
Network Measurement For Host Properties

Posted on: 2016-01-24
Degree: Master
Type: Thesis
Country: China
Candidate: H L Yu
Full Text: PDF
GTID: 2298330467491800
Subject: Computer Science and Technology

Abstract/Summary:
Network measurement is a technology for obtaining the operating parameters of a network, and it provides important data support for network management and security. Traditional network measurement methods treat packets or flows as the object of measurement and achieve their purpose by identifying and classifying them. However, with the popularity of encryption protocols and the growing number of proprietary protocols, more and more network traffic cannot be identified by packet-oriented or flow-oriented network measurement. By extracting host properties and classifying host behavior, the similarity among hosts belonging to the same class can assist in identifying network traffic that traditional measurement methods cannot identify. Host-oriented network measurement is able to use the regularities of a host's behavior and the similarity of behavior among hosts in the same class to address this degradation in recognition performance.

Host-oriented network measurement involves the following three research areas. The first is research on methods for extracting and presenting host properties. The second is host behavior classification based on host properties. The third is analysis of measurement results. Among them, the extraction and presentation methods are the basis and prerequisite for the other two, and they are also the foundational research for host-oriented measurement. This paper presents a detailed study of host property extraction and presentation methods by analyzing the contents of host traffic.

First, the properties of hosts that use plain-text protocol network services are measured and marked. Drawing on existing research results and technologies, host properties covering traffic statistics, location, connection mode, operating system type, application type and other aspects are labeled. Second, the properties of hosts that use encrypted protocol services and unknown network services are measured and marked. Machine learning algorithms are used to classify encrypted traffic and the long flows in unknown traffic, and the relevant host properties are extracted according to the classification results. In addition, all host properties are presented in three typical data types, and we develop rules to convert host properties into feature vectors for machine learning analysis and other analysis methods.

Based on the above research, we design and implement a prototype system for host property labeling and clustering analysis. The system is able to process network traffic with host-level aggregation, extract the relevant host properties, and classify hosts using a density-based clustering method. To solve the performance bottleneck of large-scale network traffic processing, this paper optimizes the key data structure, improves the parallelism of the system, and stores host properties in a high-performance in-memory database. After the performance optimization, the throughput of the system increased 3-fold and the system is able to process 70,000 packets per second.
Keywords/Search Tags: network measurement, host property, machine learning, traffic analysis