Traffic classification
Traffic classification is an automated process. It categorises computer network traffic into a number of traffic classes according to various parameters, for example port number or protocol.
Classification methods
Classification is achieved by various means.
Port numbers
- Fast
- Low resource-consuming
- Supported by many network devices
- Does not inspect the application-layer payload, so it does not compromise the users' privacy
- Useful only for applications and services that use fixed port numbers
- Easy to circumvent by changing the port number in the system
Deep Packet Inspection
- Inspects the actual payload of the packet
- Detects the applications and services regardless of the port number on which they operate
- Slow
- Requires a lot of processing power
- Signatures must be kept up to date, as the applications change very frequently
- Encryption makes this method impossible in many cases
A comprehensive comparison of various network traffic classifiers that depend on Deep Packet Inspection is given in the Independent Comparison of Popular DPI Tools for Traffic Classification.[1]
Statistical classification
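An added example (not from the original article) that runs a port-table classifier and a simplified payload-signature classifier over the same flows, showing where each one fails as the two lists above describe. The port table, the signatures and the sample flows are constructed for illustration and are far simpler than a real DPI engine's rule set.

```python
import re

# Port-based table: a small constructed subset of well-known port assignments.
PORT_CLASSES = {22: "ssh", 25: "smtp", 80: "http", 443: "https"}

# Simplified payload signatures, matched against the first bytes of a flow.
PAYLOAD_SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),                     # SSH version banner
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),  # peer handshake
    ("tls", re.compile(rb"^\x16\x03[\x00-\x04]")),           # TLS handshake record header
]

def classify_by_port(dst_port):
    """Cheap lookup; only as good as the assumption that services use fixed ports."""
    return PORT_CLASSES.get(dst_port, "unknown")

def classify_by_payload(payload):
    """Signature match on the payload; independent of the port number."""
    for name, signature in PAYLOAD_SIGNATURES:
        if signature.match(payload):
            return name
    return "unknown"

def compare(flows):
    """Return (dst_port, port_class, payload_class) for each (dst_port, payload) flow."""
    return [(port, classify_by_port(port), classify_by_payload(data))
            for port, data in flows]

# Constructed sample flows: (destination port, first payload bytes).
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_FLOWS = [
    (80, HTTP_REQ),                     # both methods agree
    (8080, HTTP_REQ),                   # non-standard port: port table has no entry
    (443, b"SSH-2.0-ExampleSSH_1.0\r\n"),  # port table says https, payload says ssh
    (443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),  # TLS ClientHello start
    (6881, b"\x13BitTorrent protocol" + bytes(8)),
]

if __name__ == "__main__":
    for port, by_port, by_payload in compare(SAMPLE_FLOWS):
        print(f"port {port:<5} port-based={by_port:<8} payload-based={by_payload}")
```

For the TLS flow the payload classifier can only report "tls": the application carried inside the encrypted session is not visible to it, which is the encryption limitation listed above.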
- Relies on statistical analysis of attributes such as byte frequencies, packet sizes and packet inter-arrival times.
- Very often uses Machine Learning Algorithms, such as K-Means, Naive Bayes Filter, C4.5, C5.0, J48, or Random Forest
- Fast technique (compared to deep packet inspection classification)
- It can detect the class of yet unknown applications
Implementation
The Linux network scheduler and Netfilter both contain logic that helps to identify and mark or classify network packets.
Typical traffic classes
There are three broad types of network traffic:
- Sensitive traffic: Sensitive traffic is traffic the operator has an expectation to deliver on time. This includes VoIP, online gaming, video conferencing, and web browsing.
- Best-effort traffic: Best-effort traffic is all other kinds of non-detrimental traffic. This is traffic that the ISP considers not sensitive to Quality of Service metrics (jitter, packet loss, latency). A typical example would be peer-to-peer and email applications.
- Undesired traffic: This category is generally limited to the delivery of spam and traffic created by worms, botnets, and other malicious attacks.
Sources
- [1] Tomasz Bujlow; Valentín Carela-Español; Pere Barlet-Ros. "Independent Comparison of Popular DPI Tools for Traffic Classification". In press (Computer Networks). Retrieved 2014-11-10.