Automated network application classification: A competitive learning approach

The design of a sustainable application level classification system has, over the past few years, been the subject of much research by academics and industry alike. The methodologies proposed rely predominantly on predefined signatures for each protocol, applied to each passing flow in order to classify them. These signatures are often static, resulting in inaccuracies during the classification process. This problem is compounded by delays in signature update releases. This paper presents an approach toward automated signature generation, mitigating classification problems experienced with existing systems. A hierarchical system is proposed, where signatures are developed and deployed in real-time. The ideas set forth in this research are evaluated by experimentation in a live network environment. Discriminators of both encrypted and plain-text application protocol samples were recorded and automatically annotated by a Hierarchical Self-Organizing Map (HSOM). The clusters identified by the HSOM were used in a supervised training process that correctly identified protocols with an almost perfect (99% percent) success rate.