DocumentCode
2215424
Title
Dynamic application flow cluster based on traffic behavior distance
Author
Bichen Peng ; Wei Guo ; Daiping Liu ; Jianming Fu
Author_Institution
Sch. of Comput., Wuhan Univ., Wuhan, China
Volume
1
fYear
2010
fDate
20-22 Aug. 2010
Abstract
New network applications as well as security threats are emerging in an endless stream. However, existing methods cannot efficiently identify and classify the new-born application traffic, which makes it difficult for network administrators to learn about the status of the current network. This paper presents a method to dynamically cluster application flows. In this method, an unsupervised classification algorithm, X-means, is used to dynamically analyze network traffic, and cluster flows with similar behavior to one aggregation, which may be generated by the same application or malware. In this paper, we propose the concept of traffic behavior distance, which is based on Euclidean Distance, in order to compute the similarity of flows. Based on the generated traffic clusters, administrators can easily learn about what applications are running and whether there's a new application or anomaly. The results of the experiment show good performance of our proposed method.
Keywords
computer network security; invasive software; pattern classification; pattern clustering; Euclidean distance; X-means classification algorithm; application traffic classification; dynamic application flow cluster; malware; security threats; traffic behavior distance; unsupervised classification algorithm; X-means; application classification; flow cluster; traffic behavior distance;
fLanguage
English
Publisher
ieee
Conference_Titel
Advanced Computer Theory and Engineering (ICACTE), 2010 3rd International Conference on
Conference_Location
Chengdu
ISSN
2154-7491
Print_ISBN
978-1-4244-6539-2
Type
conf
DOI
10.1109/ICACTE.2010.5579013
Filename
5579013