69 research outputs found

    An Experimental Evaluation of the Computational Cost of a DPI Traffic Classifier

    A common belief in the scientific community is that traffic classifiers based on deep packet inspection (DPI) are far more expensive in terms of computational complexity compared to statistical classifiers. In this paper we counter this notion by defining accurate models for a deep packet inspection classifier and a statistical one based on support vector machines, and by evaluating their actual processing costs through experimental analysis. The results suggest that, contrary to the common belief, a DPI classifier and an SVM-based one can have comparable computational costs. Although much work is left to prove that our results apply in more general cases, this preliminary analysis is a first indication of how DPI classifiers might not be as computationally complex, compared to other approaches, as we previously though

    Comparing P2PTV Traffic Classifiers

    Peer-to-Peer IP Television (P2PTV) applications represent one of the fastest growing application classes on the Internet, both in terms of their popularity and in terms of the amount of traffic they generate. While network operators require monitoring tools that can effectively analyze the traffic produced by these systems, few techniques have been tested on these mostly closed-source, proprietary applications. In this paper we examine the properties of three traffic classifiers applied to the problem of identifying P2PTV traffic. We report on extensive experiments conducted on traffic traces with reliable ground truth information, highlighting the benefits and shortcomings of each approach. The results show that not only their performance in terms of accuracy can vary significantly, but also that their usability features suggest different effective aspects that can be integrate

    TIE: A Community-Oriented Traffic Classification Platform

    Abstract — During the last years the research on network traffic classification has become very active. The research community, moved by increasing difficulties in the automated identification of network traffic and by concerns related to user privacy, started to investigate and propose classification approaches alternative to port-based and payload-based techniques. Despite the large quantity of works published in the past few years on this topic, very few implementations targeting alternative approaches were made available to the community. Moreover, most approaches proposed in literature suffer from problems related to the ability of evaluating and comparing them. In this paper we present a novel community-oriented software for traffic classification called TIE, which aims at becoming a common tool for the fair evaluation and comparison of different techniques and at fostering the sharing of common implementations and data. Moreover, TIE supports the combination of more classification plugins in order to build multi-classifier systems, and its architecture is designed to allow online traffic classification. In this paper, we also present the implementation of two basic techniques as classification plugins, which are already distributed with TIE. Finally we report on the development of several classification plugins, implementing novel classification techniques, carried out through collaborations with other research groups.

    Crittografia e sicurezza delle reti


    IP Traffic Classification for QoS Guarantees: the Independence of Packets

    Abstract — The classification of IP flows according to the application that generated them has become a popular research subject in the last few years. Several recent papers based their studies on the analysis of features of flows such as the packet size and inter-arrival time, which are then used as input to classification techniques derived from various scientific areas such as pattern recognition. In this paper we analyze the impact on flow classification of a hypothesis that is often overlooked, i.e., the tenet that the features of consecutive packets of a given IP flow can be considered statistically independent. We compare two approaches, one based on a technique that considers consecutive packets statistically independent, and one that relies on the opposite assumption. These techniques are then applied to three different sets of traffic traces. Experimental results show that while assuming the independence of consecutive packets has relatively few effects on true positives, it can have a significant negative impact on the false positive and true negative rates, therefore lowering the precision of the classification process.

    A Model for the Study of Privacy Issues in Secure Shell Connections


    On-line SVM traffic classification


    On the Stability of the Information Carried by Traffic Flow Features at the Packet Level

    This paper presents a statistical analysis of the amount of information that the features of traffic flows observed at the packet-level carry, with respect to the protocol that generated them. We show that the amount of information of the majority of such features remains constant irrespective of the point of observation (Internet core vs. Internet edge) and of the capture time (year 2000/01 vs. year 2008). We also describe a comparative analysis of how four statistical classifiers fare using the features we studied