ACK utilization for traffic classification Conference Paper uri icon

abstract

  • Network traffic classification is an essential feature for network users and administrators. It allows detailed information about the various applications traversing the network, thus enabling traffic shaping, accounting, anomaly detection, etc. In this paper, we suggest a novel fingerprinting technique to automatically classify ongoing TCP and UDP flows according to the various applications which created them, thus allowing classification with high accuracy. Specifically, for TCP flows, we suggest a fingerprint based on zero-length packets, which enables efficiently classifying flows based on a single Content-Addressable Memory (CAM) rule and a limited sample set, yet with very high accuracy. Moreover, our fingerprint is robust to network conditions such as congestion, fragmentation, delay, retransmissions, duplications and losses. For UDP flows, we utilize a similar approach based on the UDP length field. The fingerprinting schemes are evaluated on a variety of real traffic traces. Results show that the schemes attain very high accuracy. In particular, our scheme attains about 97% overall accuracy for a large variety of applications, by sampling small fraction of the trafik'. The UDP scheme attains over 98% accuracy, by sampling all the UDP traffic.

publication date

  • January 1, 2016