Lightweight Bit Level Deep Packet Inspection Methods for Network Traffic Classification.

Abstract

With the growing population of Internet users, the number of applications on the Internet is increasing, and these users generate huge and heterogeneous network traffic. Monitoring such traffic for security analysis, load balancing, and fault detection is challenging, and network traffic classification is an important prerequisite for all of these tasks. Network traffic classification is performed by analyzing traffic with either Shallow Packet Inspection (SPI) or Deep Packet Inspection (DPI) methods. DPI methods are more accurate than SPI-based methods because they analyze packet payloads; however, they are computationally expensive. A few recent state-of-the-art works use bit-level DPI-based methods to implement computationally cheap traffic classification. Moreover, with the number of proprietary protocols on the rise and many network protocols encoding information at the bit level, it has recently been shown that bit-level signatures are more effective for identifying applications. There remains, however, a need for methods that can classify text-based, binary, and proprietary application protocols simultaneously with a single approach, without compromising classification accuracy. To fill this gap, we propose two bit-level network traffic classification methods, BitCoding and BitProb, which classify applications using bit-level application signatures. BitCoding is a supervised classification method that generates signatures from the invariant bits of application flows. Unlike other works, BitCoding uses only a small number of initial bits of each flow to generate a signature, and the signature bits are encoded using run-length coding to reduce their size; hence it is very inexpensive in storage and lightweight for signature matching. BitProb, on the other hand, generates probabilistic bit signatures for traffic classification. It uses the probability of the bit at a particular position being either 0 or 1 and produces a space-efficient signature represented as a state transition machine. It then uses the overall probability of an n-bit binary string extracted from a network flow to identify which application generated the flow. In experiments on three different datasets, both methods showed high accuracy; however, BitProb performed slightly better than BitCoding in terms of both accuracy and efficiency.
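The following is an added, simplified illustration of the BitCoding idea described above (invariant bits of the first few flow bits, run-length encoded into a compact signature); it is not the authors' implementation, and the 32-bit signature width and the two fictional protocols used as training flows are constructed assumptions.

```python
# Added illustration of the BitCoding idea from the abstract (not the authors' code).
# Assumed: only the first N_BITS bits of each flow are used; flows are raw bytes.
from typing import Dict, List, Tuple

N_BITS = 32  # assumed signature width; the paper's choice may differ
Signature = List[Tuple[str, int]]  # run-length encoded ('0' | '1' | '*', run)

def first_bits(payload: bytes, n: int = N_BITS) -> List[int]:
    """Return the first n bits of a flow's payload, MSB first."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload[:(n + 7) // 8] for i in range(8)]
    return bits[:n]

def build_signature(flows: List[bytes], n: int = N_BITS) -> Signature:
    """Mark each bit position invariant ('0'/'1') or variable ('*') across all
    training flows of one application, then run-length encode the result."""
    columns = zip(*(first_bits(f, n) for f in flows))
    symbols = [str(col[0]) if len(set(col)) == 1 else "*" for col in columns]
    rle: Signature = []
    for sym in symbols:
        if rle and rle[-1][0] == sym:
            rle[-1] = (sym, rle[-1][1] + 1)  # extend the current run
        else:
            rle.append((sym, 1))
    return rle

def matches(sig: Signature, payload: bytes, n: int = N_BITS) -> bool:
    """Walk the RLE signature against the flow: '*' runs are skipped, fixed runs
    must agree bit for bit. Flows shorter than n bits never match."""
    bits = first_bits(payload, n)
    if len(bits) < n:
        return False
    pos = 0
    for sym, run in sig:
        if sym != "*" and any(b != int(sym) for b in bits[pos:pos + run]):
            return False
        pos += run
    return True

def classify(signatures: Dict[str, Signature], payload: bytes) -> str:
    """Return the first application whose signature matches, else 'unknown'."""
    return next((app for app, sig in signatures.items() if matches(sig, payload)), "unknown")

# Constructed training flows (not real captures): two fictional binary protocols.
TRAINING = {
    "proto_a": [b"\x16\x03\x01\x00", b"\x16\x03\x03\x00", b"\x16\x03\x01\x01"],
    "proto_b": [b"\x01\x10\x00\x00", b"\x01\x20\x00\x00"],
}
SIGNATURES = {app: build_signature(flows) for app, flows in TRAINING.items()}
```

For "proto_a" the 32 bit positions collapse to 11 runs, only two of them variable, which is the storage saving the abstract attributes to run-length coding; a flow shorter than the signature width is deliberately rejected rather than partially matched.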

Parthajit Mohapatra, IIT Tirupati

Dr. Mayank Swarnkar is currently an Assistant Professor in the Computer Science and Engineering Department at the Indian Institute of Technology (BHU) Varanasi. He completed his Ph.D. at the Indian Institute of Technology Indore in 2019, his M.Tech in Wireless Communication and Computing at the Indian Institute of Information Technology Allahabad Prayagraj in 2013, and his B.E. in Information Technology at Jabalpur Engineering College in 2011. He joined IIT (BHU) in 2020. He also worked as a Software Engineer at NEC Japan during 2013-2014. His primary areas of interest are Network and System Security. He works mainly on Network Traffic Classification, Zero-Day Attacks, Intrusion Detection Systems, IoT Security Analysis, Network Protocol Vulnerability Analysis, and VoIP Spam Detection. He has several publications, including in IEEE/ACM Transactions on Networking, IEEE Transactions on Network and Service Management, and IEEE Globecom. He is a member of IEEE and ACM.