Abstract: In network traffic classification, it is important to understand the correlation between network traffic and its causal application, protocol, or service group, for example, in facilitating lawful interception, ensuring the quality of service, preventing application choke points, and facilitating malicious behavior identification. In this paper, we review existing network classification techniques, such as port-based identification and those based on deep packet inspection, statistical features in conjunction with machine learning, and deep learning algorithms. We also explain the implementations, advantages, and limitations associated with these techniques. Our review also extends to publicly available datasets used in the literature. Finally, we discuss existing and emerging challenges, as well as future research directions.
Funding: This work was supported by the National Natural Science Foundation of China under Grants (Nos. 61771166, 61771166, 61402137) and the National Key Research & Development Plan of China under Grant 2016QY05X1000.
Abstract: Deep Packet Inspection (DPI), at the core of many monitoring appliances such as NIDS and NIPS, plays a major role. DPI is beneficial to content providers and censors for monitoring network traffic. However, the surge of network traffic has put tremendous pressure on the performance of DPI. In fact, the sensitive content being monitored is only a minority of network traffic; that is to say, most of it is undesired. Taking a close look at network traffic, we found that it contains much undesired high-frequency content (UHC) that is not monitored. As is well known, the key to improving DPI performance is to skip as many useless characters as possible. Nevertheless, researchers generally study algorithms for skipping useless characters based on the sensitive content, ignoring the high-frequency non-sensitive content. To fill this gap, in this paper we design a model, named Fast AC Model with Skipping (FAMS), to quickly skip UHC while scanning traffic. The model consists of a standard AC automaton, in which the input traffic is scanned byte by byte, and an additional sub-model, which includes a mapping set and a UHC matching model. The mapping set is a bridge between the state nodes of the AC automaton and the UHC matching model, while the latter selects a matching function from hash and fingerprint functions. Our experiments show promising results: we achieve a throughput gain of 1.3-2.6 times the original throughput and 1.1-1.3 times that of Barr's double-path method.
Funding: Supported by the National High Technology Development 863 Program of China (No. 2008AA01Z117).
Abstract: Nowadays, using Deterministic Finite Automata (DFA) or Non-deterministic Finite Automata (NFA) to parse regular expressions is the most popular approach to Deep Packet Inspection (DPI), and research on DPI focuses on improving DFA to reduce memory. However, most of the existing literature ignores a special kind of "overlap-matching expression", which causes state explosion and makes up quite a large part of DPI rules. To solve this problem, in this paper a new mechanism based on bitmaps is proposed. We start with a simple regular expression to describe "overlap-matching expressions" and state the problem. Then, after calculating the huge number of exploded states for this kind of expression, the procedure of the Bitmap-based Soft Parallel Mechanism (BSPM) is described. Based on BSPM, we discuss all the different types of "overlap-matching expressions" and give optimization suggestions for each of them separately. Finally, experimental results prove that BSPM gives excellent performance in solving the problem stated above, and the optimization suggestions are also effective for memory reduction on all types of "overlap-matching expressions".
Abstract: This paper rejuvenates the notion of conformance testing in order to assess the security of networks. It leverages the Testing and Test Control Notation Version 3 (TTCN-3) by applying it to a redefined notion of System under Test (SUT). Instead of testing a software/firmware/hardware element, as is classically done, an intangible object, namely the network, is tested in order to infer some of its security properties. After a brief introduction to TTCN-3 and Titan, its compilation and execution environment, a couple of use cases are provided to illustrate the feasibility of the approach. The pros and cons of using TTCN-3 to implement a scalable and flexible network testing environment are discussed.