• DocumentCode
    2835795
  • Title

    A statistical approach to IP-level classification of network traffic

  • Author

    Crotti, Manuel ; Gringoli, Francesco ; Pelosato, Paolo ; Salgarelli, Luca

  • Author_Institution
    DEA, Università degli Studi di Brescia, via Branze, 38, 25123 Brescia, Italy. E-mail: Manuel.Crotti@ing.unibs.it
  • Volume
    1
  • fYear
    2006
  • fDate
    38869
  • Firstpage
    170
  • Lastpage
    176
  • Abstract
    Correct classification of traffic flows according to the application layer protocols that generated them is essential for most network-management, resource allocation and intrusion detection systems in TCP/IP networks. With the ever increasing number of network protocols and services running on non-standard TCP ports, the classification methods based on the analysis of the transport layer header are rapidly becoming ineffective. On the other hand, mechanisms based on full payload analysis are too computationally demanding to be run on most high-bandwidth links. Here we present a novel classification technique based on the statistical analysis of network traffic performed at the IP-level. The key idea behind our approach is to build a set of protocol fingerprints that we believe summarize, in a compact and efficient way, the main IP-level statistical properties of application layer protocols. By means of a simple, lightweight algorithm based on the notion of anomaly scores, also presented in this paper, an unknown flow can be compared against known protocol fingerprints, detecting the application that generated the flow. Our methodology is completely based on IP-level analysis: no payload analysis or port analysis is required for the classification of an unknown flow. Besides introducing our approach, we describe preliminary experimental results that show how this technique is effective in correctly classifying network traffic in a real network environment.
  • Keywords
    Communication system traffic control; Fingerprint recognition; IP networks; Intrusion detection; Payloads; Peer to peer computing; Protocols; Resource management; TCPIP; Telecommunication traffic; Traffic classification; traffic measurement;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications, 2006. ICC '06. IEEE International Conference on
  • Conference_Location
    Istanbul
  • ISSN
    8164-9547
  • Print_ISBN
    1-4244-0355-3
  • Electronic_ISBN
    8164-9547
  • Type

    conf

  • DOI
    10.1109/ICC.2006.254723
  • Filename
    4024113