
Proceedings of the Institute for System Programming of the RAS


A survey of problems and solution methods in network traffic classification

https://doi.org/10.15514/ISPRAS-2017-29(3)-8

Abstract

The paper considers the problem of network traffic classification: the features used to solve it, the existing approaches and the areas in which they are applicable. It enumerates the applied problems that require a classification component and the additional requirements that follow from the specifics of each such problem. It analyses the properties of network traffic, arising from the characteristics of the transmission medium and of the technologies employed, that influence the classification process in one way or another. Current directions in modern approaches to analysis and the reasons for their development are considered.

About the authors

А. И. Гетьман
ISP RAS
Russia


Ю. В. Маркин
ISP RAS
Russia


Е. Ф. Евстропов
ISP RAS
Russia


Д. О. Обыденков
ISP RAS
Russia





For citation (in Russian):

Гетьман А.И., Маркин Ю.В., Евстропов Е.Ф., Обыденков Д.О. Обзор задач и методов их решения в области классификации сетевого трафика. Труды Института системного программирования РАН. 2017;29(3):117-150. https://doi.org/10.15514/ISPRAS-2017-29(3)-8

For citation:

Ge’Tman A.I., Markin Yu.V., Evstropov E.F., Obydenkov D.O. A survey of problems and solution methods in network traffic classification. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2017;29(3):117-150. (In Russ.) https://doi.org/10.15514/ISPRAS-2017-29(3)-8



Content is available under the Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)