Efficient Methods for Early Protocol Identification

Abstract—To manage and monitor their networks in a proper way, network operators are often interested in automatic methods that enable them to identify applications generating the traffic traveling through their networks as fast (i.e., from the first few packets) as possible. State-of-the-art packet-based traffic classification methods are either based on costly inspection of the payload of several packets in each flow or on basic flow statistics without taking into account the packet content. In this paper, we consider an intermediate approach of analyzing only the first few bytes of the first (or first few) packet(s) of each flow and propose automatic, machine-learning-based methods with very low computational complexity and memory footprint. The performance of these techniques are thoroughly analyzed, showing that outstanding early classification accuracy can be achieved on traffic traces generated by a diverse set of applications (including P2P TV and file sharing) in a laboratory environment as well as on a real-world data set collected in the network of a large European ISP. Index Terms—Traffic classification, payload statistics, machine learning I