Abstract

In this paper we present a real-time automatic process to traffic classification and to the detection of abnormal behaviors in IP traffic. The proposed method aims to detect anomalies in the traffic associated to a particular service, or to automatically recognize the service associated to a given sequence of packets at the transport layer. Service classification is becoming a central issue because of the emergence of new services (P2P, VoIP, Streaming video, etc...) which raises new challenges in resource reservation, pricing, network monitoring, etc... In order to identify a specific signature to an application, we first of all model the sequence of its packets at the transport layer by means of a first order Markov chain. Then, we decide which service should be associated to any new sequence by means of standard decision techniques (Maximum Likelihood criterion, Neyman-Pearson test). The evaluation of our automatic recognition procedure using live GPRS Orange France traffic traces demonstrates the feasibility and the excellent performance of this approach.