Identifying specific network applications is a critical step for detecting network intrusion or misuse. The conventional way to identify traffic flows uses port number and DPI (Deep Packet Inspection), but it is affected by growing use of dynamic ports and encrypted traffic. Recent classification studies primarily have proposed two alternatives to classify network applications, using the statistical properties of traffic or by inferring the behavioral patterns of network applications. The main challenge is how to fully describe the activity within and among network flows in order to understand application usage and behavior. The aim of this paper is to propose and investigate a novel mechanism to define application behavior as seen through the generated network traffic. As part of describing the application behavior, the research considered the timing and pattern of user events during respective application sessions, leading to an extended traffic feature set. The data collected from six users and each user asked to browse a predefined of six applications over three months to build ground data truth. Moreover, a novel features selection approach are introduced in the field for better characterization of network application based upon burstiness. The selected features were further used to train and test a supervised C5.0 machine learning classifier. As part of validation, all applications were classified using the proposed classifier yielding a significantly high traffic classification accuracy ranging between 90-98%.

Published in: World Congress on Internet Security (WorldCIS-2017)

  • Date of Conference: 11-14 December 2017
  • DOI: 10.2053/WorldCIS.2017.0008
  • ISBN: 978-1-908320-81-0
  • Conference Location: University of Cambridge, UK