Abstract

The problem of identifying applications online and directly from traffic flows recently has been a subject of great interest. Traditional techniques relying on port numbers or payload signatures are becoming less effective. In this paper, we present an approach to online identification of applications using statistical behavior analysis. We investigate both host- level identification and flow-level identification. For each level, we define the suitable metrics that can be computed fast and effectively exploited by the identification process. We propose to use decision trees to identify applications with low computation complexity, which is required for high-speed online processing. Our experimental results using BitTorrent, HTTP, SMTP and FTP traffic traces demonstrate that our technique can identify these applications with low error rates and short delay.