classification. Comput Netw 53(14):2476–2490CrossRefGoogle Scholar
  22. 22.
    Fayyad U, Irani K (1993) Multi-interval discretization of continuous-valued attributes for classification learning. In: XIII International Joint Conference on Artificial Intelligence (IJCAI93), pp 1022–1029Google Scholar
  23. 23.
    Feng W, Zhang Q, Hu G, Huang JX (2013) Mining network data for intrusion detection through combining SVMs with ant colony networks. Future Generation Computer SystemsGoogle Scholar
  24. 24.
    Karagiannis T, Broido A, Faloutsos M et al (2004) Transport layer identification of p2p traffic. In: Proceedings of 4th ACM SIGCOMM Conference on Internet measurement, pp 121–134Google Scholar
  25. 25.
    Kharrazi M, Sen S, Spatscheck O (2007) Towards real-time performance monitoring for encrypted traffic. In: Proceedings of SIGCOMM Workshop on Internet Network Management, pp 287–292Google Scholar
  26. 26.
    Kim H, Claffy KC, Fomenkov M, Barman D, Faloutsos M, Lee K (2008) Internet traffic classification demystified: myths, caveats, and the best practices. In: Proceedings of ACM CoNEXT Conference, p 11Google Scholar
  27. 27.
    Kumano Y, Ata S, Nakamura N, Nakahira Y, Oka I (2014) Towards real-time processing for application identification of encrypted traffic. In: International Conference on Computing, Networking and Communications (ICNC), pp 136–140Google Scholar
  28. 28.
    li W, Liu Z (2011) A method of SVM with normalization in intrusion detection. Procedia Environ Sci 11:256–262. Part ACrossRefGoogle Scholar
  29. 29.
    Li W, Moore A (2007) A machine learning approach for efficient traffic classification. In: Proc. 15th International Sympos. Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, pp 310–317Google Scholar
  30. 30.
    Moore A, Zuev D, Crogan M (2005) Discriminators for use in flow-based classification. Tech. rep., Queen Mary and Westfield College, Department of Computer ScienceGoogle Scholar
  31. 31.
    Moore A, Zuev D (2005) Internet traffic classification using bayesian analysis techniques. In: ACM SIGMETRICS Performance Evaluation Review, vol 33, pp 50–60CrossRefGoogle Scholar
  32. 32.
    Namdev N, Agrawal S, Silkari S (2015) Recent advancement in machine learning based internet traffic classification. Procedia Comput Sci 60:784–791CrossRefGoogle Scholar
  33. 33.
    Ndatinya V, Xiao Z, Manepalli VR, Meng K, Xiao Y (2015) Network forensics analysis using wireshark. Int J Secur Netw 10(2):91–106CrossRefGoogle Scholar
  34. 34.
    Nguyen T, Armitage G (2008) A survey of techniques for internet traffic classification using machine learning. IEEE Commun Surv Tutorials 10(4):56–76CrossRefGoogle Scholar
  35. 35.
    Okada Y, Ata S, Nakamura N, Nakahira Y, Oka I (2011) Comparisons of machine learning algorithms for application identification of encrypted traffic. In: 10th International Conf. Machine Learning and Applications and Workshops (ICMLA), vol 2, pp 358–361Google Scholar
  36. 36.
    Paredes-Oliva I, Castell-Uroz I, Barlet-Ros P, Dimitropoulos X, Sole-Pareta J (2012) Practical anomaly detection based on classifying frequent traffic patterns. In: IEEE Conf. Computer Communications Workshops, pp 49–54Google Scholar
  37. 37.
    Quinlan JR (1993) C4.5: Programs for Machine Learning. Morgan Kaufmann Publishers, San MateoGoogle Scholar
  38. 38.
    Quinlan JR (1996) Improved use of continuous attributes in c4.5. J Artif Intell Res 4:77–90CrossRefGoogle Scholar
  39. 39.
    Singh K, Agrawal S, Sohi B (2013) A near real-time ip traffic classification using machine learning. Int J Intel Syst Appl 5(3):83Google Scholar
  40. 40.
    Soysal M, Schmidt EG (2010) Machine learning algorithms for accurate flow-based network traffic classification: Evaluation and comparison. Perform Eval 67(6):451–467CrossRefGoogle Scholar
  41. 41.
    Valenti S, Rossi D, Dainotti A, Pescapè A, Finamore A, Mellia M (2013) Reviewing traffic classification. In: Data Traffic Monitoring and Analysis, pp 123–147CrossRefGoogle Scholar
  42. 42.
    Velan P, Ċermák M, Ċeleda P, Draṡar M (2015) A survey of methods for encrypted traffic classification and analysis. Int J Netw Manag 25(5):355–374CrossRefGoogle Scholar
  43. 43.
    Vilela DW, Ferreira ET, Shinoda AA, de Souza Araujo NV, de Oliveira R, Nascimento VE (2014) A dataset for evaluating intrusion detection systems in ieee 802.11 wireless networks. In: IEEE Colombian Conf. Communications and Computing (COLCOM), pp 1–5Google Scholar
  44. 44.
    Wang J, Kuang Q, Duan S (2015) A new online anomaly learning and detection for large-scale service of internet of thing. Pers Ubiquit Comput 19(7):1021–1031CrossRefGoogle Scholar
  45. 45.
    Wang Y, Xiang Y, Zhou W, Yu S (2012) Generating regular expression signatures for network traffic classification in trusted network management. J Netw Comput Appl 35(3):992–1000CrossRefGoogle Scholar
  46. 46.
    Wu SX, Banzhaf W (2010) The use of computational intelligence in intrusion detection systems: A review. Appl Soft Comput 10(1):1–35CrossRefGoogle Scholar
  47. 47.
    Xue Y, Wang D, Zhang L (2013) Traffic classification: Issues and challenges. In: Proc. IEEE International Conf. Computing, Networking and Communications (ICNC), pp 545–549Google Scholar
  48. 48.
    Yuan R, Li Z, Guan X, Xu L (2010) An svm-based machine learning method for accurate internet traffic classification. Inf Syst Front 12(2):149–156CrossRefGoogle Scholar
  49. 49.
    Zander S, Nguyen T, Armitage G (2005) Automated traffic classification and application identification using machine learning. In: IEEE Conf. Local Computer Networks 30th Anniversary (LCN’05), pp 250–257Google Scholar
  50. 50.
    Zuev D, Moore A (2005) Traffic classification using a statistical approach. In: International Workshop on Passive and Active Network Measurement, pp 321–324Google Scholar

Copyright information

© Springer-Verlag London Ltd., part of Springer Nature 2017

Authors and Affiliations

  1. 1.College of Technological InnovationZayed UniversityAbu DhabiUnited Arab Emirates
  2. 2.Information and Computer Science Department, College of Computer Sciences and EngineeringKing Fahd University of Petroleum and MineralsDhahranSaudi Arabia

Personalised recommendations