Probability density functions of the packet length for computer networks with bimodal traffic

ABSTRACT The research on Internet traffic classification and identification, with application on prevention of attacks and intrusions, increased considerably in the past years. Strategies based on statistical characteristics of the Internet traffic, that use parameters such as packet length (size) and inter-arrival time and their probability density functions, are popular. This paper presents a new statistical modeling for packet length, which shows that it can be modeled using a probability density function that involves a normal or a beta distribution, according to the traffic generated by the users. The proposed functions has parameters that depend on the type of traffic and can be used as part of an Internet traffic classification and identification strategy. The models can be used to compare, simulate and estimate the computer network traffic, as well as to generate synthetic traffic and estimate the packets processing capacity of Internet routers KEYWORD

Using host profiling to refine statistical application identification

International audienceThe identification of Internet traffic applications is very important for ISPs and network administrators to protect their resources from unwanted traffic and prioritize some major applications. Statistical methods are preferred to port-based ones and deep packet inspection since they don't rely on the port number, which can change dynamically, and they also work for encrypted traffic. These methods combine the statistical analysis of the application packet flow parameters, such as packet size and inter-packet time, with machine learning techniques. Other successful approaches rely on the way the hosts communicate and their traffic patterns to identify applications. In this paper, we propose a new online method for traffic classification that combines the statistical and host-based approaches in order to construct a robust and precise method for early Internet traffic identification. We use the packet size as the main feature for the classification and we benefit from the traffic profile of the host (i.e. which application and how much) to refine the classification and decide in favor of this or that application. The host profile is then updated online based on the result of the classification of previous flows originated by or addressed to the same host. We evaluate our method on real traces using several applications. The results show that leveraging the traffic pattern of the host ameliorates the performance of statistical methods. They also prove the capacity of our solution to derive profiles for the traffic of Internet hosts and to identify the services they provide