Method for real time network traffic classification

US 7,684,320 B1
Filed: 12/22/2006
Issued: 03/23/2010
Est. Priority Date: 12/22/2006
Status: Active Grant

First Claim

Patent Images

1. A method for classifying a network traffic flow of a network, the method comprising:

providing a first subspace, corresponding to a first classification, from a first training traffic flow;

representing content independent parameters of the network traffic flow in a stochastic process model, wherein the content independent parameters comprise packet arrival time and packet size of each packet of a plurality of packets in the network traffic flow;

extracting, using a computer, a first power spectral density (PSD) feature vector from the network traffic flow according to a spectral analysis of the stochastic process model;

measuring, using the computer, a first similarity of the first PSD feature vector with the first subspace according to a first similarity metric; and

identifying the first classification of the network traffic flow according to the first similarity wherein providing the first subspace comprises;

representing content independent training parameters of the first training traffic flow in another stochastic process model, wherein the content independent training parameters of the first training traffic flow comprise packet arrival time and packet size of each training packet of a plurality of training packets in the first training network traffic flow;

extracting using a computer, a plurality of PSD feature vectors from the first training traffic flow according to the spectral analysis of the other stochastic process model;

composing the first subspace using the plurality of PSD feature vectors;

decomposing the first subspace into one or more segments; and

identifying one or more bases each representing a structure of a segment.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided to classify network traffic flows in real-time using spectral analysis techniques to extract regularities inside the network traffic flows. In one embodiment of the invention, subspace decomposition on power spectral density feature vectors and minimum coding length criterion are utilized for training traffic flows of different classifications. Experimental results are shown to demonstrate the effectiveness and robustness of the invention.

41 Citations

View as Search Results

16 Claims

1. A method for classifying a network traffic flow of a network, the method comprising:
- providing a first subspace, corresponding to a first classification, from a first training traffic flow;
  
  representing content independent parameters of the network traffic flow in a stochastic process model, wherein the content independent parameters comprise packet arrival time and packet size of each packet of a plurality of packets in the network traffic flow;
  
  extracting, using a computer, a first power spectral density (PSD) feature vector from the network traffic flow according to a spectral analysis of the stochastic process model;
  
  measuring, using the computer, a first similarity of the first PSD feature vector with the first subspace according to a first similarity metric; and
  
  identifying the first classification of the network traffic flow according to the first similarity wherein providing the first subspace comprises;
  
  representing content independent training parameters of the first training traffic flow in another stochastic process model, wherein the content independent training parameters of the first training traffic flow comprise packet arrival time and packet size of each training packet of a plurality of training packets in the first training network traffic flow;
  
  extracting using a computer, a plurality of PSD feature vectors from the first training traffic flow according to the spectral analysis of the other stochastic process model;
  
  composing the first subspace using the plurality of PSD feature vectors;
  
  decomposing the first subspace into one or more segments; and
  
  identifying one or more bases each representing a structure of a segment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - providing a second subspace, corresponding to a second classification, from a second training traffic flow;
      
      measuring a second similarity of the first PSD feature vector with the second subspace according to a second similarity metric; and
      
      identifying the second classification of the network traffic flow according to the second similarity.
  - 3. The method of claim 1 wherein the first subspace is decomposed according to minimizing a coding length of the one or more segments.
  - 4. The method of claim 1 wherein the first similarity is measured by a normalized distance from the first PSD feature vector to the subspace, and wherein the normalized distance is defined according to the one or more bases of the first subspace.
  - 5. The method of claim 1,wherein the stochastic process model comprises a continuous time stochastic process;
    - wherein extracting the first power spectral density (PSD) feature vector comprises;
      
      processing the continuous time stochastic process through a low pass filter;
      
      sampling the low pass filtered continuous time stochastic process at a sampling frequency to produce a discrete time sequence; and
      
      extracting the PSD feature vector from a plurality of PSDs estimated from the discrete time sequence.
  - 6. The method of claim 5, wherein the sampling frequency corresponds to a period of substantially 0.5 milliseconds.
  - 7. The method of claim 2, wherein at least one of the first and second classifications is one from the list consisting of audio traffic and video traffic.
  - 8. The method of claim 1, further comprising:
    - obtaining the first training traffic flow from the network during a training phase prior to a classification phase; and
      
      obtaining the network traffic flow from the network during the classification phase,wherein the network traffic flow is a hybrid flow comprising a plurality of classifications.
  - 9. The method of claim 1, further comprising:
    - extracting a sub flow of the network traffic flow according to the packet size of each packet of the plurality of packets in the network traffic flow;
      
      comparing a variance of packet sizes in the sub flow to a predetermined threshold; and
      
      identifying a third classification of the network traffic according to the comparison.
  - 10. The method of claim 9, wherein the third classification is file transfer traffic.

11. A non-transitory computer readable medium, embodying instructions executable by the computer to perform method steps for classifying a network traffic flow of a network, the instructions comprising functionality to:
- provide a first subspace, corresponding to a first classification, from a first training traffic flow;
  
  represent content independent parameters of the network traffic flow in a stochastic process model, wherein the content independent parameters comprise packet arrival time and packet size of each packet of a plurality of packets in the network traffic flow;
  
  extract a first power spectral density (PSD) feature vector from the network traffic flow according to a spectral analysis of the stochastic process model;
  
  measure a first similarity of the first PSD feature vector with the first subspace according to a first similarity metric; and
  
  identify the first classification of the network traffic flow according to the first similarity.
- View Dependent Claims (12, 13)
- - 12. The computer readable medium of claim 11, wherein the instructions further comprises functionality to:
    - provide a second subspace, corresponding to a second classification, from a second training traffic flow;
      
      measure a second similarity of the first PSD feature vector with the second subspace according to a second similarity metric; and
      
      identify the second classification of the network traffic flow according to the second similarity,wherein at least one of the first and second classifications is one from the list consisting of audio traffic and video traffic.
  - 13. The computer readable medium of claim 12, wherein the instructions further comprises functionalities to:
    - extract a sub flow of the network traffic flow according to the packet size of each packet of the plurality of packets in the network traffic flow;
      
      compare a variance of packet sizes in the sub flow to a predetermined threshold; and
      
      identify a file transfer traffic classification of the network traffic based on the comparison,wherein the network traffic flow is a hybrid flow comprising at least two of the first, second, and third classifications.

14. A system for classifying a network traffic flow of a network, comprising:
- a subspace identification module configured to provide a first subspace, corresponding to a first classification, from a first training traffic flow;
  
  a power spectral density (PSD) feature extraction module configured to;
  
  represent content independent parameters of the network traffic flow in a stochastic process model, wherein the content independent parameters comprise packet arrival time and packet size of each packet of a plurality of packets in the network traffic flow; and
  
  extract a PSD feature vector from the network traffic flow according to a spectral analysis of the stochastic process model; and
  
  a processor and memory storing instruction when executed by the processor comprising functionalities formeasuring a first similarity of the PSD feature vector with the first subspace according to a first similarity metric; and
  
  identifying the first classification of the network traffic flow according to the first similarity.
- View Dependent Claims (15, 16)
- - 15. The system of claim 14,wherein the subspace identification module is further configured to provide a second subspace, corresponding to a second classification, from a second training traffic flow;
    - wherein the instructions when executed by the processor further comprising functionalities for;
      
      measuring a second similarity of the PSD feature vector with the second subspace according to a second similarity metric; and
      
      identifying the second classification of the network traffic flow according to the second similarity,wherein at least one of the first and second classifications is one from the list consisting of audio traffic and video traffic.
  - 16. The system of claim 15, further comprising:
    - a sub flow extraction module configured to extract a sub flow of the network traffic flow according to the packet size of each packet of the plurality of packets in the network traffic flow; and
      
      a file classifier configured to;
      
      compare a variance of the packet sizes in the sub flow to a predetermined threshold; and
      
      identify a file transfer traffic classification of the network traffic based on the comparison,wherein the network traffic flow is a hybrid flow comprising at least two of the first, second, and third classifications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
Narus, Inc. (Gen Digital Inc.)
Inventors
Nucci, Antonio
Primary Examiner(s)
Ferris; Derrick W
Assistant Examiner(s)
BROCKMAN, ANGEL T

Application Number

US11/644,419
Time in Patent Office

1,187 Days
Field of Search

370/229, 370/232
US Class Current

370/229
CPC Class Codes

H04L 43/022   by sampling

H04L 43/026   using flow identification

Y02D 30/50   in wire-line communication ...

Method for real time network traffic classification

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method for real time network traffic classification

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links