KR20150019280A - Apparatus and method for Internet traffic classification - Google Patents

Abstract

The purpose of the present invention is to provide an apparatus and method for classifying Internet traffic, which classify applications with a high classification difficulty level. The apparatus for classifying Internet traffic includes a connection information detecting unit configured to detect information on a network, an information calculating unit configured to calculate numerical values for determining groups based on the detected connection information, a group assigning unit configured to classify groups of packets that are the connection information based on the calculated numerical values, and an evaluation unit configured to measure a misclassification probability of the classified groups. The apparatus for classifying Internet traffic determines the degree of similarity between data on the network and discriminates similar data packets.

Description

[0001] Apparatus and method for Internet traffic classification [

The present invention relates to a packet classification technique using statistical characteristics of network traffic data, and more particularly to an Internet traffic classification technique using a Markov model and a Kullback Leibler information.

Traditional packet classification techniques are port or payload based. Port-based techniques classify packets based on the ports listed in the packet. Recently, however, the utility of this technique has been hampered by the fact that many applications, such as peer-to-peer applications, use dynamic or unpredictable port numbers. On the other hand, the payload-based technique or the deep packet inspection (DPI) technique captures the pattern of the application by deeply analyzing the contents of the packet. However, this method is also limited by frequent changes of packet format, packet encryption, and increase of packet analysis cost. Therefore, a packet classification technique using statistical characteristics of network traffic data is emerging.

Machine learning techniques can be divided into self-learning or instructional learning. A technique called autonomous learning or non-supervised learning or clustering works based only on the similarity of network traffic data. Clustering is used when there is insufficient or no training traffic data. Autonomous learning aggregates unlabeled packets into a cluster of related packets. The K-means technique that expresses the feature vectors of each flow as a point in the ρ-dimensional space and classifies flows that are close to each other in the space into the same cluster is an example of autonomous learning.

Supervised Learning is a technique that uses training traffic data that knows the application name. In this method, a pattern of the application packet data is grasped, and the application name is inferred through pattern matching for a packet whose name is unknown. Map learning begins with a packet class whose label is known. Packet size, packet direction, and inter-packet arrival time are extracted for each packet class and used to train a model that represents the class. Roughan et al. Proposed the use of modeling techniques such as NN (Nearest Neighbors), LDA (Linear Discriminate Analysis) and QDA (Quadratic Discriminant Analysis), and Moore and Zuev proposed naive And Crotti et al. Propose that lightweight and efficient traffic characteristics are expressed using PDF fingerprint of packet vector, packet vector, and packet arrival time for each packet class.

 In addition, there have been many attempts to improve the efficiency of map learning. Nguyen and Armitage proposed a technique to generate multiple subflows by sampling packets at various locations during the packet transmission period. Most packet classification techniques capture the entire flow or capture and sample the first few packets of a flow. Their claim is that capturing the entire packet is too time-consuming and it is not always possible to detect the beginning of the packet will be. Instead, the technique traverses the model with multiple sub-flows by capturing packets from here and there, even after the packet transfer has already begun.

Another effort to classify packets is to consider not only the statistical characteristics of the packets but also the time series characteristics. Dainotti et al., Or Mu and Wu express traffic class using Hidden Markov Models. In Munz et al., We propose a statistical and time-series technique for lightweight and efficient packets compared to HMMs using simple Markov models with 8 states and 4 stages. Zhang et al. Propose to create a bag of flows and classify the packets in this flowback unit. Classification of packets by flowback unit improves packet classification accuracy when flow rate of wrongly classified packets is small, compared to classifying each flow separately. This is because the flows that occupy a large number in the bag are classified into the classes that are properly matched, so that the class classification of the bag is correct and thus the flows that are misclassified are removed.

The proposed method combines the Bagof-Of-Flow (BOF) technique with Munz's Markov model. We believe that the Markov model of Munz is simple and effective to capture the characteristics of traffic, and the BOF concept plays an important role in improving the accuracy of the classification. However, applying BOF to packet classification soon does not always produce the best results if traffic classes have similar characteristics (for example, SMTP and IMAP classes). The present invention is proposed to solve such a problem.

[1] Akaike, H., Information theory and an extension of the maximum likelihood principle. 2nd International Symposium on Information Theory, Budapest, 267-281. 1973. [2] Bernaille, L. Teixeira, R., Salamatian, K., "Early application identification," Proc. of ACM International Conference on Emerging Network Experiments and Technologies (CoNEXT) 2006, Lisboa, Portugal 2006. [3] Cover, T. and THOMAS, J., "Elements of Information Theory," John Wiley and Sons, NY, 1991. [4] Crotti, M., Dusi, M., Gringoli, F., and Salgarelli, M., "Traffic classification through simple statistical fingerprinting," SIGCOMM Comput. Commun. Rev., vol. 37, no. 1, pp. 5-16, 2007. [5] Dainotti, A., Donato W. D., and Pescape, A., "TIE: A Community-oriented Traffic Classification Platform," Lecture Notes in Computer Science, Vol. 5537, pp 64-74, 2009. [6] Dainotti, A., Pescape, A., and Claffy, K. C., "Issues and Future Directions in Traffic Classification," IEEE Network, January, 2012. [7] Dainotti, A., Donato W. D., Pescape, A., and Rossi, P. S., "Classification of Network Traffic Via Packet-level Hidden Markov Models," Proc. of IEEE Global Telecommunications Conference, Nov. 2008. [8] Erman, J., Mahanti, A., Arlitt, M., Cohen, I., and Willamson, C. "Performance Evaluation, Vol. 64, pp. 1194 -1213, 2007. [9] Estevez-Tapiador, J. M., Garcia-Teodoro, P., and Diaz-Verdego, J.E., "Stochastic Protocol Modeling for Anormaly Based Network Intrusion Detection," Proc. of IEEE International Workshop on Information Assurance, March, 2003. [10] Heetal, S., Shinde, S., and Abhang, S. P., "State of Art Survey of Network Traffic Classification," International Journal of Computer Applications, 2011. [11] Karagiannis, T., Broido, A., Brownlee, N., Claffy, K., "Is P2P dying or just hiding ?," Proc. 47th annual IEEE Global Telecommunications Conference (Globecom 2004), Dallas, Texas, USA, November / December 2004. "A Network Traffic Classification Benchmark," ACM SIGCOMM Computer Communication Review, Vol., Vol. 12, No. 1, pp. . 4, No. 1, Jan. 2011. [13] Monrose, F. and Masson, G., "HMM Profiles for Network Traffic Classification," Proc. of Workshop on Visualization and Data Mining for Computer Security, pp 9-15, Oct. 2004. [14] Moore, A., and Zuev, D., "Internet traffic classification using Bayesian analysis techniques," ACM International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS) 2005, Banff, Alberta, Canada, June 2005. [15] Mu., X., Wu, W., and Enabled C., "A Parallelized Netowrk Traffic Classification Based on Hidden Markov Model," Distributed Computing and Knowledge Discovery, Oct., 2011. [16] Munz, G., Dai, H., Braum, L., and Carle, G., "TCP Traffic Classification Using Markov Models," TMA'10 Proceedings of the Second International Conference, pp. 127-140, 2010. [17] Nguyen, T., and Armitage, G., "Training on multiple sub-flows to optimize the use of machine learning classifiers in real-world IP networks," Proc. IEEE 31st Conference on Local Computer Networks, Tampa, Florida, USA, November 2006. [18] Nguyen Thuy T. and Armitage, G., "Survey of Techniques for Internet Traffic Classification Using Machine Learning," IEEE Communications Surveys and Tutorials, Vol. 10, No. 4, 2008. [19] Roughan, M., Sen, S., Spatscheck, O., and Duffield, N., "Class-of-service mapping for QoS: A statistical signature-based approach to IP traffic classification," Proc. ACM / SIGCOMM Internet Measurement Conference (IMC) 2004, Taormina, Sicily, Italy, October 2004. [20] Zhang J., Xiang, Y. Wang Y., Zhou, W., Xiang, Yong, and Guan, Y., "Network Traffic Classification Using Correlation Information," IEEE Trans. on parallel and distributed systems, Vol. 24, No. 1, pp. 104-117, Jan., 2013.

 SUMMARY OF THE INVENTION It is an object of the present invention to provide an Internet traffic classification apparatus and method for classifying applications having a high classification difficulty.

It is another object of the present invention to provide an Internet traffic classification apparatus that solves the problem that the classification performance drops sharply when traffic patterns overlap at a high rate.

A connection information detecting unit for detecting connection information of a network, an information calculating unit for calculating a value for determining a group based on the detected connection information, a group dividing unit for dividing the group of packets, which are the connection information, It can include government.

Wherein the information operation unit comprises: a bag forming unit for forming a bag based on the connection information; a Markov model generating unit for generating a Markov model based on the formed bag; And a Markov model calculation unit for calculating a value of the Markov model.

The bag forming unit may form bags on the basis of the first four packets detected by the connection information detecting unit.

The Markov model generation unit may generate a training Markov model of the application based on the formed bag, and generate a verification Markov model for comparison with the training Markov model of the generated application based on the formed bag And a verification model generation unit.

The Markov model generating unit may generate a Markov model by using a transition probability matrix and an initial probability distribution of a finite state space.

The training model generation unit may generate a Markov model of an SMTP application and an IMAP application based on the formed bag.

The verification model generation unit may form a Markov model corresponding to relevant connections based on the formed bag.

The Markov model operation unit includes an observation value operation unit for calculating an observation value, which is a frequency at which a certain pattern is observed in the Markov model based on the Markov model generated by the Markov model generation unit, a predetermined pattern in the Markov model based on the observation value And a likelihood calculator for calculating a likelihood that is likely to be observed.

The group allocator may measure a divergence value based on a value for determining the group, and may include a group calculator for selecting a group based on the calculated divergence value .

The cool bag librer information calculation unit may calculate the cool bag librer information based on the possibility of the training Markov model calculated by the information calculation unit and the likelihood of the verification Markov model to measure the divergence value.

The group calculator may select a group by comparing the measured divergence values.

And an evaluation unit for measuring a misclassification probability of the classified group.

Detecting connection information of the network, computing a value based on the connection information to determine a group, and classifying the group based on the calculated numerical value.

The step of calculating the group value includes the steps of: forming a bag based on the network information; generating a Markov model based on the formed bag; calculating, based on the generated Markov model, And calculating a value for the operation.

The step of forming the bag may form a bag based on the first four packets detected in the step of detecting connection information of the network.

The step of generating the Markov model may include generating a training Markov model of the application based on the formed bag and generating a verification Markov model for comparison with the training Markov model of the generated application based on the formed bag Step < / RTI >

The step of generating the Markov model may include a step of generating a Markov model based on the transition probability matrix and the initial probability distribution of the finite state space.

The step of generating the training Markov model may include generating a Markov model of an SMTP application and an IMAP application based on the formed bag.

The generating the verification Markov model may form a Markov model of related connections based on the formed bag.

The step of calculating the value for the cool bag librer information calculation may include calculating an observation value that is a frequency at which a certain pattern is observed in the Markov model based on the Markov model generated at the step of generating the Markov model, And calculating a likelihood that a certain pattern is observed in the Markov model based on the observed value.

The step of classifying the group may include a step of measuring a cool-white-libler divergence value based on the values for determining the group, and a step of selecting a group based on the calculated divergence value.

The step of measuring the cool-white-libler divergence value may include calculating a cool-white-libler information based on the likelihood of the training Markov model calculated in the step of calculating the group to determine the group and the likelihood of the verification Markov model, And measuring the temperature of the liquid.

In the step of selecting the group, the group can be selected by comparing the measured divergence values.

The method may further include measuring a misclassification probability of the classified group.

According to the Internet traffic classification apparatus and method of the present invention, it is possible to provide an Internet traffic classification apparatus capable of classifying applications having high classification difficulty by using a Markov model-based classification scheme using a Koolback Leibler distance.

The proposed method combines the Markov model based classification scheme using Koolbag liebler information and the technique of including the traffic related to the same back into the same bag so that even if the traffic pattern overlaps at a high rate, have.

1 is a block diagram illustrating a configuration of an Internet traffic classification apparatus according to an embodiment of the present invention.
2 is a block diagram illustrating the configuration of an information determination unit of an Internet traffic classification apparatus according to an embodiment of the present invention.
3 is a block diagram illustrating a configuration of a Markov model generation unit of an Internet traffic classification apparatus according to an embodiment of the present invention.
4 is a block diagram illustrating a configuration of a Markov model operation unit of an Internet traffic classification apparatus according to an embodiment of the present invention.
5 is a block diagram illustrating the configuration of a grouping unit of an Internet traffic classification apparatus according to an embodiment of the present invention.
FIG. 6 is a table showing evaluation measures in the evaluation unit of the Internet traffic classification apparatus according to the embodiment of the present invention. FIG.
FIG. 7 is a table in which a virtual model for implementing a simulator of an Internet traffic classification apparatus according to an embodiment of the present invention is set.
8 is a table showing comparison of performance measurement results of actual traffic data in the Internet traffic classification apparatus according to an embodiment of the present invention.
FIG. 9 is a flowchart illustrating a process of performing an Internet traffic classification method according to an embodiment of the present invention.

Hereinafter, an Internet traffic classification apparatus and method according to the present invention will be described in detail with reference to the accompanying drawings. The structure and operation of the present invention shown in the drawings and described by the drawings are described as at least one embodiment, and the technical ideas and the core structure and operation of the present invention are not limited thereby.

Although the terms used in the present invention have been selected in consideration of the functions of the present invention, it is possible to use general terms that are currently widely used, but this may vary depending on the intention or custom of a person skilled in the art or the emergence of new technology. Also, in certain cases, there may be a term selected arbitrarily by the applicant, in which case the meaning thereof will be described in detail in the description of the corresponding invention. Therefore, it is to be understood that the term used in the present invention should be defined based on the meaning of the term rather than the name of the term, and on the contents of the present invention throughout.

에 의하여 정해진다.In the Markov model, a discrete Markov model {M (t), t = 1, ..., m} having a finite state space S = {1, ..., n} The matrix P = {p _ij } and the initial probability distribution of the state space S

Lt; / RTI >

The Kullback Libler information is well known as a dissimilarity measure between two probability distributions. Assume that n observations randomly extracted from the unknown true probability distribution G (x) are {x ₁ , ..., x _n } and F (x) is an arbitrary probability distribution. The fit of the model defined by F (x) is assumed to be evaluated as the similarity as the probability distribution with G (x), the true distribution. Akaike proposed to use [Equation 2] as the coolbag libler information (or divergence).

Where E _G is the expected value for the probability distribution G. The relative entropy for the Kullbacker information or F for G is given by Equation (3) in the discrete distribution.

Where g and f represent the probability mass function of F of the distribution function G, respectively.

In the evaluation of classification methods, the performance of classification can be calculated by measuring error rate or misclassification probability. In the binary classification, the total classification probability (TPM) is defined as [Equation 4].

Pr (? ₁ ) in Equation (4) represents the prior probability of class k.

And recall and precision defined in Munz and Zhang as shown in [Equation 5] and F - Measurements are used to evaluate performance per class.

Let N be the total number of observations belonging to one class. Then, the evaluation measure can be represented by a simple 2 × 2 frequency distribution table as shown in [Table 1].

predicted class 1 predicted class 2 Total True Class 1 n ₁₁ n ₁₂ n ₁ . True Class 2 n ₂₁ n ₂₂ n ₂ . Total n. _One n. ₂ N

Thus, recall ₁ is the correct ratio of application 1 to application 1, and precision ₂ is the correct ratio of all connections classified as application 2. The F-measure represents the overall accuracy as a harmonic average of recall and precision. Based on the empirical measure above, the TPM is estimated as: " (7) "

1 is a block diagram illustrating a configuration of an Internet traffic classification apparatus according to an embodiment of the present invention.

Referring to FIG. 1, the Internet traffic classification apparatus 1 may include a control unit 10 and a network interface unit 20.

The network interface unit 20 receives packets from the network. The network may consist of a backbone network and a subscriber network. The backbone network may be composed of one or a plurality of integrated networks of X.25 network, Frame Relay network, ATM network, MPLS (Multi Protocol Label Switching) network and GMPLS (Generalized Multi Protocol Label Switching) network. The subscriber network may be a fiber to the home (FTTH), an asymmetric digital subscriber line (ADSL), a cable network, a wireless LAN (IEEE 802.11b, IEEE 802.11a, IEEE 802.11g, IEEE 802.11n), WIBro HSDPA (High Speed Downlink Packet Access). In some embodiments, the network may be an Internet network and may be a mobile communication network.

The Internet traffic classification device 1 may be a personal computer system such as a network device, a server desktop, a laptop, a tablet or a handheld computer. Network devices include routers, switching equipment, gateways, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS)

The control unit 10 may be implemented on a single chip, a plurality of chips, or a plurality of electrical components. Various architectures may be used for the control unit 10, including, for example, a dedicated or embedded processor, a single purpose processor, a controller, an ASIC,

The control unit 10 may include a connection information detecting unit 100, an information calculating unit 200, a grouping unit 300, and an evaluating unit 400.

The connection information detection unit 100 can detect information transmitted on the network and transmit the information to the information operation unit 200.

The connection information may be information transmitted over a Transmission Control Protocol (TCP) connection over the Internet. The connection information may be information transmitted from the client to the server and information transmitted from the server to the client. Also, the connection information may be network traffic data.

The information operation unit 200 can calculate and determine information by the operation method input to the information operation unit 200 based on the transmitted connection information. The information computing unit 200 can generate a Markov model and calculate the generated Markov model. The Markov model calculated by the information operation unit 200 may be transmitted to the group assignment unit 300.

The group assignment unit 300 can select a group based on the calculated Markov model. The group may be a group that distinguishes Internet traffic information. The determined group may be transmitted to the evaluation unit 400. [

The evaluation unit 400 may calculate the error rate or the misclassification probability of the determined group.

2 is a block diagram illustrating the configuration of an information determination unit of an Internet traffic classification apparatus according to an embodiment of the present invention.

Referring to FIG. 2, the information operation unit 200 may include a bag forming unit 210, a Markov model generating unit 220, and a Markov model calculating unit 230.

The bag forming unit 210 may form a bag with the first four packets of the connection information transmitted from the connection information detecting unit 100. [ The packet may be a port number.

The bag forming unit 210 places emphasis on application SMTP (port 25) and IMAP (port 143), in which the tendency of traffic is difficult to classify by existing classification methods. Since Bernaille said that the first four packets in the TCP connection can accurately classify known applications, the bag forming unit 210 can form a bag with only the first four packets exchanged.

There are several ways to form a bag of connections. Zhang et al. Used a "flow" concept consisting of five highly similar packets with the same values (source IP, source port, destination IP, destination port, protocol). They created a BOF instead of an individual connection and assigned assignments to the BOF group.

The bag forming unit 210 has created the bag concept only by the port number. Formation of a bag having the same five values is time-consuming and may not be suitable for real-time classification. Therefore, the method of the present invention can be used quickly and conveniently although the correlation is slightly lower than that of BOF.

The state space in the back is defined by a combination of four directions ([0, 99], [100, 299], [300, MSS-1], [MSS]) of packet direction and payload length. The value of the maximum sequence size (MSS) is exchanged at the transmission control protocol connection. Since there are two directions in the direction of a client from a server or from a server to a client, each step has n different states. Thus, the model of the present invention is a 4-step left-to-right model and the state space is S = {0, 1, ..., 7}. The state from 0 to 3 indicates the payload length interval from the client to the server, and the states from 4 to 7 indicate the length of the client to server direction.

For example, in the status sequence 0-4-1-4, if the client sends a packet of size [0, 99] bytes for the first time (after handshake), the server responds with a packet of [0, 99] bytes, If you send a packet of size [100, 299], the server may be the last to respond with a packet of size [0, 99].

Examining the status sequences of SMTP and IMAP in the training data of the present invention, it was confirmed that 0-4-1-4 is the most frequent sequence in both applications. In addition, they share the sequence of 1-4-1-4 and 0-4-0-4. In an embodiment of the present invention, the classification model can be described as having only two shared sequences (0-4-1-4, 1-4-1-4). And can be extended as a result of including a unique sequence for each application thereafter.

The Markov model generation unit 220 can generate a Markov model based on bags grouped in the bag formation unit 210. [ The Markov model may be a training Markov model and a Verification Markov model.

For the formed bag, Markov models M ^TE , M ^k Can be generated. M ^TE May be a verification Markov model, ^Mk Can be a training Markov model.

The generated Markov model may be transmitted to the Markov model operation unit 230.

The Markov model operation unit 230 can calculate an observation value that is a frequency at which a certain pattern is observed based on the Markov model transmitted from the Markov model generation unit 220. [ Also, it is possible to calculate the likelihood that the observed value is likely to be observed in the Markov model based on the observed value. The calculated likelihood may be transmitted to the cool bag librer information calculation unit 240.

3 is a block diagram illustrating a configuration of a Markov model generation unit of an Internet traffic classification apparatus according to an embodiment of the present invention.

Referring to FIG. 3, the Markov model generation unit 220 may include a training model generation unit 222 and a verification model generation unit 224.

The training model generation unit 222 may be a training Markov model. The training Markov model may be a Markov model for a specific application.

The training model generation unit 222 can generate a separate Markov model for each known network application. The Markov model generated from the application k of the training model generation unit 222 may be M _k ^TR (t). Munz et al. Can use the transition probability and probability distributions for initial probability distributions.

The verification model generation unit 224 may be a verification Markov model. The verification model generation unit 224 can generate a Markov model for each connection or generate a Markov model for each group of related connections. It is possible to generate the Markov model M _k ^TR (t) as in the training model generation unit 222 for each connection group.

4 is a block diagram illustrating a configuration of a Markov model operation unit of an Internet traffic classification apparatus according to an embodiment of the present invention.

Referring to FIG. 4, the Markov model operation unit 230 may include an observed value operation unit 232 and a likelihood operation unit 234.

The sharing patterns in the training model generation unit 222 may be 0-4-1-4 and 1-4-1-4. M _k may be a Markov model of application k.

In the observed value calculation unit 232, the two patterns can be referred to as the observed values O ₁ (0-4-1-4) and O ₂ (1-4-1-4) of the Markov model. The proportions of O ₁ in App ₁ and App ₂ can be p ₁ and p ₂ , respectively. The initial state probability of each model can be expressed by Equation (8) according to k = 1, 2.

Since there are four steps in the present invention, an initial state probability distribution and three transition probability matrices are required to calculate the probability of the observed value of the Markov model. P _ij ^k is a step transition probability from the state i to the state j at M _k , and can be calculated from the following equation (9).

In each model, three transition matrices P ₁₂ ^k , P ₂₃ ^k and P ₃₄ ^k can be generated based on the frequencies of observations O ₁ and O ₂ . The first two transition matrices are as in Equation (10) and the remaining P ₃₄ ^k can be similarly obtained.

The likelihood calculator 234 can calculate the degree of likelihood based on the observed values calculated by the observed value calculator 232. Possible operation unit 234 when defined as when the O ₁ and O ₂ calculated from the observed value calculating section 232 be called only two observations of a Markov model, Equation 11, for each connection l _k (O _j ) Is a possible value of the observed value O _j in the model M _k .

Each likelihood can be [Equation 12].

5 is a block diagram illustrating the configuration of a grouping unit of an Internet traffic classification apparatus according to an embodiment of the present invention.

The group assigning unit 300 may include a cool bag librer information calculating unit 310 and a group calculating unit 320.

The cool back liebler information calculation unit 310 can measure the divergence value by calculating the cool back liebler information I (M ^TE ; M ₁ ) and I (M ^TE ; M ₂ ). That is, k = 1, 2 is expressed by Equation (13).

In Equation 13, l ^TE (O _j ) and l ^TR (O _j ) are likelihood values of the observed value O _{j in} the verification Markov model and the training Markov model. In the present invention, since the Markov model consists of 4 stages and 8 state spaces, the total number of possible observations can be 8 ⁴ = 4096. L _k ^TR (O _j ) = 0 and l _k ^TR (O _j ) = 10 ^-5 is used for j where ^TE (O _j ) ≠ 0 in order to avoid the case of dividing by 0 in Equation (13) .

The group calculating unit 320 may calculate the group by comparing the divergence values calculated by the coolbag reveler information calculating unit 310. [ If I (M ^TE ; M ₁ ) < I (M ^TE ; M ₂ ), then the verification connection group may be assigned M ₁ . If I (M ^TE ; M ₁ )> I (M ^TE ; M ₂ ), then the verification connection group can be assigned to M ₂ .

There may also be other methods of group assignment other than a cool bag librer. There may be a Majority method in these other ways. The Majority method can be a method of assigning the entire group to the most assigned of each individual assignment.

Another group assignment method is the 4096d assignment method. The 4096d assignment method is based on the Euclidean distance in the 4096 dimension. Since the present invention has 8 ⁴ = 4096 possible observations, one BOF of size n can be associated with a point on space of 4096 dimension. For example, if the verification BOF of size 10 consists of 4 O1, 2 O2, 1 O4, and 3 O5, then this BOF has 4096 dimensional spatial coordinates (4, 2, 0, 1, 3, 0 , ..., 0). After the appropriate standardization process, the class of the verification BOF can be determined using the Euclidean distance.

FIG. 6 is a table showing evaluation measures in the evaluation unit of the Internet traffic classification apparatus according to the embodiment of the present invention. FIG.

Referring to FIG. 6, the recall calculation formula can be applied even when the number of patterns is three or more. To get the precision, we need to know the ratio r between App1 and App2 and apply Bayes theorem. If you do not know the ratio of the two applications, you can assume r = 1.

Based on the above recall and precision, an F-measure can be obtained as shown in Equation (14).

Also, when the group is allocated by applying another method other than the cool bag librer information according to the embodiment of the present invention, the evaluation measure can be calculated.

In the case of majority, X _k is the number of observations O _{1 in} the group of size n in model M _k . At this time, X _k follows the binomial distribution. That is, X _k ~ Bin (n, p _k ). Then P (X ₁ > n / 2) can be the probability that the group is assigned to M ₁ . Therefore, recall and precision can be calculated as shown in [Table 2]. P (X _k = n / 2) is the probability to classify as undefined.

M1 M2 recall

precision

undecided

In the case of the 4096d method, the evaluation measure can be calculated using the polynomial distribution instead of the binomial distribution.

Also, evaluation measures can be calculated when classification as individual assignment as well as group assignment. Individual assignments are performed according to the likelihood of the observations. Therefore, the decision rule classifies O _j as [Equation 15].

이고

이므로 O₁이 관측되면 App1으로 O₂이면 App2로 배정한다. 확률은 희박하지만 만일 p₁ = p₂이면 undecided로 한다. 결정규칙이 주어지면 평가측도 recall은 [수학식 16]와 같다.For convenience of calculation, p ₁ > p ₂ .

ego

If so O ₁ is observed when O ₂ is assigned to the App1 App2. The probability is small, but if p ₁ = p _2, it is undecided. If a decision rule is given, the evaluation measure recall is as shown in [Equation 16].

Where P _k (O _j ) denotes the ratio of the observed value O _j in the model M _k and I _A is the indicator function of the set A. The above recall formula can be applied even if the pattern is three or more. To get the precision, we need to know the ratio r between App1 and App2 and apply Bayes theorem. If you do not know the ratio of the two applications, you can assume r = 1. The evaluation measures are summarized in [Table 3] below.

M1 M2 recall p1 1-p2
precision

FIG. 7 is a table in which a virtual model for implementing a simulator of an Internet traffic classification apparatus according to an embodiment of the present invention is set.

Referring to FIG. 7, in the following notation, capital letters are used to indicate an evaluation measure, and the suffix indicates an application as before.

R _k Is the recall _{k ,} P _k Is the precision _k , F _k Is an F-measure, U _k is undecided _k , Maj is Majority, and KL is a Kullback librer.

In the first simulation, p ₁ = 0.6, q ₁ = 0.4, p ₂ = 0.5, and q ₂ = 0.5 are set.

group

Performance measure

Maj 10 .6331 .6268 .6299 .2007 .3770 .6940 .4885 .2461 100 .9729 .6789 .7997 .0103 .4602 .9649 .6232 .0796 K-L 10 .6331 .6268 .6299 0 .6230 .6294 .6262 0 100 .8211 .8582 .8393 0 .8644 .8285 .8461 0 4096d 10 .6331 .6268 .6299 0 .6230 .6294 .6262 0 100 .8689 .8252 .8465 0 .8159 .8616 .8381 0 Individual Assignments .6 .5454 .5714 0 .5 .5555 .5263 0

The first simulation is when there are only two patterns. As expected, group assignments show better performance than individual assignments. And KL and 4096d show better results than Maj. In this case, the value of low R ₂ in individual doses (50%) and Maj (46%) increases to 86% in KL of size 100. In model M ₂ , O ₁ and O ₂ are 50% each, so in the case of individual assignment and Maj, the actual half of App 2 is incorrectly assigned to App 1. However, even in this case, KL improves performance when the group size increases.

In the second simulation, it is similar to the first simulation, but there are additional patterns in Application 2. In the second simulation, p ₁ = 0.6, q ₁ = 0.4, p ₂ = 0.5, and q ₂ = 0.4 are set.

group

Performance measure

Maj 10 One .5004 .6670 0 1.4e-04 One 2.9e-04 1.4e-03 100 One .5 .6667 0 6.3e-25 One 1.2e-24 5.1e-24 K-L 10 One .7415 .8515 0 .6513 One .7888 0 100 One .9999 .9999 0 .9999 One .9999 0 4096d 10 .6331 .6513 .6421 0 .6611 .6431 .6519 0 100 .9729 .9196 .9455 0 .9150 .9712 .8423 0 Individual Assignments One .5263 .6897 0 .One One .1818 0

In the second simulation, individual assignment is better than group assignment Maj, or both R ₂ and F ₂ show very poor performance. KL has a high performance of 99%.

In the third simulation, p ₁ = 0.6, q ₁ = 0.3, p ₂ = 0.5, and q ₂ = 0.4 are set.

group

Performance measure

Maj 10 .8497 .6927 .7632 1.0e-01 .3770 .8884 .5293 .2461 100 .9999 .6848 .8129 1.3e-05 .4602 .9999 .6303 .0796 K-L 10 .8463 .8973 .8710 0 .9031 .8546 .8782 0 100 .9999 .9999 .9999 0 .9999 .9999 .9999 0 4096d 10 .7704 .7866 .7784 0 .7910 .7750 .7830 0 100 .9857 .9808 .9832 0 .9807 .9856 .9831 0 Individual Assignments .7 .5833 .6363 0 .5 .6250 .5560 0

In the third simulation, a unique pattern is added for each application. K-L still has the best performance, but the difference from 4096d is reduced compared to the second simulation. That is, the K-L method shows relatively better performance when there is only one pattern on either side.

In the fourth simulation, p ₁ = 0.56, q ₁ = 0.11, p ₂ = 0.46, and q ₂ = 0.07 are set.

group

Performance measure

Maj 10 One .6884 .8155 0 .3057 One .4682 .2417 100 One .5909 .7429 0 .2413 One .3888 .0665 K-L 10 One .9982 .9991 0 .9983 One .9991 0 100 One One One 0 One One One 0 4096d 10 One .9830 .9914 0 .9827 One .9913 0 100 One One One 0 One One One 0 Individual Assignments One .6536 .7905 0 .47 One .6395 0

The fourth simulation is the closest to the actual network traffic situation. Maj has shown worse results than individual assignments in most cases. On the other hand, the K-L and 4096d show excellent performance as before.

8 is a table showing comparison of performance measurement results of actual traffic data in the Internet traffic classification apparatus according to an embodiment of the present invention.

Referring to FIG. 8, actual packet traces are collected to simulate the situation of a network according to an embodiment of the present invention. We then used the pcap library function to extract valid TCP connections from these traces. For purposes of the present invention, a valid TCP connection is a TCP connection where communication between a client and a server begins with a three-way TCP handshake and at least four packets are then exchanged. The present invention distinguished SMTP (port 25) and IMAP (port 143) connections among them. The trace files provided in the actual network environment are so large that the SMTP connection obtained in the above method reaches 160,000 and IMAP reaches 30,000 connections. These connections were classified into a training set and a testing set using a 10-point cross validation technique. In other words, arbitrary 10-point 9 linkages were extracted and used to train the target Markov model and the remaining 10-point 1 link was used for testing purposes. For each connection, the three-way TCP handshake (SYN, SYN / ACK, final ACK) was removed and only the first four packets of the packets after the handshake were extracted.

Table 8 shows the total number of IMAP packets and the number of SMTP packets observed for each observation period for a given time period.

........

........ Total IMAP

........

........

SMTP

........ ........

For each given O _j traffic observation, an empirical likelihood is calculated for each model M _k as: &lt; EMI ID = 17.0 &gt;

은 첫 단계에서 상태 s1의 비율이며

는 총 N_k개의 연결에 대한 전이행렬이다. 성능 측정치인 recall₁은 경험적 가능도

와

에 의해 계산된다. 다른 성능 측정치도 비슷한 방법으로 계산된다.

Is the ratio of state s1 in the first step

Is the transition matrix for a total of N _k connections. The performance measure, recall ₁ ,

Wow

Lt; / RTI &gt; Other performance measures are calculated in a similar way.

IMAP SMTP pattern ratio pattern ratio 0-4-1-4 0.5564 0-4-1-4 0.4611 0-4-1-0 0.2189 0-4-0-4 0.2870 1-4-1-4 0.1134 0-4-0-0 0.0906 0-4-0-0 0.0790 1-4-1-4 0.0687 0-4-1-1 0.0108 1-4-2-4 0.0150 0-4-0-4 0.0108 1-4-0-4 0.0141

Table 9 shows the result of sorting patterns of each application in decreasing order of frequency. Both applications have 0-4-1-4 patterns in the most frequent pattern, and 0-4-0-4, 0-4-0-0, 1-4-1-4, etc. Can be seen.

이고

이므로 SMTP의 패턴 0-4-1-4 와 1-4-1-4 는 IMAP으로 잘못 분류된다. 따라서 단순한 분류기법으로는 SMTP의 리콜 비율이 1-0.5298 을 넘을 수 없다. Maj 기법이 사용하는 그룹 기반 분류는 개별 분류보다 SMTP의 리콜 비율을 더 악화시킨다. SMTP 패턴의 반 이상이 잘못 분류되기 때문이다.[Table 9] shows why SMTP and IMAP applications are difficult to classify by existing methods such as Zhang's BOF technique or Munz's simple Markov model technique. As shown in [Table 9]

ego

, The SMTP patterns 0-4-1-4 and 1-4-1-4 are incorrectly classified as IMAP. Therefore, the simple reclassification technique can not exceed the recall rate of 1-0.5298. The group-based classification used by the Maj technique makes the recall rate of SMTP worse than individual classification. This is because more than half of the SMTP patterns are misclassified.

Using the CoolBag librer information shows the best performance. In this case, the SMTP Recall Ratio (R ₂ ) exceeds 90% for various bag sizes and approaches 100% for 100 size bags. The IMAP recall rate (R ₁ ) is also very high, but somewhat lower than the Maj technique. However, it should be kept in mind that the reason for the high recall rate of IMAP in the Maj technique is that many SMTP packets are misclassified as IMAP packets. The 4096d technique also shows a significantly higher recall rate of around 90% for SMTP. However, the recall rate drops to 65% for IMAP packets. It is considered that the reason is that sufficient information is not enough to distinguish applications in which the Euclidean distance information in the 4096 dimension is severely overlapped with each other. Furthermore, since the 4096d technique treats the distances in all dimensions equally, there is a problem that unique patterns appearing in a specific application can not be distinguished unless the distance difference is large.

FIG. 9 is a flowchart illustrating a process of performing an Internet traffic classification method according to an embodiment of the present invention.

Referring to FIG. 9, the TCP connection information detecting unit 100 detects TCP information on the network (S100). The TCP information may be Internet traffic information on an actual network. Also, the TCP information may be information detected in an application SMTP and an IMAP port that are difficult to classify by an existing classification method. The detected TCP information may be transmitted to the bag forming unit 210.

The bag forming unit 210 forms a bag (group) based on the first four packets of the detected TCP information (S110). The formed bag (group) may be formed of only the port number. The formed bag may be transmitted to the Markov model generation unit 220.

The information operation unit 200 generates a Markov model based on the formed bag and calculates a probability value corresponding to the cool bag librer information (S120). The Markov model may be an application 1, 2 and a verification Markov model.

The training model generation unit 220 generates a Markov model of the application 1 based on the formed bag (S121). The application 1 may be SMTP (port 25) or IMTP (port 143).

The observed value computing unit 232 computes an observation value based on the Markov model of the generated application 1 (S122). The calculated observation value may be transmitted to the likelihood calculator 234 for likelihood calculation.

The likelihood calculator 234 calculates a likelihood value based on the calculated observations (S123). The likelihood value may be a value for calculating the cool bag librer information.

The training model generation unit 220 generates a verification Markov model based on the formed bag (S124).

The observation value computing unit 232 computes an observation value based on the generated verification Markov model (S125). The calculated observation value may be transmitted to the likelihood calculator 234 for likelihood calculation.

The likelihood calculator 234 calculates a likelihood value based on the calculated observations (S126). The likelihood value may be a value for calculating the cool bag librer information.

The training model generation unit 220 generates a Markov model of the application 2 based on the formed bag (S127). The application 2 may be SMTP (port 25) or IMTP (port 143).

The observation value computing unit 232 computes observation values based on the Markov model of the generated application 2 (S128). The calculated observation value may be transmitted to the likelihood calculator 234 for likelihood calculation.

The likelihood calculator 234 calculates a likelihood value based on the calculated observation value (S129). The likelihood value may be a value for calculating the cool bag librer information.

The cool-back liebler information calculation unit 310 obtains the cool-white liebler divergence value based on the possibility calculated in step S123 and the degree of possibility calculated in step S126 (S130). The divergence value may be transmitted to the group calculator 320.

The cool-back liebler information calculation unit 310 obtains the cool-white liebler divergence value based on the possibility calculated in step S126 and the degree of possibility calculated in step S129 (S140). The divergence value may be transmitted to the group calculator 320.

The group calculator 320 compares the divergence value of the step S130 with the divergence value of the step S140 to calculate a group (S150). The calculated group is transmitted to the evaluation unit 400 for evaluating the error.

The evaluating unit 400 measures and calculates an error rate or a misclassification probability based on the calculated group (S160). The method of measuring the error can use the recall, precision and F-measure defined in Munz and Zhang.

The present invention can also be embodied as computer-readable codes on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the computer-readable recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like, and may be implemented in the form of a carrier wave (for example, transmission via the Internet) . The computer-readable recording medium may also be distributed over a networked computer system so that computer readable code can be stored and executed in a distributed manner.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is clearly understood that the same is by way of illustration and example only and is not to be taken by way of limitation in the embodiment in which said invention is directed. It will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

20: Network interface unit 100: Connection information detection unit
200: information calculating unit 210: bag forming unit
220: Markov model generation unit 222: Training model generation unit
230: Markov model operation unit 224: Verification model generation unit
232: observed value arithmetic unit 234: likelihood arithmetic unit
310: Cool Bag Libra information calculation unit 320: Group calculation unit

Claims (24)

A connection information detector for detecting connection information of a network;
An information calculating unit for calculating a value for determining a group based on the detected connection information; And
And a grouping unit for classifying a group of packets which are the connection information based on the calculated values.
The method according to claim 1,
Wherein the information operation unit comprises:
A bag forming unit for forming bags on the basis of the connection information;
A Markov model generating unit for generating a Markov model based on the formed bag; And
And a Markov model operation unit for calculating a value for a cool bag librer information calculation based on the generated Markov model.
3. The method of claim 2,
The bag-
And forms a bag based on the first four packets detected by the connection information detecting unit.
3. The method of claim 2,
Wherein the Markov model generating unit comprises:
A training model generation unit for generating a training Markov model of the application based on the formed bag; And
And a verification model generator for generating a verification Markov model for comparison with a training Markov model of the generated application based on the formed bag.
3. The method of claim 2,
Wherein the Markov model generating unit comprises:
Wherein a Markov model is generated by a transition probability matrix and an initial probability distribution of a finite state space.
5. The method of claim 4,
Wherein the training-
And generates a Markov model of an SMTP application and an IMAP application based on the formed bag.
5. The method of claim 4,
The verification model generation unit generates,
And forms a Markov model corresponding to relevant connections based on the formed bag.
3. The method of claim 2,
The Markov model calculation unit calculates,
An observation value calculation unit for calculating an observation value that is a frequency at which a certain pattern is observed in the Markov model based on the Markov model generated by the Markov model generation unit; And
And a likelihood calculator for calculating likelihood that a certain pattern will be observed in the Markov model based on the observed value.
The method according to claim 1,
Wherein the group assignment unit comprises:
And a divergence value is measured based on a numerical value for determining the group. And
And a group calculation unit for selecting a group based on the calculated divergence value.
10. The method of claim 9,
The cool-bag librer information calculation unit may calculate,
And calculates a cool-white-liebler information based on the likelihood of the training Markov model calculated by the information calculating unit and the likelihood of the verification Markov model, and measures the divergence value.
10. The method of claim 9,
The group calculator calculates,
And comparing the measured divergence values to select a group.
The method according to claim 1,
Further comprising an evaluation unit for measuring an error classification probability of the classified group.
Detecting connection information of the network;
Calculating a value for determining a group based on the connection information; And
And classifying the group based on the calculated numerical values.
14. The method of claim 13,
The step of calculating by numerical value for judging the group includes:
Forming a bag based on the network information;
Generating a Markov model based on the formed bag; And
And calculating a value for a cool bag librer information calculation based on the generated Markov model.
15. The method of claim 14,
Wherein forming the bag comprises:
Wherein a bag is formed based on the first four packets detected in the step of detecting connection information of the network.
15. The method of claim 14,
Wherein the step of generating the Markov model comprises:
Generating a training Markov model of the application based on the formed bag; And
And generating a verification Markov model for comparison with a training Markov model of the generated application based on the formed bag.
15. The method of claim 14,
Wherein the step of generating the Markov model comprises:
And generating a Markov model based on the initial probability distribution of the transition probability matrix and the finite state space.
17. The method of claim 16,
Wherein the generating the training Markov model comprises:
And generating a Markov model of an SMTP application and an IMAP application based on the formed bag.
17. The method of claim 16,
Wherein the generating the verification Markov model comprises:
And forming a Markov model of related connections based on the formed bag.
15. The method of claim 14,
Wherein the step of calculating the value for the cool-
Calculating an observation value that is a frequency at which a certain pattern is observed in the Markov model based on the Markov model generated at the step of generating the Markov model; And
And computing a likelihood that a certain pattern will be observed in the Markov model based on the computed observations.
14. The method of claim 13,
Wherein classifying the group comprises:
Measuring a cool-white-libler divergence value based on the values for determining the group; And
And selecting a group based on the calculated divergence value.
22. The method of claim 21,
Wherein the step of measuring the cool-
Calculating a cool-leav- er information based on the likelihood of the training Markov model and the likelihood of the verification Markov model calculated in the step of calculating the group to determine the group, and measuring the divergence value Traffic classification method.
22. The method of claim 21,
Wherein the step of selecting the group comprises:
And comparing the measured divergence values to select a group.
14. The method of claim 13,
Further comprising the step of measuring a misclassification probability of the classified group.

Images