Classification of encrypted cloud computing service traffic using data mining techniques

Qian, Cheng

27 February 2012

In addition to the wireless network providers’ need for traffic classification, the need is more and more common in the Cloud Computing environment. A data center hosting Cloud Computing services needs to apply priority policies and Service Level Agreement (SLA) rules at the edge of its network. Overwhelming requirements about user privacy protection and the trend of IPv6 adoption will contribute to the significant growth of encrypted Cloud Computing traffic. This report presents experiments focusing on application of data mining based Internet traffic classification methods to classify encrypted Cloud Computing service traffic. By combining TCP session level attributes, client and host connection patterns and Cloud Computing service Message Exchange Patterns (MEP), the best method identified in this report yields 89% overall accuracy. / text

Internet traffic classification

Data mining

Cloud computing

Video Flow Classification : A Runtime Performance Study

Västlund, Filip

January 2017

Due to it being increasingly common that users' data is encrypted, the Internet service providers today find it difficult to adapt their service for the users' needs. Previously popular methods of classifying users data does not work as well today and new alternatives is therefore desired to give the users an optimal experience.This study focuses specifically on classifying data flows into video and non-video flows with the use of machine learning algorithms and with a focus on runtime performance. In this study the tested algorithms are created in Python and then exported into a C code implementation, more specifically the random forest and the gradient boosting trees algorithm.The goal is to find the algorithm with the fastest classification time relative to its accuracy, making the classification as fast as possible and the classification model to require as little space as possible.The results show that random forest was significantly faster at classification than gradient boosting trees, with initial tests showing it to be roughly 7 times faster after compiler optimization. After optimizing the C code random forest could classify more than 250,000 data flows each second with decent accuracy. Neither of the two algorithms required a lot of space (<3 megabyte). / HITS, 4707

Traffic classification

Network traffic

Machine learning

Code optimization

Video traffic classification

Computer Sciences

Datavetenskap (datalogi)

Monitoring of Video Streaming Quality from Encrypted Network Traffic : The Case of YouTube Streaming

Chebudie, Abiy Biru

January 2016

The video streaming applications contribute to a major share of the Internet traffic. Consequently, monitoring and management of video streaming quality has gained a significant importance in the recent years. The disturbances in the video, such as, amount of buffering and bitrate adaptations affect user Quality of Experience (QoE). Network operators usually monitor such events from network traffic with the help of Deep Packet Inspection (DPI). However, it is becoming difficult to monitor such events due to the traffic encryption. To address this challenge, this thesis work makes two key contributions. First, it presents a test-bed, which performs automated video streaming tests under controlled time-varying network conditions and measures performance at network and application level. Second, it develops and evaluates machine learning models for the detection of video buffering and bitrate adaptation events, which rely on the information extracted from packets headers. The findings of this work suggest that buffering and bitrate adaptation events within 60 second intervals can be detected using Random Forest model with an accuracy of about 70%. Moreover, the results show that the features based on time-varying patterns of downlink throughput and packet inter-arrival times play a distinctive role in the detection of such events.

Quality of Experience

Machine Learning

Encrypted video traffic classification

Video Streaming Quality

Towards a Low Latency Internet: Understanding and Solutions

Rajiullah, Mohammad

January 2015

Networking research and development have historically focused on increasing network throughput and path resource utilization, which particularly helped bulk applications such as file transfer and video streaming. Recent over-provisioning in the core of the Internet has facilitated the use of interactive applications like interactive web browsing, audio/video conferencing, multi- player online gaming and financial trading applications. Although the bulk applications rely on transferring data as fast as the network permits, interactive applications consume rather little bandwidth, depending instead on low latency. Recently, there has been an increasing concern in reducing latency in networking research, as the responsiveness of interactive applications directly influences the quality of experience. To appreciate the significance of latency-sensitive applications for today's Internet, we need to understand their traffic pattern and quantify their prevalence. In this thesis, we quantify the proportion of potentially latency-sensitive traffic and its development over time. Next, we show that the flow start-up mechanism in the Internet is a major source of latency for a growing proportion of traffic, as network links get faster. The loss recovery mechanism in the transport protocol is another major source of latency. To improve the performance of latency-sensitive applications, we propose and evaluate several modifications in TCP. We also investigate the possibility of prioritization at the transport layer to improve the loss recovery. The idea is to trade reliability for timeliness. We particularly examine the applicability of PR-SCTP with a focus on event logging. In our evaluation, the performance of PR-SCTP is largely influenced by small messages. We analyze the inefficiency in detail and propose several solutions. We particularly implement and evaluate one solution that utilizes the Non-Renegable Selective Acknowledgments (NR-SACKs) mechanism, which has been proposed for standardization in the IETF. According to the results, PR-SCTP with NR-SCAKs significantly improves the application performance in terms of low latency as compared to SCTP and TCP. / Interactive applications such as web browsing, audio/video conferencing, multi-player online gaming and financial trading applications do not benefit (much) from more bandwidth. Instead, they depend on low latency. Latency is a key determinant of user experience. An increasing concern for reducing latency is therefore currently being observed among the networking research community and industry. In this thesis, we quantify the proportion of potentially latency-sensitive traffic and its development over time. Next, we show that the flow start-up mechanism in the Internet is a major source of latency for a growing proportion of traffic, as network links get faster. The loss recovery mechanism in the transport protocol is another major source of latency. To improve the performance of latency-sensitive applications, we propose and evaluate several modifications in TCP. We also investigate the possibility of prioritization at the transport layer to improve the loss recovery. The idea is to trade reliability for timeliness. We particularly examine the applicability of PR-SCTP with a focus on event logging. In our evaluation, the performance of PR-SCTP is largely influenced by small messages. We analyze the inefficiency in detail and propose several solutions. We particularly implement and evaluate one solution that utilizes the Non-Renegable Selective Acknowledgments (NR-SACKs) mechanism, which has been proposed for standardization in the IETF. According to the results, PR-SCTP with NR-SCAKs significantly improves the application performance in terms of low latency as compared to SCTP and TCP.

An Investigation on Detecting Applications Hidden in SSL Streams using Machine Learning Techniques

McCarthy, Curtis

13 August 2010

The importance of knowing what type of traffic is flowing through a network is paramount to its success. Traffic shaping, Quality of Service, identifying critical business applications, Intrusion Detection Systems, as well as network administra- tion activities all require the base knowledge of what traffic is flowing over a network before any further steps can be taken. With SSL traffic on the rise due to applica- tions securing or concealing their traffic, the ability to determine what applications are running within a network is getting more and more difficult. Traditional methods of traffic classification through port numbers or deep packet inspection have been deemed inadequate by researchers thus making way for new methods. The purpose of this thesis is to investigate if a machine learning approach can be used with flow features to identify SSL in a given network trace. To this end, different machine learning methods are investigated without the use of port numbers, Internet Protocol addresses, or payload information. Various machine learning models are investigated including AdaBoost, Naive Bayes, RIPPER, and C4.5. The robustness of the results are tested against unseen datasets during training. Moreover, the proposed approach is compared to the Wireshark traffic analysis tool. Results show that the proposed ap- proach is very promising in identifying SSL traffic from a given network trace without using port numbers, Internet protocol addresses, or payload information.

SSL

Traffic Classification

Machine Learning

TLS

Secure Sockets Layer

Transport Layer Security

Video Traffic Classification : A Machine Learning approach with Packet Based Features using Support Vector Machine / Videotrafikklassificering : En Maskininlärningslösning med Paketbasereade Features och Supportvektormaskin

Westlinder, Simon

January 2016

Internet traffic classification is an important field which several stakeholders are dependent on for a number of different reasons. Internet Service Providers (ISPs) and network operators benefit from knowing what type of traffic that propagates over their network in order to correctly treat different applications. Today Deep Packet Inspection (DPI) and port based classification are two of the more commonly used methods in order to classify Internet traffic. However, both of these techniques fail when the traffic is encrypted. This study explores a third method, classifying Internet traffic by machine learning in which the classification is realized by looking at Internet traffic flow characteristics instead of actual payloads. Machine learning can solve the inherent limitations that DPI and port based classification suffers from. In this study the Internet traffic is divided into two classes of interest: Video and Other. There exist several machine learning methods for classification, and this study focuses on Support Vector Machine (SVM) to classify traffic. Several traffic characteristics are extracted, such as individual payload sizes and the longest consecutive run of payload packets in the downward direction. Several experiments using different approaches are conducted and the achieved results show that overall accuracies above 90% are achievable. / HITS, 4707

Supervised Machine Learning

SVM

Video traffic classification

Computer Sciences

Datavetenskap (datalogi)

Integrated transportation monitoring system for both pavement and traffic

Xue, Wenjing

12 June 2013

In the passing decades, the monitoring of pavements and passing vehicles was developed vigorously with the growth of information and sensing technology. Pavement monitoring is an essential part of pavement research and plays an important role in transportation system. At the same time, the monitoring system about the traffic, such as Weigh-in-Motion (WIM) system and traffic classification system, also attracted lots of attention because of their importance in traffic statistics and management. The monitoring system in this dissertation combines the monitoring for pavements and traffic together with the same sensing network. For pavement health monitoring purpose, the modulus of the asphalt layer can be back-calculated based on the collected mechanical responses under corresponding environmental conditions. At the same time, the actually strain and stress in pavements induced by each passing vehicle are also used for pavement distress prediction. For traffic monitoring purpose, the horizontal strain traces are analyzed with a Gaussian model to estimate the speed, wandering position, weight and classification of each passing vehicle. The whole system, including the sensing network and corresponding analysis method, can monitor the pavement and the traffic simultaneously, and is called transportation monitoring system. This system has a high efficiency because of its low cost and easy installation; multi-functionality to provide many important information of transportation system. Many related studies were made to improve the prototyped transportation monitoring system. With the assistance of numerical simulation software ABAQUS and 3D-Move, the effect of many loading and environmental conditions, including temperature, vehicle speed, tire configuration and inflation pressure, are taken into consideration. A method was set up to integrate data points from many tests of similar environmental and loading conditions based on Gaussian model. Another method for consistent comparison of variable field sensor data was developed. It was demonstrated that variation in field measurement was due to uncontrollable environmental and loading factors, which may be accounted for by using laboratory test and numerical simulation based corrections. / Ph. D.

Pavement Monitoring

Traffic Monitoring

Weigh-In-Motion System

Traffic Classification

Pavement Health Status

Sustaining the Performance of Artificial Intelligence in Networking Analytics

Zhang, Jielun

07 August 2023

No description available.

Electrical Engineering

Computer Engineering

Networking analytics

Artificial Intelligence

network traffic classification

network security

Internet-of-Things

Atlantic : a framework for anomaly traffic detection, classification, and mitigation in SDN / Atlantic : um framework para detecção, classificação e mitigação de tráfego anômalo em SDN

Silva, Anderson Santos da

January 2015

Software-Defined Networking (SDN) objetiva aliviar as limitações impostas por redes IP tradicionais dissociando tarefas de rede executadas em cada dispositivo em planos específicos. Esta abordagem oferece vários benefícios, tais como a possibilidade de uso de protocolos de comunicação padrão, funções de rede centralizadas, e elementos de rede mais específicos e modulares, tais como controladores de rede. Apesar destes benefícios, ainda há uma falta de apoio adequado para a realização de tarefas relacionadas à classificação de tráfego, pois (i) as características de fluxo nativas disponíveis no protocolo OpenFlow, tais como contadores de bytes e pacotes, não oferecem informação suficiente para distinguir de forma precisa fluxos específicos; (ii) existe uma falta de suporte para determinar qual é o conjunto ótimo de características de fluxo para caracterizar um dado perfil de tráfego; (iii) existe uma necessidade de estratégias flexíveis para compor diferentes mecanismos relacionados à detecção, classificação e mitigação de anomalias de rede usando abstrações de software; (iv) existe uma necessidade de monitoramento de tráfego em tempo real usando técnicas leves e de baixo custo; (v) não existe um framework capaz de gerenciar detecção, classificação e mitigação de anomalias de uma forma coordenada considerando todas as demandas acima. Adicionalmente, é sabido que mecanismos de detecção e classificação de anomalias de tráfego precisam ser flexíveis e fáceis de administrar, a fim de detectar o crescente espectro de anomalias. Detecção e classificação são tarefas difíceis por causa de várias razões, incluindo a necessidade de obter uma visão precisa e abrangente da rede, a capacidade de detectar a ocorrência de novos tipos de ataque, e a necessidade de lidar com erros de classificação. Nesta dissertação, argumentamos que SDN oferece ambientes propícios para a concepção e implementação de esquemas mais robustos e extensíveis para detecção e classificação de anomalias. Diferentemente de outras abordagens na literatura relacionada, que abordam individualmente detecção ou classificação ou mitigação de anomalias, apresentamos um framework para o gerenciamento e orquestração dessas tarefas em conjunto. O framework proposto é denominado ATLANTIC e combina o uso de técnicas com baixo custo computacional para monitorar tráfego e técnicas mais computacionalmente intensivas, porém precisas, para classificar os fluxos de tráfego. Como resultado, ATLANTIC é um framework flexível capaz de categorizar anomalias de tráfego utilizando informações coletadas da rede para lidar com cada perfil de tráfego de um modo específico, como por exemplo, bloqueando fluxos maliciosos. / Software-Defined Networking (SDN) aims to alleviate the limitations imposed by traditional IP networks by decoupling network tasks performed on each device in particular planes. This approach offers several benefits, such as standard communication protocols, centralized network functions, and specific network elements, such as controller devices. Despite these benefits, there is still a lack of adequate support for performing tasks related to traffic classification, because (i) the native flow features available in OpenFlow, such as packet and byte counts, do not convey sufficient information to accurately distinguish between some types of flows; (ii) there is a lack of support to determine what is the optimal set of flow features to characterize different types of traffic profiles; (iii) there is a need for a flexible way of composing different mechanisms to detect, classify and mitigate network anomalies using software abstractions; (iv) there is a need of online traffic monitoring using lightweight/low-cost techniques; (v) there is no framework capable of managing anomaly detection, classification and mitigation in a coordinated manner and considering all these demands. Additionally, it is well-known that anomaly traffic detection and classification mechanisms need to be flexible and easy to manage in order to detect the ever growing spectrum of anomalies. Detection and classification are difficult tasks because of several reasons, including the need to obtain an accurate and comprehensive view of the network, the ability to detect the occurrence of new attack types, and the need to deal with misclassification. In this dissertation, we argue that Software-Defined Networking (SDN) form propitious environments for the design and implementation of more robust and extensible anomaly classification schemes. Different from other approaches from the literature, which individually tackle either anomaly detection or classification or mitigation, we present a management framework to perform these tasks jointly. Our proposed framework is called ATLANTIC and it combines the use of lightweight techniques for traffic monitoring and heavyweight, but accurate, techniques to classify traffic flows. As a result, ATLANTIC is a flexible framework capable of categorizing traffic anomalies and using the information collected to handle each traffic profile in a specific manner, e.g., blocking malicious flows.

Redes : Computadores

Trafego : Redes : Computadores

Gerencia : Redes : Computadores

Anomaly detection

Traffic classification

Traffic monitoring

Management framework

Machine learning

Hierarchical TCP network traffic classification with adaptive optimisation

Wang, Xiaoming

January 2010

Nowadays, with the increasing deployment of modern packet-switching networks, traffic classification is playing an important role in network administration. To identify what kinds of traffic transmitting across networks can improve network management in various ways, such as traffic shaping, differential services, enhanced security, etc. By applying different policies to different kinds of traffic, Quality of Service (QoS) can be achieved and the granularity can be as fine as flow-level. Since illegal traffic can be identified and filtered, network security can be enhanced by employing advanced traffic classification. There are various traditional techniques for traffic classification. However, some of them cannot handle traffic generated by applications using non-registered ports or forged ports, some of them cannot deal with encrypted traffic and some techniques require too much computational resources. The newly proposed technique by other researchers, which uses statistical methods, gives an alternative approach. It requires less resources, does not rely on ports and can deal with encrypted traffic. Nevertheless, the performance of the classification using statistical methods can be further improved. In this thesis, we are aiming for optimising network traffic classification based on the statistical approach. Because of the popularity of the TCP protocol, and the difficulties for classification introduced by TCP traffic controls, our work is focusing on classifying network traffic based on TCP protocol. An architecture has been proposed for improving the classification performance, in terms of accuracy and response time. Experiments have been taken and results have been evaluated for proving the improved performance of the proposed optimised classifier. In our work, network packets are reassembled into TCP flows. Then, the statistical characteristics of flows are extracted. Finally the classes of input flows can be determined by comparing them with the profiled samples. Instead of using only one algorithm for classifying all traffic flows, our proposed system employs a series of binary classifiers, which use optimised algorithms to detect different traffic classes separately. There is a decision making mechanism for dealing with controversial results from the binary classifiers. Machining learning algorithms including k-nearest neighbour, decision trees and artificial neural networks have been taken into consideration together with a kind of non-parametric statistical algorithm — Kolmogorov-Smirnov test. Besides algorithms, some parameters are also optimised locally, such as detection windows, acceptance thresholds. This hierarchical architecture gives traffic classifier more flexibility, higher accuracy and less response time.

004.6