Unexpected means of protocol inference

Justin Ma, Kirill Levchenko, Christian Kreibich, Stefan Savage, Geoffrey M. Voelker

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

Network managers are inevitably called upon to associate network traffic with particular applications. Indeed, this operation is critical for a wide range of management functions ranging from debugging and security to analytics and policy support. Traditionally, managers have relied on application adherence to a well established global port mapping: Web traffic on port 80, mail traffic on port 25 and so on. However, a range of factors - including firewall port blocking, tunneling, dynamic port allocation, and a bloom of new distributed applications - has weakened the value of this approach. We analyze three alternative mechanisms using statistical and structural content models for automatically identifying traffic that uses the same application-layer protocol, relying solely on flow content. In this manner, known applications may be identified regardless of port number, while traffic from one unknown application will be identified as distinct from another. We evaluate each mechanism's classification performance using real-world traffic traces from multiple sites.

Original language: English (US)
Title of host publication: Proceedings of the 2006 ACM SIGCOMM Internet Measurement Conference, IMC 2006
Pages: 313-326
Number of pages: 14
DOI: https://doi.org/10.1145/1177080.1177123
State: Published - Dec 1 2006
Externally published: Yes
Event: 6th ACM SIGCOMM on Internet Measurement Conference, IMC 2006 - Rio de Janeiro, Brazil
Duration: Oct 25 2006 to Oct 27 2006

Publication series

Name: Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

Other

Other: 6th ACM SIGCOMM on Internet Measurement Conference, IMC 2006
Country: Brazil
City: Rio de Janeiro
Period: 10/25/06 to 10/27/06

Keywords

  • Application signatures
  • Network data mining
  • Protocol analysis
  • Relative entropy
  • Sequence analysis
  • Statistical content modeling
  • Traffic classification

ASJC Scopus subject areas

  • Engineering (all)

Cite this

Ma, J., Levchenko, K., Kreibich, C., Savage, S., & Voelker, G. M. (2006). Unexpected means of protocol inference. In Proceedings of the 2006 ACM SIGCOMM Internet Measurement Conference, IMC 2006 (pp. 313-326). (Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC). https://doi.org/10.1145/1177080.1177123