Predicting packet source and destination using data mining

The need to classify network traffic arises in a wide variety of applications ranging from intrusion detection and signature matching to improving Quality of Service. However, the classification step imposes high demands on resources such as CPU, memory and bandwidth, and often becomes a bottleneck in these applications. The resources consumed are greater if the classification is done at higher layers in the network architecture. This thesis explores the possibility of using data mining techniques to build classification models from network traffic, which can later be used for classification at low levels of the network architecture. In this research, it is shown that strong patterns can be uncovered in the IP address space corresponding to geographical origin. Preliminary tests done using only IP address and time of IP packet arrival indicate that traffic from at least certain regions can be differentiated with accuracies comparable with that achieved by much more complex systems. Patterns that can be used to identify web behavior and different autonomous systems were also found in the IP address space. The techniques described in this thesis are fast enough to enable classification at the packet level.