• DocumentCode
    2065396
  • Title
    A statistical approach to TCP session classification
  • Author
    Moscalu, Tudor ; Steel, Andrew M. ; Brown, Edward D L ; Lim, Yangkind L.
  • Author_Institution
    Univ. of Virginia, Charlottesville, VA
  • fYear
    2008
  • fDate
    25-25 April 2008
  • Firstpage
    11
  • Lastpage
    16
  • Abstract
    Government computer networks need a real-time network traffic monitoring tool to detect anomalies in network traffic patterns to improve security. Specifically, they need a tool to determine if a host is using a network connection for something other than the intended use. A key step in developing this tool is creating statistical models to accurately identify the application protocols of sessions in a network without relying on port numbers, which conventionally identify them. This paper outlines the construction of these models. Specifically, it focuses on the methods used to build them, which included: structuring network data in a database, aggregating packet level data into sessions, and then identifying the key variables. The models employ variables such as the inter-arrival time between packets, the variance of those times, the distribution of TCP control flags and other information available from the packet headers. The paper examines the significance of these explanatory variables and attempts to determine which would be useful in a real-time implementation.
  • Keywords
    IP networks; Internet; government data processing; pattern classification; statistical analysis; telecommunication security; telecommunication traffic; transport protocols; Internet security; TCP control flag; TCP session classification; government computer network; network database; network traffic monitoring tool; network traffic pattern anomaly detection; packet level data aggregation; statistical approach; Computer networks; Computer security; Design engineering; Intrusion detection; Machine learning algorithms; Network servers; Systems engineering and theory; Telecommunication traffic; Traffic control; USA Councils;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Systems and Information Engineering Design Symposium, 2008. SIEDS 2008. IEEE
  • Conference_Location
    Charlottesville, VA
  • Print_ISBN
    978-1-4244-2365-1
  • Electronic_ISBN
    978-1-4244-2366-8
  • Type
    conf
  • DOI
    10.1109/SIEDS.2008.4559677
  • Filename
    4559677