Gaussian Fitting of Multi-scale Traffic Properties for Discriminating IP Applications

Rocha, Eduardo; Salvador, Paulo; Nogueira, António

Home // EMERGING 2010, The Second International Conference on Emerging Network Intelligence // View article

Gaussian Fitting of Multi-scale Traffic Properties for Discriminating IP Applications

Authors:
Eduardo Rocha
Paulo Salvador
António Nogueira

Keywords: Application identification, multiscale analysis, wavelets, licit and illicit applications.

Abstract:
In the last years, there has been an increasing need to accurately assign traffic to its originating application or protocol. Several new protocols and services have appeared, such as VoIP or file sharing, creating additional identification challenges due to their peculiar behaviors, such as the use of random ports or ports associated to other protocols. The number and variety of security vulnerabilities and attacks that are carried out over the Internet has also drastically increased in recent years. Besides, privacy and confidentiality are also growing concerns for Internet users: traffic encryption is becoming widely used and, therefore, access to the user payload is more and more difficult. Therefore, new identification methodologies that can be accurate when applied to different types of traffic and be able to operate in cyphered traffic scenarios are needed. In this paper, we present an identification methodology that relies on a multiscale analysis of the traffic flows, differentiating them based on the probability that their characteristic multiscale behavior estimators belong to specific probability distributions whose parameters are inferred from traffic flows of real applications. The classical concept of traffic flow was replaced by the definition of textit{data stream}, which consists of all traffic (in the upload or download directions) of a local IP address that is univocally identified by a numeric identifier. The results achieved so far show that the proposed methodology is able to accurately classify licit traffic and also identify some of the most common Internet security attacks. Besides, this approach can also circumvent some of the most important drawbacks of existing identification methodologies, namely their inability to work under strict confidentiality restriction scenarios.

Pages: 6 to 11

Copyright: Copyright (c) IARIA, 2010

Publication date: October 25, 2010

Published in: conference

ISSN: 2326-9383

ISBN: 978-1-61208-103-8

Location: Florence, Italy

Dates: from October 25, 2010 to October 30, 2010