On the Accuracy of Signature-based Traffic Identification Technique in IP Networks
Main Author: | |
---|---|
Format: | Conference Proceeding |
Language: | eng |
Subjects: | |
Online Access: | Order full text |
Summary: | The accurate identification of network traffic associated with application layer protocols is important to a broad range of network operations including application-specific traffic engineering, capacity planning, provisioning, and service differentiation. However, well-known port numbers can no longer be used to reliably identify network applications since there is a variety of new Internet applications that either do not use well-known port numbers or use other protocols, such as HTTP, to evade firewalls that prevent using specific applications such as P2P or instant messenger. In this article, we present a framework for identifying network traffic based on application level signatures. We first identify the application level signatures by investigating protocols and packet level traces. Then we express the identified signatures in regular expressions and apply them to an IP traffic monitoring system. Since the identification of network traffic based on packet payload characteristics is a resource-intensive job, it is required to resolve several issues to measure and analyze traffic on high-speed links. In addition, we analyze the accuracy of traffic identification using application layer signatures in comparison with the traditional port-based method. Our measurements show that the proposed technique improves the accuracy of traffic identification in that it decreases unidentified traffic by 11% compared with the port-based method. It also identifies several types of P2P and web folder traffic that would be otherwise classified incorrectly. |
DOI: | 10.1109/BCN.2007.372735 |