Network Traffic Identification and Classification with Machine Learning

A computer network should consist of four primary objectives: Fault tolerance, Scalability, Security, and Quality of Service (QoS). These objectives make computer networks efficient, reliable, and suitable to satisfy users' requirements. Network administrators try to continuously improve these properties to give a better experience for their customers. There are various practices network admins can implement to achieve these four main objectives related to computer networking. Knowing about the network is one of the initial and basic activities that we can commonly see in those practices. Network monitoring is the process we use to get to know about the network. Network traffic monitoring plays a significant part in computer networking. It has been used from network resources management to network security-related activities.  Network monitoring is an umbrella term that is used to combine a few other processes/techniques.

Network traffic identification and classification (TIC) is a sub-area under network traffic monitoring. TIC aims to identify network traffic based on characteristics that are embedded in network traffic packets. There are three main categories of traffic identification and classification techniques namely, Packet-based techniques, Connection patterns based techniques, Statistical based techniques. This article focuses on Statistical based techniques. However, it’s better to have some idea on Packet-based and Connection patterns-based techniques before moving on.

Packet-based TIC techniques make use of information extracted from packets' header or payload to match applications by using predefined values or rules. There are two methods in this approach: Port-based application identification and payload-signature based identification also called deep packet inspection (DPI). Both of these methods were very successful in the past but with the widespread use of dynamic ports in new applications and widespread use of encryption standards due to security concerns, these methods are not that effective in the current context. Another concern is high resource consumption, methods like DPI require high computational power due to its nature though it is concerned to be very effective for TIC activities. 

The idea behind the Connection patterns-based approach is, that each application communicates with an endpoint that has a connection pattern which can be used to identify the application. Therefore, this method does not need to consider information provided by individual packets to identify network traffic. Let's take client-server communication as an example, server and client will contact using two Ports. However, in a P2P application, a peer will connect with other peers by using multiple ports. The main issue of this approach is the lack of fine-grained application identification. However, this technique is still used in network monitoring in various situations.

Machine Learning based Traffic Classification Flow.

Statistical methods were developed to overcome issues with packet-based traffic identification techniques. In statistical methods, traffic classification is done by recognizing statistical properties that can be externally observed with data packets. Statistical methods use machine learning techniques to identify network traffic, mainly, supervised and unsupervised techniques. The statistical approach is based on the concept of flows. A flow is identified as an aggregation of data packets that have the same source IP, destination IP, source port, destination port, and protocol. Statistical properties are extracted from flow to train machine learning models. A trained model then can be deployed to identify traffic passing through the network. Applications of these techniques span a wider area in networking. Use cases can be found in intrusion detection, malware identification, DDoS protection, network capacity planning, and many more. By combining software-defined networking (SDN) with machine learning we could build networks that are dynamically configured based on the users’ requirements. Intent-based networking (IBN) could be considered as that type of an intelligent network solution. Therefore in near future, we will see a lot of machine learning-based intelligent networks in our day-to-day life.

References


Comments

  1. Santhoopa Jayawardhana6 December 2020 at 11:33

    Good article. It is interesting to see how these machine learning algorithms can be used in the field of networking.

    ReplyDelete
    Replies
    1. Osura Weerasinghe6 December 2020 at 17:05

      Thanks for the reading. Definitely, we could see cutting-edge technologies powered by AI in the very near future.

      Delete
  2. Rajitha Gamage10 December 2020 at 12:39

    Machine learning make the tasks easier. will next level be no people at organizations? Nicely written osura.

    ReplyDelete

Post a Comment

Popular posts from this blog

How Cloud Resiliency organized in Microsoft Azure

Image
Disaster avoidance and Disaster recovery are two concepts used in many industrial areas. The two terms look alike but they are somewhat different based on the situation that we use them in. Sometimes disaster avoidance is also called resiliency. In information technology, these two terms are mainly used in system engineering and system designing areas. So, what is meant by terms resiliency and recoverability? Resiliency expresses the ability to operate services even in a disruptive system event. Recovery means actions needed to perform to make a system work again when a disruption causes a system to fail. For example, resiliency is like building structures to stay stable in an earthquake situation, on the other hand, recoverability means if some disaster happens to the structure how we are going to correct that damage. So, now as we know the meaning of the two terms, let’s move to our main topic, How Cloud Resiliency is organized in Microsoft Azure. Cloud consists of a larger number of...
Read more

MalLocker.B

Image
New  Malware Affecting A ndroid Users. Malware has been there for a very long time from the beginning of computer systems. Any computer system could be a target for a malware attack. The common intention of any malware is to cause damage to computer systems. Before the era of smart devices, malware was mainly designed to attack servers, personal computers, and likewise. However, with the rapid increase of smart devices, malware attack surfaces grew rapidly. Smart devices became a comparably easy target for threat actors because of the extensive user base, less knowledge of users about the device, users trying to add various applications without checking their background, along with many other reasons. These reasons enable attackers to quickly and easily spread malware to smart devices. Ransomware is one type of malware that causes huge losses for both business and personal computer systems in current times. This type of malware holds the computer system in a captive state until t...
Read more