Fine-grained behavioral classification in the core: the issue of flow sampling

This work studies the impact of flow sampling on the accuracy of behavioral traffic classification. More precisely, we consider the case where the traffic classification engine is located at different vantage points of the network. Usually, behavioral classification is performed close to the user access network - where all the traffic exchanged by an endpoint can be observed. In this work instead we take into account the case of a classifier placed deeper in the aggregation network - where, due to load balancing or routing issues, only part of the traffic is generally observed. We use the Abacus behavioral classification engine as our case study, as it has been shown to provide accurate classification of P2P applications, by relying only on the count of packets and bytes peers exchange during fixed-length time-windows. We further consider multiple policies of flow sampling, that either reflect real router forwarding table, or allow to assess parameter impact under controlled settings. An accurate measurement campaign shows that, provided that the signature definition does not rely on absolute counters of the traffic volume (e.g., which can be achieved by means of normalization), even when signatures are computed over a minority of the traffic (e.g., about 10%) the classification is still reliable (e.g, accuracy exceeds 75%).