A statistical blind technique for recognition of internet traffic with dependence enforcement

The increasing demand of network security, access control, and service differentiation over IP networks drives Internet Service Providers and network administrators to deploy ever more sophisticated and faster traffic recognition mechanisms. Unfortunately this is complicated by the continuous development of new application protocols, increasing network bandwidth, and spreading of complicated tunneling and encryption techniques. In this paper we describe a statistical technique for blind recognition and classification of application sessions amongst aggregated traffic. Packets are assigned to known applications/protocols on the basis of a restricted set of information extracted from each packet: packet addresses, sizes, and timestamps. We analyzed three modes with different degrees of correlation among packets belonging to the same session. Albeit its simplicity, the studied technique has demonstrated very good performances, also when used for real-time classification