Self-Learning IP Traffic Classification Based on Statistical Flow Characteristics

  • Sebastian Zander
  • Thuy Nguyen
  • Grenville Armitage
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3431)


A number of key areas in IP network engineering, management and surveillance greatly benefit from the ability to dynamically identify traffic flows according to the applications responsible for their creation. Currently such classifications rely on selected packet header fields (e.g. destination port) or application layer protocol decoding. These methods have a number of shortfalls e.g. many applications can use unpredictable port numbers and protocol decoding requires high resource usage or is simply infeasible in case protocols are unknown or encrypted. We propose a framework for application classification using an unsupervised machine learning (ML) technique. Flows are automatically classified based on their statistical characteristics. We also propose a systematic approach to identify an optimal set of flow attributes to use and evaluate the effectiveness of our approach using captured traffic traces.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Sen, S., Spatscheck, O., Wang, D.: Accurate, Scalable In-Network Identification of P2P Traffic Using Application Signatures. In: WWW 2004, New York, USA (May 2004)Google Scholar
  2. 2.
    Frank, J.: Machine Learning and Intrusion Detection: Current and Future Directions. In: Proceedings of the National 17th Computer Security Conference (1994)Google Scholar
  3. 3.
    Roughan, M., Sen, S., Spatscheck, O., Duffield, N.: Class-of-Service Mapping for QoS: A statistical signature-based approach to IP traffic classification. In: ACM SIGCOMM Internet Measurement Workshop 2004, Taormina, Sicily, Italy,Google Scholar
  4. 4.
    McGregor, A., Hall, M., Lorier, P., Brunskill, J.: Flow Clustering Using Machine Learning Techniques. In: Passive & Active Measurement Workshop 2004, France (April 2004)Google Scholar
  5. 5.
    Lan, K., Heidemann, J.: On the correlation of Internet flow characteristics, Technical Report ISI-TR-574, USC/Information Sciences Institute (July 2003)Google Scholar
  6. 6.
    Claffy, K., Braun, H.-W., Polyzos, G.: Internet Traffic Profiling, CAIDA, San Diego Supercomputer Center outreach/papers/1994/itf/ (1994),
  7. 7.
    Dunnigan, T., Ostrouchov, G.: Flow Characterization for Intrusion Detection, Oak Ridge National Laboratory, Tech Report (November 2000),
  8. 8.
    NetMate as of, (January 2005),
  9. 9.
    Cheeseman, P., Stutz, J.: Bayesian Classification (Autoclass): Theory and Results. In: Advances in Knowledge Discovery and Data Mining, AAAI/MIT Press, USA (1996)Google Scholar
  10. 10.
    Dempster, A., Laird, N., Rubin, D.: Maximum Likelihood from Incomplete Data via the EM Algorithm. Journal of Royal Statistical Society, Series B 30(1) (1977)Google Scholar
  11. 11.
    NLANR traces as of, (January 2005),

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Sebastian Zander
    • 1
  • Thuy Nguyen
    • 1
  • Grenville Armitage
    • 1
  1. 1.Centre for Advanced Internet Architectures (CAIA)Swinburne University of TechnologyMelbourneAustralia

Personalised recommendations