
Detecting TCP-based applications using packet size distributions

By Bo Li


A Doctoral Thesis. Submitted in partial fulfilment of the requirements for the award of Doctor of Philosophy of Loughborough University.

Knowing what applications are currently in operation across modern packet-based communication networks such as the Internet is always attractive to network administrators, network service providers and security systems. The availability of this information can contribute to preventing improper network use, which may include illegal activities, consume a large amount of bandwidth, cause security problems or break network usage policies. In addition, using this information, the network may be able to establish enhanced environments for the applications that are in use.

Various techniques exist to perform network application detection. However, there are situations in which the traditional techniques fail: for example, if the application uses non-registered port numbers, if the capture of certain specific packets is impossible, or if the data portion of at least some of the packets is unavailable due to encryption or processing overload.

In this Thesis an alternative approach to application detection, using packet size distributions, is applied to TCP applications. This statistical property of the traffic stream is found to be unique to certain kinds of network applications. Detection can be achieved by simply comparing this "fingerprint" with pre-evaluated samples stored in a database. Previous work has shown that packet size distributions can successfully identify many types of UDP application.

This Thesis suggests that for those TCP-based network applications that do not use the Nagle Algorithm, the detection mechanism, which had been proved to be successful for UDP-based applications, could also be adopted without any modification. For Nagle-based applications, the situation becomes more complicated; however, with some pre-computation, successful detection can be achieved as well. A prototype detector implementing the suggested approaches has been designed in order to test the feasibility and performance of the proposed approach. The tests carried out on this prototype platform indicate that the method is universally suitable for several distributions and gives satisfactory detection success ratios.
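The fingerprint comparison the abstract describes can be sketched as follows. This is an added example, not code from the thesis: the bin width, the total variation distance, the match threshold and the two stored application labels are all assumptions, and it covers only the direct comparison, not the pre-computation for Nagle-based applications.

```python
from collections import Counter

BIN = 64          # assumed histogram bin width in bytes
MAX_SIZE = 1536   # assumed upper bound; larger packets fall in the last bin
THRESHOLD = 0.25  # assumed maximum distance that still counts as a match


def fingerprint(sizes):
    """Normalised packet size histogram for one traffic stream."""
    if not sizes:
        raise ValueError("no packets observed")
    nbins = MAX_SIZE // BIN
    counts = Counter(min(s // BIN, nbins - 1) for s in sizes)
    return [counts.get(i, 0) / len(sizes) for i in range(nbins)]


def distance(p, q):
    """Total variation distance: 0 for identical histograms, 1 for disjoint."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def detect(sizes, database, threshold=THRESHOLD):
    """Return (label, distance) for the closest stored fingerprint.

    The label is None when even the closest fingerprint is further away
    than the threshold, i.e. the stream matches nothing in the database.
    """
    observed = fingerprint(sizes)
    label, best = min(
        ((name, distance(observed, ref)) for name, ref in database.items()),
        key=lambda item: item[1],
    )
    return (label, best) if best <= threshold else (None, best)


# Constructed sample data: packet sizes in bytes, not real captures.
DATABASE = {
    "interactive-shell": fingerprint([60] * 70 + [76] * 20 + [140] * 10),
    "bulk-transfer": fingerprint([1500] * 85 + [60] * 15),
}
OBSERVED_SHELL = [60] * 65 + [80] * 25 + [150] * 10
OBSERVED_BULK = [1500] * 80 + [1460] * 5 + [60] * 15
OBSERVED_UNKNOWN = [400] * 50 + [800] * 50

if __name__ == "__main__":
    for name, stream in [("shell", OBSERVED_SHELL), ("bulk", OBSERVED_BULK),
                         ("unknown", OBSERVED_UNKNOWN)]:
        print(name, detect(stream, DATABASE))
```

Because only packet sizes are used, the comparison needs neither port numbers nor payload access, which is the case the abstract targets.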

Publisher: © Bo Li
Year: 2008