Automatic Discovery and Classification of Network Applications
     
 

Classifying network traffic by application is very challenging and remains an unsolved problem. In practice, application classification relies to a large extent on transport-layer port numbers, which was an effective approach in the early days of the Internet. Port numbers, however, provide very limited information nowadays. An alternative, currently applied by QRadar, is to examine the payload of network flows and create signatures for each application.

  
Current Members:
 

Mahbod Tavallaee


 
Previous Members:

Wei Lu  

 

Overview

 

Classifying network traffic by application is very challenging and remains an unsolved problem, given the unlimited number of applications being developed for next-generation networks. Classification based on port numbers and payload content was effective in the early days of the Internet. These methods, however, provide very limited information nowadays (e.g., empirical observation shows that 40% of the traffic on a WiFi network appears to be unknown). As a result, the main goal of this project is to build a back-end module that works in parallel with the QRadar application detection engine and focuses only on classifying those applications that the signature-based classifier cannot identify and that appear to QRadar as unknown.

 

Related Publications

 

Mahbod Tavallaee, Wei Lu, and Ali A. Ghorbani. "Online Classification of Network Flows." In Proceedings of the 7th Annual Conference on Communication Networks and Services Research (CNSR 2009), Moncton, New Brunswick, Canada, May 11-13, 2009, pp. 78-85.