Network Traffic Classification Based on Flow Characteristics
Pavel Piskač, piskac@mail.muni.cz
DTEDI Presentation, November 14, 2011

Part I: Introduction

Usage of Protocol Detection
  - Protocol detection is used in many situations
  - One of them is suspicious activity detection

Protocol Detection Methods
  Methods compared: port numbers, DPI, behavior, flows
  Criteria: fast, precise, power consuming, works with encryption, output is groups / probability

Work Goals
  The same comparison is shown again; the flow-based approach is the one this work pursues.

Work Goals, achieved in the following steps
  One protocol detection
    - Explore one protocol
    - Detect the selected protocol
    - Implement the detection method
  General protocol detection
    - Build on the previous research
    - Find and test a clustering algorithm
    - Implement the detection method

Flow Statistics
  An ordinary flow consists of packets and the inter-packet gaps between them.
  Statistics consist of
    - Flow length
    - Information about inter-packet gap sizes
    - Information about packet sizes
  Basic expectation: the statistics are application dependent

Part II: One Protocol Detection

Detection Methods
  - Based on vector comparison
  - Only time characteristics are used
  - Methods used
    - Average distance between vectors
    - Root-mean-square distance
    - Euclidean distance
    - Angle between vectors
  - Decision according to a threshold value

SSH Protocol Detection
  - First step of our work
  - Training and learning phase
  - Based only on time characteristics
  Results:
    + Dictionary attack detection
    + Accuracy about 90 %
    + Usefulness of time characteristics
    - Unable to detect all situations

[Figure: number of possible attacks (0 to 250) plotted against time of day (18:00 to 12:00) for the average distance, RMS, Euclidean distance and angle-between-vectors methods]

Part III: General Protocol Detection

Clustering Algorithms
  - Automated division into groups
  - Based on vector comparison
  QT clustering algorithm
    + First evaluation
    + Nonrandom
    - Slow
  K-Means clustering algorithm
    + Widespread
    + Faster than QT
    - Random (result depends on the initial centroids)
    - Cannot detect the number of clusters; k must be given in advance

Main Issues
  - Minimal set of vector components
  - Minimizing influences in time characteristics caused by the network
  - Finding the core of flows

Part IV: Future Work and Conclusion

Future Work
  - Precise protocol detection
  - Programmable hardware probes
  - All data in IPFIX format

Conclusion
  - Detection of dictionary attacks on the SSH protocol
  - Minimizing influences in time characteristics caused by the network
  - The main issue: finding the core of flows

Thank You For Your Attention!
Pavel Piskač, piskac@mail.muni.cz
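The flow statistics (slide "Flow Statistics") and the four vector-comparison methods with a threshold decision (slide "Detection Methods"), carried through on constructed flows. This is an added example written for this page, not code from the presentation or from the author's implementation. The feature-vector layout, the normalisation of gaps by the flow's median gap (one way to reduce path-induced influence on the time characteristics), the training-as-mean rule, the thresholds and all packet timings are assumptions of this example; the sample flows are constructed, not captured traffic.

```python
"""Flow-statistics vectors and the four vector-comparison methods (average
distance, RMS distance, Euclidean distance, angle between vectors) with a
threshold decision. Added example; every flow below is constructed."""
import math
import statistics
from typing import Callable, Dict, List, Sequence, Tuple

Packet = Tuple[float, int]          # (arrival time in seconds, payload bytes)
Vector = List[float]


def make_flow(gaps: Sequence[float], size: int = 96) -> List[Packet]:
    """Build a constructed flow from a list of inter-packet gaps."""
    t, packets = 0.0, [(0.0, size)]
    for g in gaps:
        t += g
        packets.append((t, size))
    return packets


def inter_packet_gaps(packets: Sequence[Packet]) -> List[float]:
    times = [t for t, _ in packets]
    return [b - a for a, b in zip(times, times[1:])]


def flow_vector(packets: Sequence[Packet], time_only: bool = True) -> Vector:
    """Statistics vector: flow length (packets) plus inter-packet gap
    statistics, optionally packet-size statistics. Gaps are divided by the
    flow's median gap (an assumption of this example, not the talk's method)
    so that a uniformly slower path, e.g. a longer RTT, barely moves the
    vector; only the shape of the timing survives."""
    gaps = inter_packet_gaps(packets)
    if len(gaps) < 2:
        raise ValueError("need at least three packets for gap statistics")
    scale = statistics.median(gaps) or 1.0
    norm = [g / scale for g in gaps]
    vec = [float(len(packets)), statistics.mean(norm),
           statistics.pstdev(norm), min(norm), max(norm)]
    if not time_only:
        sizes = [s for _, s in packets]
        vec += [statistics.mean(sizes), statistics.pstdev(sizes)]
    return vec


# The four comparison methods. The raw flow-length component dominates all of
# them; standardise the components before comparing flows of very different
# lengths.
def average_distance(a: Vector, b: Vector) -> float:
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def rms_distance(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)) / len(a))


def euclidean_distance(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def angle_between(a: Vector, b: Vector) -> float:
    """Angle in radians; 0 means the vectors point the same way."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.hypot(*a), math.hypot(*b)
    return math.acos(max(-1.0, min(1.0, dot / (na * nb))))


METHODS: Dict[str, Callable[[Vector, Vector], float]] = {
    "average": average_distance, "rms": rms_distance,
    "euclidean": euclidean_distance, "angle": angle_between,
}
# Per-method thresholds chosen for this toy data (assumption).
THRESHOLDS = {"average": 0.3, "rms": 0.3, "euclidean": 0.5, "angle": 0.1}


def train_template(flows: Sequence[Sequence[Packet]]) -> Vector:
    """Learning phase: component-wise mean of the training flows' vectors."""
    vecs = [flow_vector(f) for f in flows]
    return [statistics.mean(col) for col in zip(*vecs)]


def matches(packets: Sequence[Packet], template: Vector, method: str) -> bool:
    """Detection phase: the flow is flagged when its distance to the template
    is under the method's threshold."""
    return METHODS[method](flow_vector(packets), template) <= THRESHOLDS[method]


def count_matches(flows: Sequence[Sequence[Packet]], template: Vector) -> Dict[str, int]:
    """Per-method number of flagged flows, i.e. one point of a
    'number of possible attacks' curve for each method."""
    return {m: sum(matches(f, template, m) for f in flows) for m in METHODS}


# Constructed data: dictionary-attack flows show short, regular gaps; an
# interactive session shows irregular human typing gaps.
TRAINING = [make_flow([0.05] * 7), make_flow([0.06] * 7),
            make_flow([0.05, 0.05, 0.06, 0.05, 0.05, 0.06, 0.05])]
ATTACK = make_flow([0.07, 0.08, 0.07, 0.07, 0.08, 0.07, 0.07])
INTERACTIVE = make_flow([0.4, 1.2, 0.3, 2.5, 0.2, 0.9, 3.1], size=48)

if __name__ == "__main__":
    tpl = train_template(TRAINING)
    for name, flow in (("attack-like", ATTACK), ("interactive", INTERACTIVE)):
        print(name, {m: round(f(flow_vector(flow), tpl), 3) for m, f in METHODS.items()})
    print(count_matches([ATTACK, INTERACTIVE, ATTACK], tpl))
```

Running the block prints the four distances for both test flows and a per-method count of flagged flows. The attack-like flow lands well under every threshold and the interactive one well over, but only because the two flows have the same number of packets: the first vector component is a raw packet count, and the comment above the distance functions is the caveat to take seriously before using any of these measures on real traffic.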
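The two clustering algorithms compared on the "Clustering Algorithms" slide, run on constructed flow vectors so that the two listed drawbacks of K-Means (random result, number of clusters not detected) and the nonrandom behaviour of QT clustering can be seen directly. This is an added example, not code from the presentation or the author's implementation. The two-component vectors, the QT diameter threshold, the choice of initial centroids and the use of Euclidean distance as the vector comparison are assumptions of this example.

```python
"""QT (quality threshold) clustering next to Lloyd's K-Means on constructed
flow vectors. Added example; the points are constructed, not measured."""
import math
import random
from typing import FrozenSet, List, Optional, Sequence, Tuple

Point = Tuple[float, float]   # (mean normalised gap, gap std-dev); constructed

# Three groups of four flow vectors each (constructed data).
POINTS: List[Point] = [
    (1.00, 0.05), (1.05, 0.08), (0.98, 0.04), (1.02, 0.06),   # regular, short gaps
    (1.40, 1.20), (1.35, 1.10), (1.45, 1.25), (1.38, 1.15),   # bursty
    (3.00, 0.50), (3.10, 0.55), (2.95, 0.45), (3.05, 0.52),   # one long pause
]


def qt_cluster(points: Sequence[Point], diameter: float) -> List[FrozenSet[int]]:
    """QT clustering: for every remaining point grow a candidate cluster by
    adding the closest point that keeps the diameter under the threshold,
    keep the largest candidate, remove it and repeat. Deterministic (ties are
    broken by index) and it finds the number of clusters itself, at the cost
    of a candidate search per remaining point."""
    remaining = set(range(len(points)))
    clusters: List[FrozenSet[int]] = []
    while remaining:
        best: List[int] = []
        for i in sorted(remaining):
            cand, pool = [i], remaining - {i}
            while True:
                choice, choice_d = None, diameter
                for j in sorted(pool):
                    d = max(math.dist(points[j], points[m]) for m in cand)
                    if d <= choice_d and (choice is None or d < choice_d):
                        choice, choice_d = j, d
                if choice is None:
                    break
                cand.append(choice)
                pool.remove(choice)
            if len(cand) > len(best):
                best = cand
        clusters.append(frozenset(best))
        remaining -= set(best)
    return clusters


def kmeans(points: Sequence[Point], k: int, init: Optional[Sequence[int]] = None,
           seed: int = 0, max_iter: int = 100) -> Tuple[List[FrozenSet[int]], float]:
    """Lloyd's K-Means. `init` lists the indices of the starting centroids;
    when omitted they are drawn at random from `seed`, which is exactly why
    two runs can end in different partitions. Returns (clusters, inertia),
    inertia being the sum of squared distances to the assigned centroid."""
    if init is None:
        init = random.Random(seed).sample(range(len(points)), k)
    centroids = [list(points[i]) for i in init]
    assignment: Optional[List[int]] = None
    for _ in range(max_iter):
        new_assign = [min(range(k), key=lambda c: math.dist(p, centroids[c]))
                      for p in points]
        if new_assign == assignment:
            break
        assignment = new_assign
        for c in range(k):
            members = [p for p, a in zip(points, assignment) if a == c]
            if members:                      # an empty cluster keeps its centroid
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    assert assignment is not None
    clusters = [frozenset(i for i, a in enumerate(assignment) if a == c)
                for c in range(k)]
    inertia = sum(math.dist(p, centroids[a]) ** 2 for p, a in zip(points, assignment))
    return clusters, inertia


if __name__ == "__main__":
    print("QT, diameter 0.3:", [sorted(c) for c in qt_cluster(POINTS, 0.3)])
    for init in ([0, 4, 8], [0, 1, 4]):
        cl, inertia = kmeans(POINTS, 3, init=init)
        print(f"K-Means k=3 init={init}: {[sorted(c) for c in cl]} inertia={inertia:.3f}")
    cl, inertia = kmeans(POINTS, 2, init=[0, 8])
    print("K-Means k=2 merges two groups:", [sorted(c) for c in cl])
```

With a good start (one centroid in each group) K-Means recovers the same three groups QT finds; with two centroids dropped into the same group it converges to a partition that splits that group and merges the other two, with an inertia two orders of magnitude worse, and nothing inside the algorithm reports that. QT, given only a diameter threshold, returns three clusters without being told k; the nested candidate search is what makes it slow on large flow sets.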