Early Application Identification

 


INTRODUCTION  
  "Early Application Identification" is a method to identify the application using a TCP connection as early as possible. This method uses only the size of the first few packets of a TCP connection combined with the port number to identify applications.  
     
PUBLICATIONS  
   
     
PRESENTATIONS  
   
     
SOFTWARE

MATLAB LIBRARY

The Matlab scripts used in this work are available here. For details on the method, please refer to the CoNEXT paper. You can find detailed explanations about these scripts in the README included in the tarball.

Download

PCAP CLASSIFIER

This classifier relies on models generated with the Matlab library. This tarball contains models using the size of the first three packets for the following applications: bittorent, edonkey, ftp, http, msn, nntp, pop3, smtp, ssh, ssl. To generate models for other sets of applications, please use the tools from our Matlab Library.

Download

 
     
DATA SETS  
 

The Matlab Tools tarball contains a few sample data sets to help you get started with our tool. Here, you can download these data sets as well as specific ones for some applications. We plan to add other data sets shortly. These data sets use the following format:
Appname  Dport  Size1  Size2  Size3  Size4
http     80     570    -1448  -1448  -1448
Each line corresponds to a connection. Appname is the name of the application that generated the connection. Dport is the TCP server port used in the connection. SizeX is the payload size of the Xth packet containing application data. SizeX is positive when packet X is sent by the client of the connection, and negative when it is sent by the server.
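
The following parser for this data set format is an added example, not code from the Matlab library or the PCAP classifier. It assumes whitespace-separated fields and an optional header row (the page does not state the delimiter); the names Connection, parse_line and parse_dataset are hypothetical, and the smtp line in the sample is constructed.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Connection:
    appname: str       # ground-truth application label
    dport: int         # TCP server port
    sizes: List[int]   # signed payload sizes: > 0 sent by client, < 0 by server

    def features(self, n: int = 3) -> List[int]:
        """Signed sizes of the first n data packets (the shipped models use 3)."""
        if len(self.sizes) < n:
            raise ValueError(f"connection has only {len(self.sizes)} data packets")
        return self.sizes[:n]

    def directions(self) -> str:
        """One letter per packet: 'C' if sent by the client, 'S' if by the server."""
        return "".join("C" if s > 0 else "S" for s in self.sizes)


def parse_line(line: str) -> Connection:
    # Assumption: fields are separated by whitespace.
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"need Appname, Dport and at least one size: {line!r}")
    dport = int(fields[1])
    if not 0 < dport <= 65535:
        raise ValueError(f"invalid TCP port {dport}")
    sizes = [int(f) for f in fields[2:]]
    # A packet "containing application data" cannot carry a zero-byte payload.
    if any(s == 0 for s in sizes):
        raise ValueError(f"zero payload size in {line!r}")
    return Connection(fields[0], dport, sizes)


def parse_dataset(text: str) -> List[Connection]:
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.split()[0] == "Appname":  # skip blanks and header row
            continue
        conns.append(parse_line(line))
    return conns


# Constructed sample: only the http line comes from the page.
SAMPLE = """Appname Dport Size1 Size2 Size3 Size4
http 80 570 -1448 -1448 -1448
smtp 25 -90 16 -120 30
"""
```
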

It is difficult to gather traces including TCP payloads (which we need during the training process to establish the ground truth about the application that generated a given connection).
Therefore, we would be really interested in other data sets in the same format (i.e. not including the TCP payload but simply: application names, TCP server port and size of the first TCP payloads).

 
     
WHO ARE WE?  
 

 
     
CONTACT  
  If you use these tools, or have any comments or questions about them, please let us know: laurent.bernaille@lip6.fr  
     
ACKNOWLEDGEMENTS  
 

These tools were developed with financial support from RNRT grants through the projects METROPOLIS and OSCAR and from the ACI Sécurité Informatique grant through the project METROSEC.