Network managers are inevitably called upon to associate network
traffic with particular applications. Indeed, this operation is critical for a
wide range of management functions ranging from debugging and security to
analytics and policy support. Traditionally, managers have relied on
application adherence to a well-established global port mapping: Web traffic on
port 80, mail traffic on port 25 and so on. However, a range of factors --
including firewall port blocking, tunneling, dynamic port allocation, and a
bloom of new distributed applications -- has weakened the value of this
approach. We analyze three alternative mechanisms using statistical and
structural content models for automatically identifying traffic using the same
application-layer protocol, relying solely on flow content. In this manner,
known applications may be identified regardless of port number, while traffic
from one unknown application will be identified as distinct from another. We
evaluate each mechanism's classification performance using real-world traffic
traces from multiple sites.
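As an added illustration of port-independent, content-based protocol inference (example code, not the paper's own; the page does not describe the paper's actual models), the toy classifier below uses an assumed statistical content model: per-offset byte distributions with additive smoothing, trained on constructed HTTP and SMTP client prefixes, and returning "unknown" when no known protocol clearly fits.

```python
import math
from collections import Counter

# Constructed training flows (not from any real trace): the first bytes the
# client sends. Labels are the training ground truth; ports are never used.
TRAINING_FLOWS = {
    "http": [b"GET / HTTP/1.1\r\nHost: a.example\r\n",
             b"POST /login HTTP/1.1\r\nHost: b.example\r\n",
             b"GET /index.html HTTP/1.0\r\n\r\n",
             b"HEAD /img HTTP/1.1\r\nUser-Agent: x\r\n"],
    "smtp": [b"EHLO mail.example\r\nMAIL FROM:<a@x>\r\n",
             b"HELO relay\r\nMAIL FROM:<b@y>\r\n",
             b"EHLO mx1\r\nRCPT TO:<c@z>\r\n",
             b"EHLO mx2\r\nQUIT\r\n"],
}
PREFIX = 16   # leading payload bytes modelled (assumed; a tunable parameter)
ALPHA = 0.5   # additive smoothing so an unseen byte is unlikely, not impossible

def train(flows):
    """One byte-frequency Counter per offset in the modelled prefix."""
    model = [Counter() for _ in range(PREFIX)]
    for payload in flows:
        for i, b in enumerate(payload[:PREFIX]):
            model[i][b] += 1
    return model

def log_likelihood(model, payload):
    """Sum over the prefix of smoothed log P(byte | offset) under the model."""
    total = 0.0
    for i, b in enumerate(payload[:PREFIX]):
        n = sum(model[i].values())
        total += math.log((model[i][b] + ALPHA) / (n + ALPHA * 256))
    return total

def classify(models, payload, margin=5.0):
    """Best-scoring protocol, or 'unknown' when no model beats the runner-up by
    `margin` nats: an unfamiliar protocol sits near the floor under every model."""
    ranked = sorted(((log_likelihood(m, payload), p) for p, m in models.items()),
                    reverse=True)
    (best_score, best_proto), (second_score, _) = ranked[0], ranked[1]
    return best_proto if best_score - second_score >= margin else "unknown"

MODELS = {proto: train(flows) for proto, flows in TRAINING_FLOWS.items()}

if __name__ == "__main__":
    # Constructed test flows: HTTP on an unusual port, SMTP, and an SSH banner.
    for port, payload in [(8443, b"GET /api/v1 HTTP/1.1\r\nHost: c.example\r\n"),
                          (2525, b"EHLO smtp.client\r\nMAIL FROM:<d@w>\r\n"),
                          (80, b"SSH-2.0-OpenSSH_8.9\r\n")]:
        print(port, classify(MODELS, payload))
```

The port column is printed only to show it plays no role: the HTTP request on 8443 and the SMTP dialogue on 2525 are labelled by content, and the SSH banner on port 80 falls into the "unknown" bucket rather than being forced onto a known protocol.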
Pre-2018 CSE ID: CS2006-0850