The Method Of Behavior-based Network Traffic Classification

Posted on: 2014-03-04
Degree: Master
Type: Thesis
Country: China
Candidate: X W Peng
GTID: 2268330422963427
Subject: Information security

Abstract/Summary:
Current methods of network traffic classification include port-based classification, classification based on deep packet inspection, machine learning-based classification, and behavior-based classification. P2P and other new types of network applications have made port-based classification no longer applicable to network traffic classification. Deep packet inspection has relatively high accuracy, but the cost of maintaining the feature database and of signature pattern matching is extremely high, especially when classifying traffic in high-volume environments. Machine learning-based classification can also reach high accuracy, but it consumes more resources, and the choice of samples has a great influence on the classification result.

Behavior-based classification needs only the basic characteristics of a flow: by analyzing NetFlow data and establishing behavior models for the various applications to identify the type of each network flow, it achieves the purpose of flow classification. The thresholds of the behavior model affect the accuracy of traffic classification and identification. If the behavior model thresholds are very strict, classification accuracy will be very high, but the recognition rate will decline. Similarity-based classification uses known flow types to infer the application type of other similar nodes or flows in the network; this method solves the problem of low recognition in network traffic classification very well.

By organizing flow information in an efficient data structure and using a fast search algorithm to classify network traffic, a behavior-based traffic classification system is implemented. The system maps domain names to IP addresses, so it can not only classify network traffic at the domain-name level but also analyze the flows from each site, achieving fine-grained traffic classification at the same time. Traffic is divided into two categories according to whether or not the application queries a domain name, and a different behavior model is then used to identify the flow type for each category, which speeds up processing. The behavior-based method can accurately identify network traffic, and the method of inferring the flow type from node and connection similarity can identify flows of unknown type. Experiments show that the system is able to accurately classify most of the traffic.
Keywords/Search Tags: Network traffic classification, Behavior characteristic, Node similarity, Connection similarity