Abstract: Despite the increasing interest in application identification, the
traditional approach based on transport layer port numbers has become less
effective due to several reasons including the increasing use of random or
non-standard port numbers and tunneling (e.g., HTTP tunnels). One approach to
overcome this is to inspect application payload information. While highly
accurate, it is limited and complicated for encrypted or obfuscated packets.
Another common approach is to utilize flow statistics, such as flow size and
duration, for classifying applications. Since it does not require to read
packet contents, this approach has no limitation to plain-text flows, but it is
known to be relatively less accurate. In this work, we develop a framework that incorporates those
multiple classification techniques to offer accurate identification of
applications with greater flexibility. In particular, we present our design of
the hybrid classifier that performs classification based on machine learning
with payload information and statistical flow-level features. With a recently
collected traffic data set with a diverse set of applications, our experimental
results show that our hybrid approach provides a high degree of accuracy for
application identification yielding an accuracy of 95% on average. In addition,
we propose an optimization technique with a novel binning method that
partitions the given application set into multiple subgroups to improve the
overall identification accuracy.
