We present a novel approach for timely classification and verification of network traffic using Gaussian Mixture Models (GMMs). We generate a separate GMM for each class of applications using component-wise expectation-maximization (CEM) to match the network traffic distribution generated by these applications. We apply our models for both traffic classification, where the goal is to identify the source application from which the traffic originates, by evaluating the maximum posterior probability, and for traffic verification, where the goal is to verify whether the application that claims to be the source of the traffic is as expected, by likelihood testing. Our models use only the first initial packets of truncated flows in order to provide more efficient and timely traffic classification and verification. This allows for triggering timely countermeasures before the end of flows. We demonstrate the effectiveness of our approach by experiments on a public dataset collected from a real network. Our traffic classification approach outperforms other state-of-the-art approaches that are based on machine learning, and achieves up to 97.7% flow classification accuracy when using only 9 first initial packets of flows. We show that 96.6% flow classification accuracy can still be obtained when training the GMMs using only 0.5% of all flows. Our traffic verification approach achieves a minimum Half Total Error Rate (HTER) of 7.65% when using only 6 first initial packets of flows.
Full Text Finder