Unexpected means of protocol inference

Justin Ma; Kirill Levchenko; Christian Kreibich; Stefan Savage; Geoffrey M. Voelker

doi:10.1145/1177080.1177123

Unexpected means of protocol inference

Justin Ma, Kirill Levchenko, Christian Kreibich, Stefan Savage, Geoffrey M. Voelker

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Network managers are inevitably called upon to associate network traffic with particular applications. Indeed, this operation is critical for a wide range of management functions ranging from debugging and security to analytics and policy support. Traditionally, managers have relied on application adherence to a well established global port mapping: Web traffic on port 80, mail traffic on port 25 and so on. However, a range of factors - including firewall port blocking, tunneling, dynamic port allocation, and a bloom of new distributed applications - has weakened the value of this approach. We analyze three alternative mechanisms using statistical and structural content models for automatically identifying traffic that uses the same application-layer protocol, relying solely on flow content. In this manner, known applications may be identified regardless of port number, while traffic from one unknown application will be identified as distinct from another. We evaluate each mechanism's classification performance using real-world traffic traces from multiple sites.

Original language	English (US)
Title of host publication	Proceedings of the 2006 ACM SIGCOMM Internet Measurement Conference, IMC 2006
Pages	313-326
Number of pages	14
DOIs	https://doi.org/10.1145/1177080.1177123
State	Published - 2006
Externally published	Yes
Event	6th ACM SIGCOMM on Internet Measurement Conference, IMC 2006 - Rio de Janeriro, Brazil Duration: Oct 25 2006 → Oct 27 2006

Publication series

Name	Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

Other

Other	6th ACM SIGCOMM on Internet Measurement Conference, IMC 2006
Country/Territory	Brazil
City	Rio de Janeriro
Period	10/25/06 → 10/27/06

Keywords

Application signatures
Network data mining
Protocol analysis
Relative entropy
Sequence analysis
Statistical content modeling
Traffic classification

ASJC Scopus subject areas

General Engineering

Online availability

10.1145/1177080.1177123

Library availability

Discover UIUC Full Text

Cite this

Ma, J, Levchenko, K, Kreibich, C, Savage, S & Voelker, GM 2006, Unexpected means of protocol inference. in Proceedings of the 2006 ACM SIGCOMM Internet Measurement Conference, IMC 2006. Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC, pp. 313-326, 6th ACM SIGCOMM on Internet Measurement Conference, IMC 2006, Rio de Janeriro, Brazil, 10/25/06. https://doi.org/10.1145/1177080.1177123

@inproceedings{934831ab628e4025b91abe74c3d7cd5a,

title = "Unexpected means of protocol inference",

abstract = "Network managers are inevitably called upon to associate network traffic with particular applications. Indeed, this operation is critical for a wide range of management functions ranging from debugging and security to analytics and policy support. Traditionally, managers have relied on application adherence to a well established global port mapping: Web traffic on port 80, mail traffic on port 25 and so on. However, a range of factors - including firewall port blocking, tunneling, dynamic port allocation, and a bloom of new distributed applications - has weakened the value of this approach. We analyze three alternative mechanisms using statistical and structural content models for automatically identifying traffic that uses the same application-layer protocol, relying solely on flow content. In this manner, known applications may be identified regardless of port number, while traffic from one unknown application will be identified as distinct from another. We evaluate each mechanism's classification performance using real-world traffic traces from multiple sites.",

keywords = "Application signatures, Network data mining, Protocol analysis, Relative entropy, Sequence analysis, Statistical content modeling, Traffic classification",

author = "Justin Ma and Kirill Levchenko and Christian Kreibich and Stefan Savage and Voelker, \{Geoffrey M.\}",

year = "2006",

doi = "10.1145/1177080.1177123",

language = "English (US)",

isbn = "1595935614",

series = "Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC",

pages = "313--326",

booktitle = "Proceedings of the 2006 ACM SIGCOMM Internet Measurement Conference, IMC 2006",

note = "6th ACM SIGCOMM on Internet Measurement Conference, IMC 2006 ; Conference date: 25-10-2006 Through 27-10-2006",

}

TY - GEN

T1 - Unexpected means of protocol inference

AU - Ma, Justin

AU - Levchenko, Kirill

AU - Kreibich, Christian

AU - Savage, Stefan

AU - Voelker, Geoffrey M.

PY - 2006

Y1 - 2006

N2 - Network managers are inevitably called upon to associate network traffic with particular applications. Indeed, this operation is critical for a wide range of management functions ranging from debugging and security to analytics and policy support. Traditionally, managers have relied on application adherence to a well established global port mapping: Web traffic on port 80, mail traffic on port 25 and so on. However, a range of factors - including firewall port blocking, tunneling, dynamic port allocation, and a bloom of new distributed applications - has weakened the value of this approach. We analyze three alternative mechanisms using statistical and structural content models for automatically identifying traffic that uses the same application-layer protocol, relying solely on flow content. In this manner, known applications may be identified regardless of port number, while traffic from one unknown application will be identified as distinct from another. We evaluate each mechanism's classification performance using real-world traffic traces from multiple sites.

AB - Network managers are inevitably called upon to associate network traffic with particular applications. Indeed, this operation is critical for a wide range of management functions ranging from debugging and security to analytics and policy support. Traditionally, managers have relied on application adherence to a well established global port mapping: Web traffic on port 80, mail traffic on port 25 and so on. However, a range of factors - including firewall port blocking, tunneling, dynamic port allocation, and a bloom of new distributed applications - has weakened the value of this approach. We analyze three alternative mechanisms using statistical and structural content models for automatically identifying traffic that uses the same application-layer protocol, relying solely on flow content. In this manner, known applications may be identified regardless of port number, while traffic from one unknown application will be identified as distinct from another. We evaluate each mechanism's classification performance using real-world traffic traces from multiple sites.

KW - Application signatures

KW - Network data mining

KW - Protocol analysis

KW - Relative entropy

KW - Sequence analysis

KW - Statistical content modeling

KW - Traffic classification

UR - https://www.scopus.com/pages/publications/34249790654

UR - https://www.scopus.com/inward/citedby.url?scp=34249790654&partnerID=8YFLogxK

U2 - 10.1145/1177080.1177123

DO - 10.1145/1177080.1177123

M3 - Conference contribution

AN - SCOPUS:34249790654

SN - 1595935614

SN - 9781595935618

T3 - Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

SP - 313

EP - 326

BT - Proceedings of the 2006 ACM SIGCOMM Internet Measurement Conference, IMC 2006

T2 - 6th ACM SIGCOMM on Internet Measurement Conference, IMC 2006

Y2 - 25 October 2006 through 27 October 2006

ER -

Unexpected means of protocol inference

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this