Computer Networks 55 (2011) 1909–1920
Contents lists available at ScienceDirect
Computer Networks journal homepage: www.elsevier.com/locate/comnet
Graption: A graph-based P2P traffic classification framework for the internet backbone Marios Iliofotou a,⇑, Hyun-chul Kim b, Michalis Faloutsos a, Michael Mitzenmacher c, Prashanth Pappu d, George Varghese e a
University of California, Riverside, CA, USA Seoul National University, Gwanak-gu, Seoul, Korea c Harvard University, Cambridge, MA, USA d Conviva, Inc., San Mateo, CA, USA e University of California, San Diego, San Diego, CA, USA b
a r t i c l e
i n f o
Article history: Received 6 February 2010 Received in revised form 18 November 2010 Accepted 29 January 2011 Available online 13 February 2011 Keywords: Traffic classification Behavioral-approach Peer-to-peer Graph mining
a b s t r a c t Monitoring network traffic and classifying applications are essential functions for network administrators. Current traffic classification methods can be grouped in three categories: (a) flow-based (e.g., packet sizing/timing features), (b) payload-based, and (c) host-based. Methods from all three categories have limitations, especially when it comes to detecting new applications, and classifying traffic at the backbone. In this paper, we propose the use of Traffic Dispersion Graphs (TDGs) to remedy these limitations. Given a set of flows, a TDG is a graph with an edge between any two IP addresses that communicate; thus TDGs capture network-wide interactions. Using TDGs, we develop an application classification framework dubbed Graption (Graph-based classification). Our framework provides a systematic way to classify traffic by using information from the network-wide behavior and flow-level characteristics of Internet applications. As a proof of concept, we instantiate our framework to detect P2P traffic, and show that it can identify 90% of P2P flows with 95% accuracy in backbone traces, which are particularly challenging for other methods. Ó 2011 Elsevier B.V. All rights reserved.
1. Introduction An important task when monitoring and managing large networks is classifying flows according to the application that generates them. Such information can be utilized for network planning and design, QoS and traffic shaping, and security. In particular, detecting P2P traffic is a potentially important problem for ISPs that want to manage such traffic, and for specific groups such as the entertainment industry in legal and copyright disputes. Detecting P2P traffic also has particular interest since it represents a large portion of the Internet traffic. In fact, a resent work by Labovitz et al. [27] shows that at least ⇑ Corresponding author. Tel.: +1 951 880 3699. E-mail address:
[email protected] (M. Iliofotou). 1389-1286/$ - see front matter Ó 2011 Elsevier B.V. All rights reserved. doi:10.1016/j.comnet.2011.01.020
20% of all Inter-domain traffic on the Internet is P2P. Even though percentage wise P2P traffic is not the dominant Internet traffic contributor today, its overall traffic volume is constantly increasing. In addition, other studies using advanced deep-packet inspection show P2P traffic to be up to 70% of the overall volume in some networks [20]. Most current application classification methods can be naturally categorized according to their level of observation: payload-based signature-matching methods [30,28], flow-level statistical approaches [10,32], or host-level methods [25,40]. Each existing approach has its own pros and cons, and no single method clearly emerges as a winner. Relevant problems that need to be considered include identifying applications that are new, and thus without a known profile; operating at backbone links [26,25]; and detecting applications that intentionally alter their
1910
M. Iliofotou et al. / Computer Networks 55 (2011) 1909–1920
behavior. Flow-level and payload-based classification methods require per application training and will thus not detect P2P traffic from emerging protocols. Behavioral-host-based approaches such as BLINC [25] can detect traffic from new protocols [25], but have weak performance when applied at the backbone [26]. In addition, most tools including BLINC [25] require fine-tuning and careful selection of parameters [26]. We discuss the limitations of previous methods in more detail in Section 4. In this paper, we use the network-wide behavior of an application to assist in classifying its traffic. To model this behavior, we use graphs where each node is an IP address, and each edge represents a type of interaction between two nodes. We use the term Traffic Dispersion Graph or TDG to refer to such a graph [19]. Intuitively, with TDGs we enable the detection of network-wide behavior (e.g., highly connected graphs) that is common among P2P applications and different from other traffic (e.g., Web). While we recognize that some previous efforts [6,9] have used graphs to detect worm activity, they have not explored the full capabilities of TDGs for application classification. This paper is an extension of a workshop paper [18] and the differences will be clarified in the related work section (Section 4). We propose a classification framework, dubbed Graption (Graph-based classification), as a systematic way to combine network-wide behavior and flow-level characteristics of network applications. Graption first groups flows using flow-level features, in an unsupervised and agnostic way, i.e., without using application-specific knowledge. It then uses TDGs to classify each group of flows. As a proof of concept, we instantiate our framework and develop a P2P detection method, which we call Graption-P2P. Compared to other methods (e.g., BLINC [25]), Graption-P2P is easier to configure and requires fewer parameters. The highlights of our work can be summarized in the following points: Distinguishing between P2P and client–server TDGs. We use real-world backbone traces and derive graph theoretic metrics that can distinguish between the TDGs formed by client–server (e.g., Web) and P2P (e.g., eDonkey) applications (Section 2.2). Practical considerations for TDGs. We show that even a single backbone link contains enough information to generate TDGs that can be used to classify traffic. In addition, TDGs of the same application seem fairly consistent across time (Section 2.3). High P2P classification accuracy. Our framework instantiation (Graption-P2P) classifies 90% of P2P traffic with 95% accuracy when applied at the backbone. Such traces are particularly challenging for other methods (Section 3.2.2). Comparison with a behavioral-host-based method. Graption-P2P performs better than BLINC [25] in P2P identification at the backbone. For example, Graption-P2P identifies 95% of BitTorrent traffic while BLINC identifies only 25% (Section 3.3). Identifying the unknown. Using Graption, we identified a P2P overlay of the Slapper worm. The TDG of Slapper was never used to train our classifier. This is a promis-
ing result showing that our approach can be used to detect both known and unknown P2P applications (Section 3.4). The rest of the paper is organized as follows. In Section 2 we define TDGs, and identify TDG-based metrics that differentiate between applications. In Section 3 we present the Graption framework and our instantiation, GraptionP2P. In Section 5 we discuss various practical issues. In Section 4 we discuss related work. Finally, in Section 6 we conclude the paper. 2. Studying the TDGs of P2P applications 2.1. Traffic dispersion graphs (TDGs) Definition. Throughout this paper, we assume that packets can be grouped into flows using the standard 5-tuple {srcIP, srcPort, dstIP, dstPort, protocol}. Given a group of flows S, collected over a fixed-length time interval, we define the corresponding TDG to be a directed graph G(V, E), where the set of nodes V corresponds to the set of IP addresses in S, and there is a link (u, v) 2 E from u to v if there is a flow f 2 S between them. In this paper, we consider bidirectional flows. We define a TCP flow to start on the first packet with the SYN-flag set and the ACK-flag not set, so that the initiator and the recipient of the flow are defined for the purposes of direction. For UDP flows, direction is decided upon the first packet of the flow. Visualization examples. In Fig. 1, we show TDG examples from two different applications. In order to motivate the discussion in the rest of the paper, we show the contrast between a P2P and a client–server TDG. From the figure we see that P2P traffic forms more connected and more dense graphs compared to client–server TDGs. In Section 2.2, we show how we can translate the visual intuition of Fig. 1 into quantitative measures that can be used to classify TDGs that correspond to different applications. Data set. To study TDGs, we use three backbone traces from a Tier-1 ISP and the Abilene (Internet2) network. These traces are summarized in Table 1. All data are IP anonymized and contain traffic from both directions of the link. The TR-PAY1 and TR-PAY21 traces were collected from an OC48 link of a commercial US Tier-1 ISP at the Palo Alto Internet eXchange (PAIX). To the best of our knowledge, these are the most recent backbone traces with payload that are available to researchers by CAIDA [5]. The TR-ABIL trace is a publicly available data set collected from the Abilene (Internet2) academic network connecting Indianapolis with Kansas City. The Abilene trace consists of five randomly selected five-minute samples taken every day for one month, and covers both day and night hours as well as weekdays and weekends. Extractingground truth. We used a Payload-based Classifier (PC) to establish the ground truth of flows for the 1 The authors thank CAIDA for providing this set of traffic traces. Additional information for these traces can be found in the DatCat, Internet Measurement Data Catalog [8], indexed under the label ‘‘PAIX’’.
1911
M. Iliofotou et al. / Computer Networks 55 (2011) 1909–1920 864 1337
1335
1330
710
1323
663 1257
1338
1245
1243
1336
1331
1324
502 1032
990
987
952
1271 1258
1246
1244
272 827
374
920 1033
991
988 865
102
953 1016 828
9 711
664 58
375 1003
503 853 267 903 103 641
506 273
499 1239 993
59
854
615
1312 46 398
1342
788
1108
1240
498 862
823 10
1234
473
45 973 240 200 208
353 507 904 863
492
983
207
509
824
150 284
956 971
241
1202 1038 177
151 559
115 236
984
190
759 1039
604
1259 275 264 887
532
199 1201
237
985
336 352 587 1040
21
901
114
981
588 1041
22 266 560 1144
1343
189 338
1311
982
533 265
621
70
1077
1344 783
535 23 468 337 1308 622 992
33
1102
346 332 949 1377 649 1300 71 638
771
607
943 1141
586 752
1280
19
688
639
1120
608
1188 89
1119 270 860 536
1096
1281
20 88 1184
34 24
467
1345
126 1362 798 297
738 1283
1232
1055
175 718 687 167 17
698
557 1284
1233 1154
1163
817
1252 91
1197 583
18
677
950
1292
1036 1329
92 462
818
290 1351
298
837
958 1079
1098
1250
996 152 797 932 1293
699
775 1008
719
112
514 960 573 1178
333 577 629
450
760
558 930
259
704 574
446 1191 515
1030 424 291
205
184
13 471 951 1315
1156
441 685 1157
563 193
729
1247
113 153 655
601 433
372
271 1261
959
1225 14
997
447 440
1162
907 825
636 488
740
776
1347
829 411
204
1113 315 659 258 308 656
57 1037 444
946
1169 891 351
1213 1207 1192
1182
631 472 1305
548 454
214
911
703 1348 397
1369
819 945
76 326
940
101
1374 701 1015
1327
131
1214 1100
869 368 1078 994
1014
1052 814
523
871
119 605
1371 1208 246 963 835
1058
260
1194 90
1222 169 466 602
564
309 1319 96 369
1328
528
192
412
594
875
962 582
1364
439 1215 1019
669
1340 795
226
972
725
1095
1339 35 585
762
661
147
2 1161
1074
1376
1290
327
905
1065 233
857
620
1326
842
1195
944 933
686 299
646
26
1174 282
106
1172
786
785 1277
1
1196
896
1231 926
42
542
845
144
883
154 1047 457
1159
745
384 180 442
886
262
965
670
660
363 1238
410 456
261
1200
1262
909 626
453 913 995
1235 215 730
234
320 1012
746
100 143 280 224
347
894
107
787
882 805
417
632
1212 747 672
826
872 1370 65
321 310
1341
136
1013 566 129 5
210
1017 404 1237 1093
170
1321 77
25 572
867
1094 881 247 279
850
658 41 673
328
36 578 64
463
801
634 399 322
1220
832
1021 155 8 181 934 377
7
520
879
1266
1153
436 1114
248
438 1224
884 1365
218
360
281 633 194 556 117
999 1206
176
128
361
302
111
209 118
62 627 355 125 1025
624 301
1066 967 408 183 804
497
1204 277
244
435
792 741 341
6
356 595
319 616
110
756 171 311 1075 593 749 496
1189
491 838
613
690 257
906
715
754 816
1140
735 576 538 511
1101 979 561
592 534
580 878
252 714 731
986
1285
1128 182 512
448
493
1166
198
83
109 1147 1011
693
206
706 276
373
295
1090
49
123 964
1359
1133
897 350 429
445
188
127
423
968
469
899
81
966
201
60
87
348
1164
980 461 568
420
889
628
159
674
890
888
1092
1127
1199
836
339
666 833 160
50
531
1278
609
1103
1264
936
570
1004
799
1050
393
464
1291 340 870
477
948
161
108
239 530
28
680 648
212
162
552 376
15
856 1048
874
914
413
575
51
1325 1057
82
1282
263
562
784
465 174
975
938 1001
61
915
137
1254 1056
841
313
245
614
211
1051 668
794
124
132
789
312
970
584
619
135
331
925
165
1049 1217
1248 545
1000
773
479
947 1260
343
1251
484
149 1099 403
590
1170
597 140
1373 32
69 292 16
317
758
640
227
567
1296
893 1106
342
748
1105
1009
500
31
364
449
1353
976
1205 1137
225
86
644
1272
571 1372
230
1190
1045
618
831 1241
635
187 1303 419
1176 768
148
537 122
755
303 318
1121 191
235 732
37
158
505 232
196
40
851
432
868
1183
782
27
485
39 316
421
630
1088
598
130
716 978
723
1097
1112
344
510
1352
278
1288
84 254 392 525
418
138
1216
808
774
475
383
1148
428 1129
63
222
612
844 324
1028
791
569 1046
596
85
394
414
255
253 1089
1255
812
52 164
1273 1022 728
242
139
898
1165 1116 1333
876
1267
1322
274
1356
443
1242
354 1210
653
689
378
1059
1151
1302 487
671
405
727 43
610 974 314
679
157
813
811 1173
855
961
902 1289
955
1142
1060
268
1203
489
684
163
1018 892
217
717
1256
98
529
843
494 793
751
809
365 551
540
231
852
1031
1069 451 724
1320 1005
486
866
349
599
68
908
1186
643
722 611
1269
858
1027 806
834 637
895
753
1136
1035
654
116
796
1334
810
579 495
1185
839 554
647
650
474
937
38
504 1086
939
1064
1209
422
591
989
478
734 1061
168
508
323
516
1053
134 396 517
1279
1375 603
916 1249 1349
1218
1363
1010
78
665
846
1117
452
105
733
1316
524 606
44 589
757 1076 969
935
362 678 1171
388
395
657
1198
1135
900
1043 1301
977
565
1346
800 1275
737
283
409
195
458 1024
381 387 807
186
1287
705
700
736
172
455
750
243
1070 1134
400
391 781 97
156 623
1054
1152
1044
145 73
1228 830
1350
790
1317
345
1085
642
720 166
1229
146 675
173
1081
1236 406
1354 847
1118
1087 539
1160 269
1274 104
815 216 555 402
1355
1268 1263 221 1297
676
820 401 1304
12 80
1062
803
694
726 848 721 617 849 1357
553
1313
927 1143
928
219 859 885
1270
121
1020 1042
922
1265 1080 99 778 29 840 300
238
780 1358
1126
1314 645 3
72
366 1286
1181 921 1219
223 861 779 600 998 79 1091 1332 220 702
407
581
434 912
821 667 1223 476 954
95
289
367
1115 917 482
1193
120 213
11
1067
761 1158
1227
1187
54 513 1107
1023
1211 652
877 185 359 697 802
1175 1130
133 1063 880
251
777
910
873 1253
931 480 30 197
67 66 929 695 1068 4
1155 481 1221 1072
53 625
772
483 1029 459 1007
696
142
1073
1026
770
1034
56
293 1082
763
460
651 1083 681
712 1368 742
74
430
490
1071
1104 1226 1084
1002
713 427 437 329
47 1006
93
707 296
1230 141 75 1109 1318 470 1110
325 522
382 822
739
957 541
256 431 501 94 521 769 55 294
1111
330
1360
249
48
285
287
178
202
228
1179
1177 1276 334
1361
250
304
286
306
288
370
179
203
229
379
1180
357
335
518
305
766
307
662
526
385
389
425
416
371
380
358
682
691
519
543
546
767
549
527
386
918
390
923
708
683
692
1122
1124
544
547
426
743
764
550
1131
941
919
924
709
1294
1138
1123
1125
1132
1145
1149
744
765
1167
415
942
1366
1298
1295
1139
1146
1150
1306
1309
1168
1367
1299
1307
1310
723
744
872 810
547
873
599
601
710
743
772
774
779
722
871 542
598
267
270
280
600
272
284
638
442
444
731
159
113
855
760
709
1001
310
452
326
50
188
375
266
269
271
283
868
242
143
499
279
203 666
866
649 286
205
1041
118
438
674 467
362
703 660
183
162
290
909
841
867
384
538
436
275
204
1040
437
466
210
374
702
386
537 752
632
707
116
235 350
979
808
318
612
951
441 193 229
901
355
634
751
530
977
1035 181
701
981
289
167
201
176
202
228
861 428
900 334
678
241
579
1005
14
963
768
1008
260
191
427
724
800
816
166
539
529 259
470
8
518
994
357
980 257 985
742
517
258
860
778
741
885
754
976
694
424 753
153
305
200
975
693
423
335
63 501
152
304
548
249
814
151
513 196
105
248
1034
164
736 512 69
195
149
973 735 745
68
80
103
333
972
803
687
477 15
680
476
592
551
806
232
173 950
936
393
591 361
312
231
172
805
716
595
683
158
413
120
90
970
324
682
214
433
38
157
212 78
77
75
293
628
968 676
630
584
581 625
623
573
627
211
508
506
407
302 491
495
401
298 482
489
399
396
391
382
475
621
569
669
665
663
967
406
400
398
395
390
381
507
505
494
490
488
481
474
471
668
662
965
959
956 1042
952
947
941 1038
929 1030
926 1027
1019
922
848
801
664
1043
629
966
960
583
580 957 624
953
1039
622
948
942
572 930 1031
620
655
1028
1020
618
923
927
568
566
849
462
802
378
376
351
656
916
619
567
705
472
463
377
379
450
706
352
920
755
448
917
969
408
303
653 299
451
750
640
371
76
294
449
677
586
739
884
794
37
1015
48
914
27
852
832
49
642
464
502
128
925
28
469
840
409
720
155
594
522
372
430
915
83
607
643
585
434
938
215
422
523
608
129
611
325
108
431
156
410
96
504
788
1036
681
842
243
23
121
414
730
1018
540
91
84
141
208
184
837
60
783
109
394
142
263
924
222
875
609
92
220
983
571 268
20
870
715
5
971
300
24
1000
185
264
838
180
230
658
146
605
217
388
163
250
839 492
606
93
1033
207
21
320
6
301
179
418
626
815
122
65
902
1044
245
147
79
276
186
244
419
688
493
826
251
1003
81
29
425
988
718
311
906
189
321
25
39
426
66
526
339
746
935
992
94
699
420
11
30
893
140
54
402
637
169
82
59
907
812
58
26
125
40
9
403
857
690
712
35
903
329
691
262
95
12
974
561
55
785
150
177
738
556
555
858
879
10
828
261
255
727
36
904
937
106
692
161
459
199
525
535
342
897
524
766
224
178
859
747
792
343
256
509
831
1023
174
869
356
265
288
863
910
761
557
281
711
160
898
943
670
496
322
986
536
61
225
758
138
932
949
570
767
833
273
171
383
175
139
813
64
416
763
596
795
777
487
62
336
51
34
757
856
18
1
221
918
516
853
587
98
19
2
834
360
331
695
52
854
851
890
415
114
989
380
16
198
696
498
520
846
252
197
883
239
503
112
85
33
218
7
22
209
1048
99
392
510
369
945
737
330
528
238
562
115
990
667
44
165
933
511
588
749
689
104
604
253
483
661
934
697
89
439
17
219
748
708
908
1013
654
534
370
206
119
190
86
137
421
295
636
123
721
337
233
223
45
835
798
962
13
456
457
770
519
552
338
995
698
1024
314
756
527
358
110
987
1014
274
315
728
136
836
650
134
700
955
282
455
297
124
254
582
1016
593
765
148
521
799
684
359
500
130
216
484
323
645
73
479
850
111
719
465
192
1046
468
944
829
131
100
226
1045
543
67
87
440
411
135
545
675
905
1025
964
940
306
349
560
234
610
53
107
590
317
43
740
1047
984
862
47
313
732
865
1017 227
480
776
74
497
1029
576
344
713
807
830
790
672
285
991
679
88
704
46
899
577
389
1021
345
993
316
563
615
485
921
939
824
194
213
671
405
657
844
101
659
1026
277
954
635
822
56
1032
307
631
478
958
614
42
404
102
417
843
132
364
72
363
809
931
97
429
240
319
328
821
825
117
432
978
126
602
894
685
154
57
182
603
308
597
791
144
133
575
473
804
845
847
514
3
170
784
4
486
31
332
771
385
458
864
127
946
70
895
913
41
348
531
187
435
32
928
544
982
309
168
823
71
387
880
686
714
145
633
1049
412
532
717
278
574
578
613
373
644
764
1004
648
769
397
876
515
541
827
236
246
911
533
896
759
291
762
1002
729
641
340
346
912
793
919
589
1022
296
961
353
365
367
891
789
1037
673
446
546
237
453
460
549
553
558
247
616
287
292
646
327
725
733 341
347 651
564
773
775
780 781
443
445
447
454
786
354
366
368
892
796
461
817
550
877
881 554
886
819
559
565
888
617
996
639
998
647
726
1006
1009
1011
652
734
782
811
874
997
999
1007
1010
787
797
818
878
882
887
820
889
1012
(a) The Gnutella TDG (P2P application).
(b) The HTTPS TDG (client-server application). Fig. 1. Two TDG visualization contrasting a P2P (top) with a client–server application (bottom). Largest component is with bold (black) edges – hence the graphs are best viewed on a computer screen or a colored print-out. (For interpretation of the references to color in this figure legend, the reader is referred to the web version of this article.)
Table 1 Set of backbone traces from the Cooperative Association for Internet Data Analysis (CAIDA). Statistics for the TR-ABIL trace, are reported only for the first five-minute interval since IPs were anonymized differently at each five-minute sample. Name
Date/time
Duration
Flows
TR-PAY1 TR-PAY2 TR-ABIL
2004-04-21/17:59 2004-04-21/19:00 2002-09/(N/A)
1h 1h 1 month
38,808,604 37,612,752 2,057,729
TR-PAY1 and TR-PAY2 traces. Both traces contain up to 16 bytes of payload in each packet, thereby allowing the labeling of flows using the signature matching techniques described in [26,25]. Running the PC over the TR-PAY1 and TR-PAY2 traces we find 14% of the traffic to be P2P, 27% Web, 7% DNS, and the rest to belong to other applications. A detailed application breakdown is summarized in Table 2. In the table we further report the traffic information for the top six P2P applications with the highest
1912
M. Iliofotou et al. / Computer Networks 55 (2011) 1909–1920
Table 2 Application breakdown for TR-PAY1 and TR-PAY2 traces. Values in parenthesis show the percentage of each P2P application over the entire identified P2P traffic (All-P2P). Name
% in flows
% in bytes
% in packets
Gnutella eDonkey FastTrack Soribada MP2P BitTorrent All-P2P Web (80/443) SMTP DNS Games Unknown No-Payload Rest
0.95(6.78) 2.96(21.16) 0.55(3.92) 7.76(55.44) 0.41(2.93) 0.60(4.26) 13.85 27.45 1.65 6.65 0.71 0.97 28.06 20.66
0.17(1.59) 2.22(21.17) 0.74(7.10) 0.07(0.63) 0.01(0.14) 4.59(43.81) 9.19 41.99 1.10 0.32 0.54 1.98 0.46 44.42
0.81(6.32) 2.84(22.21) 0.97(7.61) 0.97(7.63) 0.07(0.53) 4.37(34.24) 12.10 35.51 2.431 1.586 2.84 3.22 6.04 36.27
number of flows in our data set. These six applications contribute 95% of the flows and 75% of the overall P2P bytes. In our traces, we also have flows by P2P applications that are not longer in use, such as WinMX, Direct Connect, Goboogy, Ares, SoulSeek, and EarthStation. We observed that some of these protocols were used for transferring very large files and contributed many bytes, but their overall number of flows was significantly lower. In our evaluation we include all P2P flows. For our study, we remove the 1% of traffic that remained unknown and the 28% that contained no payload. The small number of unknown flows is strongly correlated with the small number of encrypted flows in our traces. 2.2. Identifying P2P TDGs Identifying the right metrics to compare graph structures is a challenging question that arises in many disciplines [31]. Our approach is to consider several graph metrics, each capturing a potentially useful characteristic, until a set of metrics is found that distinguishes the target graphs. To select an appropriate set of metrics, we generate a large number of TDGs using all our traces (Table 1), thus observing TDGs over two different locations at the backbone. For the TR-PAY1 and TR-PAY2 traces, we use the payload-based classifier (PC) in order to select which flows belong to each TDG. Since the TR-ABIL trace does not have any payload information, we use port numbers [26] to assign flows to applications. We can use port numbers for the TR-ABIL trace since it was collected in 2002 where most P2P applications used their default port numbers [13,23]. We only use the TR-ABIL trace to verify our TDG observations over a second location in the backbone and we do not use it in the final evaluation of our classifier. By using the month-long TR-ABIL trace, we can study the consistency of TDGs over different times of the day and over weekdays and weekends. We observe TDGs over five-minute intervals. This interval length gives good classification results and stability of TDG metrics over time as we show later in this section. For each TDG we generate a diverse set of metrics. Our
metrics capture various aspects of TDGs including the degree distribution, degree correlations, connected components, and distance distribution. For additional details about these metrics we refer the reader to [19,31]. To select the right set of metrics we use various graph visualizations and trial and error. Finding a less ad hoc approach is beyond the scope of this work. Two TDG visualization examples are shown in Fig. 1. We see that FastTrack (P2P) has a denser graph than HTTPS, or a higher average is given by degree, where the average node degree k k ¼ 2jEj=jVj. We utilize two other metrics that capture the directionality of the edges in the graph and the distances between nodes. The directionality is useful since we know that pure clients only initiate traffic, pure servers should never initiate traffic, and that some P2P nodes play both roles. To capture this quantitatively, we define InO to be the percentage of nodes in the graph that have both incoming and outgoing edges. The distance between two nodes is defined as the length of their shortest path in the graph. The diameter of a graph is defined as the maximum distance between all pairs of nodes, which is sensitive as a metric [31]. For a more robust metric, we use the effective diameter (EDiam), which we define as the 90-th percentile of all pairwise distances in the graph. We show the high graph diameter of the BitTorrent P2P TDGs in Fig. 2. The graph represents the BitTorrent interactions between 3000 nodes from the TR-PAY1 trace. The visualization is suggestive of a spider’s web with large paths between nodes at opposite edges. This intuition is precisely captured by the large value of the effective graph diameter. In general TDG visualizations are suggestive, but the metrics make the intuitions precise and allow classification. From our measurements, we empirically derive the fol > 2:8 lowing two rules for detecting P2P activity. Rule 1: k and InO > 1%; Rule 2: InO > 1% and EDiam > 11. With these simple rules, we can correctly identify all P2P TDGs from both backbone locations (Abilene backbone and Tier-1 ISP). Intuitively, P2P hosts need to be connected with a large set of peers in order to perform tasks such as answering content queries and sharing files, which can explain the higher average degree compared to client–server applications. An additional characteristic of P2P applications is the duality of roles, with many hosts acting both as client and server. The duality of roles is in turn captured by the high InO value. We further speculate that the decentralized architecture of some P2P applications (such as BitTorrent), can explain the high diameters in some P2P TDGs. We do not claim that our thresholds are universal, but our measurements suggest that small adjustments to these simple parameters allow our methodology to work on different backbone links. Distinguishing collaborative applications from P2P: Some well-known applications other than P2P exhibit collaborative behavior, such as DNS and SMTP. This is not surprising since in these applications servers communicate with each and servers act both other and with other clients (high k), as clients and servers (high InO). This is exactly what our metrics are set out to detect. Next, we outline two
1913
M. Iliofotou et al. / Computer Networks 55 (2011) 1909–1920 2042
1906
2885
2060
3213
3654
2706
1498
3512
3227
3563
3006
3646
3174
2066
3511
1243
3501
3498
3497
3490
3489
3487
3486
2050
2620
2614
2613
515
3483
1001
3482
3473
2592
2591
3472
3467
3466
3040
2043 39 2011
2953
2238
2237
2949
2948
2947
2946
2276
2274
2631
1592
2211
496
980
1331
1757
2630
1782
2593
1278
2590
2589
2588
3217
1799 846
3294
1737
2227
2788
1347
3386
1156
3263
516 2130
741
2975
2974
2983
2982
704
2116
2115
1708
1707
2586
3340
2743
3289
270
2529
2212
1941
2585
857 38
1923
2918 362
2275
1884
1783
1114
1738
688
1876
2242
2391
2124
2677
2629
3240
140 1064 1348
1293
1279
1157
1676
1675
2633
838
2815
2579
2578
2379
3038
742
705 839 956
2813
1504
180
2122 1169
1281
136
88
1924
2173 2990
2989
363
2676
1054
2628
271
1636
1546
1115
2028
2109
1414
385
1705
1305 1200
723
141
1394
726
3427
1393
2026
1065
3008
2110
2700 957
1647
26
1375
932
3007
1168
3454
25
622
3453
1908
1280
3471 1306
3255
771
1646
3525
137
1075
1275
3378
722
1055
87
89
1127 1342 808
131
52
1128 384
1407
3010
3009
2608
3448
3447
124
809
3371
2323
2781 1467 2966
3298 1890
2727
53
1744
1704
404 2680
3146
1044 1363
3449
1814 2504 2351
3530
2731
3544
3543
3551
3550
1340
1339
1299
62
3444
2941
2123
2624
3443
2047 2715
1191 2157
1408
132
2132
853 3606 1059 856 155
3587 2716 3162
1028
396
401
3436
3435
3018
637 293
1349 1188
2695
520
1639
1406 2182 2315
434
1259
1629
3313 2147
2693
2718 146
973 3417
854
1082
130
1686
2574
2573
2559
2558
1007 3576
2065
1677
397
2104
156
519
1638
1058 855
1390 982
145
3228
1107
255 3570
892
3569
2846
1173
1172
1165
1164
294 2454
121
2004
400
2155
1102
518
2399
654
46
1100 1049
2770
1048
1443 1537 1006
357 3577
1953
129
2064
1106
2236
2235
1389 587
58
504 3492
1310
2270 221
1118 1770
28
24
47 3390
517
419 1514 254 1557 1921 2400
3375
1927
274
1180
1125
655
1672 1518
2322 2005
2836
2778
967
29 405
59
2051 220
815
2094
122
543
2534
2533
23
588
356
1062
1266
361
111
1886
225
1311 2370
2250
2249
1309
1070
27
930
163
2168 966 1485 803 1061
1060
2059
923
922
2015
275
3613
1440
2523
816
3176
1928
2643
406
2881
914
224
2522
444 1124
773
1004
832 2644
913 944
273
1490
2450
473 534 288
2734
1267
772
888
2515
2514
452 112
2239
287
1286
1897
3395
1784
1618
3585
3584
3593
3592
868
867
185
453
2366 802
3309
1690
309
1095 3178 998
2079
3437
1529 2344
833 1005
1530
2088
2087
2082
2081
533
1962 770 2823 3214
3002
615
700
3080 992
3072
3419
1473
1288
3133
1815
1645
2785
1477 3468
2616
756 3337
985
984
1508
3539
663
987 747
7
11
3179
776
465
1777
454
310
1538
3224
480 2220
3601
3600
3362
3015 2474
474
1596 3187
1591
481
68
8
1336
1619 2747 3132 989
988
799
699
798
286
2615
2935
1533
2926
2934
769 69 2744
738
2849
3225
761
760
2933
2610
451 234
633 3215
12 1610
2401
455
1507
662
240
1388
1899
1813
1534
2925
1462 1867
324 3014
1476
2959
505
1620
3123
2075 678
285
1595
677
1594
2705
680
3252
2845
2455
2748
2447 1033
1632
679 2177
960 2061
2062
3609
2353
3612
3611
682
1480
1898
573
681
3231
1812
1811
1785 3614
1881
447
450 1896
3124
3145 2780
634
1902
262
844
843
1249
1248
3045 1727
1739
2494
942
601 2213 238
1034 2980
1680
1631
337
442
3186
2503
2502
2021
599 2449
560 559
2174
3098
3272
2348 862
2567
472 3586
532
2311
1669
1422
2283
1901 380
1719 2564
2726
602
381
1959
2510
551 443
1588
421
600
572
598
566
565
1671
1670
3404
2001
1531 1766
1853
2437
1341
1585 1681 3005 531
1587
298
647
420
2464
1710 2264
471 2428
2957 861
782
547
546
1874
2057
417
2056
3567
2438
1578
959
2623 18
91
1987
931
1579
3588 2565
552
438
437
399
398
3171
754
753
529 2855
1523 1586
378
2789
1765
1141
2427
2928
2927
379 17 376
2263
3517 2958 3023
3022
3025
3024
2302
1939
1088
648
1087
2930
1709
521
997
716
902
1558
3655
2657
2754
236
958 1417
90
596
595
1418
841
330
840
1789
1788
1780
1779
703
1424
1622
1319
483
329
970
429
969
237
2810 3109
1412 996
1612 430
545 748
544
1758
1327
377
3573
1433
3027
1067 667
1303
3026
292
2746
291
1068
1506 2921
811
968
3622 1320 1261
1260
3523
284
283
1161
3403
462 2825
2092
2136
3222 2472 1520 2884 113
3616
1016
3615 3496
2225 1519
3459
730 216
1977 1469 1295
1326
577
594
1434
249
248
245
244
3402
3401
3011
3583
2073
3241
2317
1826 2462
3481
1017
463
983 3122
2659
609
606
448 578
829
501
1186
2178
2113
1752
3383
3575
3382
338
1404
114 881
217
1415
1405
593
339
910
1296
909
1236
1235
1743 2156
1742
493
2252
459
500
3623
2251
135
134
3251
340
214
3380
1936
714
2690
3477
2330
2074
513
3112
2681 1177
715
3147
610
1751 828 154
95
3242
2542
528
476 2669
2668
2671
2670
870
1864
3282
2486
2485
2568 630 1869
241 403
898 2689
458
3148
875 1847
402
876
104 2720 3306
3568
1427
514
642
2496
96 477 103 2463 1277
153
1940
1051
2814
1868
2831
641
1193
920
2911
2910
2900
2837
2902
2901
64
2916 2152
2673
2267
2672
3157
3518
2868
3041
3548
1593 495
762
3653
1964 2044
1197
200 1750
2188 2291
1192
3432
2863 2685
2189
1491
2686
35
34
1163
101
1945
583
389 2571
1134 1590
2398
2032
494
206 2151 431
921
1946
2646 1094
2490 65
2554
3029
3028
2443
763
3344
2430
1492
3470
1354
1135
1572 1411
3199
817
308
307
3149
1699
2229
2228
1252
388 439
2117
584
345 1423 1225
3627
3626
3629
3628
3633
3632
3643
3642
1589
6
2745
3032
205
2397
1015 207
3158 109 60 1152
3374
2327
1580
2484
1952
2483
2300 905
971
1050
1573
2808
5
2246
2497
110
1345
1344
1253 684
3167
346
818
3336
2161 344 3269
31
2923
1877 3475
3479
800
3059
3617
3311
2476
2475
1276 1184 1358
157 2306
1297
183
2804 1176
1513
208
139
3594
159
2165
1653
1895
61
1382
706
333
3634
10
638
176
2069 3161
30
1762
972
639
1761
1047 1982 3508 3491
3
2728
2114
181 2736
3638
175 2260
460
1460 1181
57
508
1468
1359
158
3182
2971
751
1195
935
1911
934
1495
1823
1494
3076 1425
807
3610 707 1493
160
1912 3619
2894
2893
2699
1410
9
1461 138
1346 530
1983
56
1111
1957 946 182
1372
464
1455
2126
3097
507 2030
2662
71
2247
3192
2018
2331 1196
2208
965
280
964
2888
3141
2887
813 1024 1022
243
2835
1409
392
736
1837 70
1233
1797 659
737 607
281
393 394
812
2688 3637 801 2107
2709
2883
1037
2108
2691
824 242
2684
2226
806
1160
608 1201
2793
2809
278
2995 2505
860
1845
152
2048 1401
1083 1768
2943 3229
1958
1512
3207 1846 1505
2800
695
694
1202
2872
2871
1723
1023
1822 2932
825
1657 1240
440 395
3560
2742
1833
2193
1817
1254
2363 1428
2905
2904
797 2759
3042
260
629
1973
628
1665
2223
2222
1605 2599
1693
1661
1445
3183 408 3636
1194
1606 2507
2801
1656 1767 167 2245 2392
1241
1875
2072
2459 1444
3305
1913
994
3421 261 2240
1521 1140
1722
2040
2039
1660
3134
2192 1972
3343 3036
3035
251
250
20
19
1522
168
871
1432 2886
1026
2506
796
1511
661
1996 1368
691 872
470
2493
2358 1703
314
2896
3259
1384
1234
1698
2149
355
539
2880 2917 2456
424
2460
187
186
98
97
3377
2167
3376
2641 491
3356
3064
625
1215 118 3087
669
668
467
1273
926
2261
466
259
268
2687
232
1844
1397
624
2280
2617
1745 3519
3253 2694
835
1697
1999
1112
354
605
538
3349
192
1385 40
1145 690
418
1992
2994
1231
692
2762
1222
1232
1221
2148
660
585
3220
1900 537
536
1270
2618
3405
3529
1966
2224
1604
1730 3218
3052
41
3051
1204
3347
2906
2664
233
1849
2769 1313
2248 2217 269
1000 2761
2478 94
1426
2090 117
1076
2929
2461
258
2553 877
15 3054
2203
3314 341
3504
3055
561
211
2531
37
2204
1220 1109
1010
2287
2663
2730
3117
2433
586
3221
2469
1827
744
315
2184 999
213
335
2798
368
1717
100
99 449
2183
1891
360
570
3115
50
953 2372 2290 1398
2704
2703
556
2076
555 3335 2329
1085
869
1623
963
2457
651
1778
1413 1144
698
312
711
710
1547 2944
3334
3333
2991
342
36
3393
120
1903
3070
1219
2083
209
3118
3173 1294 2314
1861
548
353
1644
3431 210
2848 977 2920
1441
306
1947
1892
743
2350 1532 3058
3057
256
2384 334 3101
2230
2000 383
391
426
1624 2721
44
2162
2601 890
1482
3455
562
93
569
708
1380
371
370
1466
1625
1465
2436
2435
1621 3571
390 794
479
2826 1330
3061
1948
51
1086 2919
904
3003
2757
305
228
1338 3502
3060
903
457
673
3033
382
2067
1383 3039
2717
576
2912
162
119
190
2285
2442
2570
456
229
3412
1626
189
2052
2181
952
2625
3439
13
195 2640
2931 203
2328
161
1
2063
1041
2143
1942
945 672
3063
3062
3067
3066
580
874
2636
372
1198
3327
3326
478
823
1133
246
2842
204 1329
851
822
522
1092
720
1679 1373
3169
2070
1949
226
3170
883
194
2652
3414
1502 804
746
745
1652
3318
943
414
427
2760 267
191
3086
3528
3082
1039
884
2879
2281
1040
3325
3324
721 579 1206
374 525
14
247 1484
92 3111
597
2468
2146
1244
74
1374
2416 125
2576
2889 2091
1283
413
266
375 1561
2550
54
827
826
1635
171
1746
144
1855
1986 2071
3545
1205 1678
805
2577
852
373
73
1187
3323
3322
301
2185
2272
75
1247
1860
1963
1535
116 895 492
2389
1716
986
3034
1314
2725 2390
343
2013
3056
302
1772
784 3400
3652
612
3596
611
674
2552
3281
3075
2415
1673
143 1781
468
2772
2419
2361
133 3151
2867
1798
1854 115 1179
2499
2129
3250
759
3194
671
3461
3065
2807
2362 1078
1178
1701
55
1369
750
147
1486
764 1370
2420
3495
2258
482 2940 1282
2937
670
1077 1155
178
1149 3233
2936
1158
718
1526
1791
783
2031 820
1648
810 1429
2862
222
780
1143
2584 845
2811
2861
2277
1302
1568
2166
1096
3004
148
1920
223 786
387 2833
2445
2575
1536
469
2619
3053
1599
1497
3206
785
1362 788 732
3540
1081
2903
749
2068
1436
3360
3268
2465
1614 2954 2771 765
758
656
2517
1159 719 2383 618
2674
1148
617
1848
1142 2365
1696
1976
2207 1470
202
2278
177 366
2812
2086
787
2446
3285
169
2913 1008
2100
2956
1021
766
2543
1119 1794
2945
563
1792
2555
1121
650 2029
3205
735
791
734
1069 675
1437 165
657 1615
1642
2832 367
1079
2859
2714
2713
2241
1773
1032 386 1598
2145
821
3155
1002
1056
3321
3320
3301
729
2431
1353
1151 1459
1666
2914
3410 2284
2963
1667
1052
166
1029
961
1117
142
1150
2012
3413 3463
2190
3181
3074
3073
564
859
858
1663
2095
1419
3267
1392
410 3140
2422
2797
127 1333
792
649
2796
2214
2096
676
2084
3566
757 1515
911 1131
1263
1053
1379
2765 3532
550
1655
962 2257
1080
1400
2256
3096
409
1003
2432
2596
1019
1018
2023
2022
1332 2163
2572 2560 350
2035 3649
850
170
849 2877
1352 2221
511 1479
1147
2508
2041
1458 2675
3079
3078
3077
1350
3089
3088
3091
3090
1020
1285
1284
2852
1167
2851
1933
793
1689
2305 2847
2219
1643
948
524
1961 3331
2262
303
2875
2135
2547 1378
697
2444
1421
1230
2556
2144
1654 78
2279
3513
3257
2683
128
2367
3630 2255
1207
1300
2045
3308
3139
2563
2834
2034
1301
2639 349
3484 3016
3017 1171
3232
549
557
3291
1123
512 289
3526
2298
696
523
2137 1613
1229
603
1166 263
1965
2418
2417
1843
2412
2404
2403
1878
2544
1255
2737
2792
2539 2583
900 3507
908
3372
941 2600
940
2259
1775
635
1218 2876 2180
2053
2254
2289
3128
929
928
955
954
317
2480
1925 1979
1544
1728 3142
1031
950 1356
322
150
894
3416 1915
3527
2099
1994
1035
2985 1971 778
3127
43 32
2312 901
3180
1499
3254
42 1036
81
1748 2054
276
2355
1694
2866 318
3049
321 3188 1909
277 2612
80
423
1980
1132
951
2017
2016
2978 1804
2702
1183
3172
3303
1873
2282 1483 33 1803
3354
1138
2102
422
2434
1545
2858
2609
1387 2191 896
1209
1208
3193
149
2206
2080
2205
1889
1471
3476 2645
1105
3346
1664
3559
949 82
2635
3384
1747
1214
1182
1093
3595 107
2101 1449 2821
1937 2951 108
2532
1386
1269
1268 3524
2528 2724 2243
2304
1754 3631 702
3302 2458
3236
2557
2338
2196
1517
3288
3287
252
2414
1116
219
574
83 174
978
2105
1013
1879
1103 2197
2537 1850
2648 3366
173 2952
701
1753
979
1014
1104
1308
1307
3280
3279
1720 1706
2402
2332
590
2869
2696
621 3012 1721
218 1258
1692 2118
3297
3154
1323
3635 866
939
937
1829 3105
3104
3505 3500
1315
3648
2660
2265
2860
575
3278
3277
199
1830
1265
296
264
2538
589
620
2511
3189
3415
645
789
3203
2530
2753
2752
2764
2763
1760
2121
865
2170
938
2308
936
3013
2394
2393
2388
2387
731
687
1700
3130
3565 915
1396
1395
1403
924
1402
1431
1430
1447
1446
1628
646
1223
790
2964
1224
1553
1602
265
1759
2120
3350
1464
1463
1324
2169
2307
1316
2967 2055 3129
1819
1541
1540
1543
1542
3564
1818
1551
1550
1556
1555
1563
916
925
1712
1562
1802
1711
1584
1488
2965
1583
1582
1581
3204
1597
990
1608
1607
1634
1633
1641
1487
1640
1650
1649
2200
2199
709 554
327 885 1825
1810
1824
1840
1839
1866
1865
1872
1871
2319
2318
2321
567
2325
2324
1554
3160
3159
3164
3163
831
3168
1888
2119
2139
2138
2160
1887
1603
1715
2159
2968
1917
1714
1732
1916
1919
1918
1930
1929
1932
1931
1956
1955
1968
1967
1989
1687
1988
1998
1997
2008
2007
2818
2817
2899
2266
1805
2310
2309
2175
2791
2790
2195
2194
2202
2201
1926
428
2767
2176
2766
2774
2773
2787
2786
2334
2333
3191
3190
2336
2335
2024
2025
2347
2346
2360
2359
2369
2368
2375
2374
2378
2377
2382
2381
2386
2385
1435 553
328 3138
3137
3144
3143
499
1943
2795
2794
1617
2802
412
3197
3196
3202
3201
3212
3211
3223
2999
3244
3243
3247
3246
3261
3260
3271
3270
3275
3274
2602 2605
411
2603
Fig. 2. Graphical representation of the BitTorrent TDG with 3000 IPs, showing the formation of long paths connecting P2P hosts. The largest connected component is highlighted with darker color edges.
2.3. Practical considerations for TDGs 2.3.1. Stability of metrics over time If thresholds derived from TDGs changed significantly with time, then the classifier must be trained constantly and that would detract from its value. Fortunately this does not appear to be the case. We show the stability of TDGs in time and space using traces from different points in time at two different backbone locations for Abilene and a commercial Tier 1 ISP (Section 2.2).
To test stability over time, we measured P2P TDGs from our longest trace (TR-ABIL) that span over one month and include samples taken over day and night hours, and both weekdays and weekends. To the best of our knowledge such month-long traces with payload are not available. Stability was also observed in all the one-hour long traces (TR-PAY1, TR-PAY2). Fig. 3 summarizes the stability study for TR-ABIL showing the average degree metric. As we see, average degree takes values in a small range over the entire month. Soribada tends to have very small graphs ranging from 30 to 1000 nodes and hence the higher variability. Stability was also observed for the diameter and InO metric with the figures not included for brevity. For this study, we used TDGs representing five-minutes of traffic. In Section 2.3.2
Average Degree
approaches that can help to separate between collaborative applications (e.g., DNS) and P2P: (1) One solution is to rely on port numbers or payload information for this task. In fact, it has been reported recently [26] that port numbers are fairly accurate in identifying such legacy applications, although they fail to identify P2P and other applications with dynamic use of port numbers. Therefore, one could use legacy ports to pinpoint and isolate such collaborative applications and then use graph metrics on the remaining traffic. In addition to port inspection, we can also examine the payload of a flow in order to verify that it follows the expected application-layer interactions. (2) In a recent work on dynamic graphs [16], we show that measuring how much TDGs change over time gives additional information about the nature of the applications. In particular, we observed that P2P TDGs are more dynamic (i.e., how frequently nodes and edges change over time) than legacy applications, such as DNS. If the classification problem at hand requires this further separation, we can incorporate such dynamic techniques in Graption.
30 28 26 24 22 20 18 16 14 12 10 8 6 4 2 0
min = 23.73
0
Gnutella FastTrack Soribada
WinMX
eDonkey
MP2P
Fig. 3. The average degree for various P2P protocols over one month in trace TR-ABIL. Candle sticks show the maximum and minimum recorded values together with the average (horizontal line) and ± the standard deviation. For visualization purposes, for the MP2P application we show only the minimum value which is very high (23.73).
1914
M. Iliofotou et al. / Computer Networks 55 (2011) 1909–1920
we show experiments with TDGs where we vary the observation interval from five seconds to 15 min. Note that BitTorrent is not shown in Fig. 3 since it was not well-known in 2002 and resulted only in a handful of flows in the TRABIL trace. 2.3.2. Selecting the interval of observation The effect of the observation interval on the graph metrics. We observe that by increasing the observation interval, graph metrics are more stable across successive TDGs of an application. To show this, we measure the variation of all our graph metrics over time as a function of the interval of observation. We vary the interval from one second up to 15 min. For each interval length, we generate consecutive graph snapshots with non-overlapping time intervals. For each interval, we extract the graph and calculate the average degree, InO, and effective diameter metrics. We examine the variability of each metric over all intervals of observation. We use the commonly-used range metric, which is the difference between the maximum and minimum observed values over all intervals for each graph metric. For each metric, we then normalize the range by the average value calculated over the time series. This normalization makes the range for different metrics somewhat comparable. For each application, we report the average range over all three graph metrics, and we plot this average range versus the duration of the observation interval in Fig. 4. Our experiments showed very high range values for intervals smaller than 60 s. The range shows significant decrease for intervals larger than a minute. Increasing the interval from five minutes to 10 and 15 does not significantly effect the range. This trend is shown in Fig. 4, where we report the average range over all metrics for a set of our applications. Even though we have variability in our results, there was a clear trend in all our measurements. Similar trends we observed in all our traces (Table 1). For the rest of our study, we use five minute intervals. 3. The Graption framework The Graption traffic classification framework consists of the following three steps. 2.5
DNS EDONKEY FASTRACK GNUTELLA HTTP NTP POP3 SMTP MP2P
Variation Range
2
1.5
1
0.5
0
0
100
200
300
400
500
600
700
800
900
Interval Length (sec)
Fig. 4. The effect of changing the interval of observation for TDGs ranging from five seconds up to 15 min over a large set of protocols. To reduce variability we can choose to use longer intervals. After 300 s the reduction in variability is not significant.
Step 1: Flow isolation. The input is network traffic in the form of flows as defined in Section 2. The goal of this first optional step is to utilize external information to isolate any flows that can already be classified. This knowledge could be based on payload signatures, port numbers, or IP address (e.g., exclude flows from a particular domain such as google.com). Step 2: Flow grouping. We use similarity at the flow and packet level to group flows. The definition of similarity is flexible in our proposed methodology. We can use flow statistics (duration, packet sizes, etc.) or payload if this is available. Eventually, the output of this step is a set of groups with each group ideally containing flows from a single application (e.g., Gnutella, NTP, etc.). However, at this step, the exact application of each group is not known. Step 3: Group classifier. For each group of flows, we construct a TDG. Next, we quantify each TDG using various metrics. The classifier uses these metrics to identify the application for each group of flows. For the classification decision, we use a set of rules which in general depend on the focus of the study. Although this paper focuses on P2P detection, we believe Graption can be used for general application classification by choosing metrics and parameters appropriately. We next describe how we specialized Graption to detect P2P traffic (Graption-P2P).
3.1. Implementation details of Graption-P2P Step 1: This is an optional step in our methodology. Experiments without this step are discussed later in the section. Recent work [26] suggests that port-based classification works very well for legacy applications, as legacy applications use their default ports and tunneling of P2P at such ports is not very common. Thus, in this study, we isolated flows with port 80 for Web, port 53 for DNS, and port 25 for SMTP. These applications turn out to be about 65% of the total number of flows. In our traces, the proportion of P2P actually using one of these ports is as low as 0.1%. Step 2: To implement flow grouping we use the fact that application-level headers are likely to recur across flows from the same application. Therefore, payload similarity can be used to group flows. In Graption-P2P, we only use the first sixteen bytes from each flow. As we show, sixteen bytes are sufficient to give very good classification results. This observation agrees with findings in [30,28]. Even though we use the payload bytes, our grouping is agnostic to application semantics, as each byte is considered as a single independent categorical feature. We consider each byte as a single categorical feature in the range {0, 1, . . ., 255}. The flow grouping step comprises two sub-steps: cluster formation and cluster merging.
1915
M. Iliofotou et al. / Computer Networks 55 (2011) 1909–1920
Step 3: The outcome of the previous step is a set of groups of flows, with each group consisting of flows that we hope stem from a single application. In order to classify each group, we generate a TDG on the group in the same way as described in Section 2. Each group yields a TDG that can be summarized using graph metrics. To identify P2P TDGs, we used the rules extracted from Section 2.2. When a group is labeled as P2P then all the flows of that group are classified as P2P flows.
3.2. Evaluating Graption-P2P To evaluate Graption-P2P, we use traces TR-PAY1 and TR-PAY2, where we have the ground truth using the payload classifier (Section 2). We compute the True Positives, False Positives, and False Negatives. The True Positives (TP) measures how many instances of a given class are correctly classified; the False Positives (FP) measures how many instances of other classes are confused with a given class; and the False Negatives (FN) measures the number of misclassified instances of a class. In our comparisons, we used the following standard metrics: Precision (P), defined as P = TP/(TP + FP); Recall (R), defined as R = TP/(TP + FN); and the F-Measure [38], defined as F = 2P R/(P + R), combining P and R. In all our results, the metrics above report the classification performance in terms of flows. 3.2.1. Forming clusters The K-means algorithm generates k clusters and assigns each flow to a different cluster. We first test the effectiveness of K-means to form pure clusters. A pure cluster will ideally contain flows from a single application. To label the clusters, we use the dominant heuristic [3]. In this heuristic, using the ground truth of flows we label each cluster as belonging to the application with the majority of flows in the cluster. All the flows of a cluster are then classified to belong to this dominant application. Using the dominant heuristic we assign clusters to applications and calculate the precision (P) and recall (R) for different values of k. The clustering results as we increase k for both traces are shown in Fig. 5. We observe that with sufficiently large k (>120) we achieve very good results with P and R above 90%. By increasing k, on one hand we have more ‘‘pure’’ clusters but on the other we make the cluster merging step harder. In the extreme case, each cluster will contain a single flow giving 100% P and R, but making cluster merging challenging. We will return to this topic later in Section 3.5. The Graption-P2P classifier is not sensitive to the exact value for k, since we do not require that each application maps to exactly one cluster. Instead, we only need enough clusters so that flows from different applications do not share a cluster. Hence, it is reasonable to slightly overestiClustering Performance for K-means(%)
(a) Forming clusters. Given the set of discriminating features, the next step is to cluster ‘‘similar’’ flows together. We use the term cluster to describe the outcome of an initial grouping using the selected features. Clusters may be merged in the next function of this step to form groups, which produces the final output. Feature-based clustering is a well-defined statistical data mining problem. For this task we used the popular K-means algorithm [38]. This algorithm has been commonly used for unsupervised clustering of network flows [10,30], with very good results and low computational cost. K-means operates with a single parameter that selects the number of final clusters (k). As we show later in our evaluation, our classifier gives very good results over a large range of k. The similarity between two flows is measured by the Hamming [38] distance calculated over the 16 categorical features (i.e., the payload bytes). Even though more involved similarity measures such as edit-distance (also known as Levenshtein distance) exist, Hamming distance has been used successfully before [15] and performs very well in our application. (b) Cluster merging. During clustering, it is likely that the same application generates multiple clusters. For example, many P2P protocols exhibit a variety of interaction patterns, such as queries (UDP flows) and file transfers (TCP flows), each with significantly different flow and packet characteristics [23]. This motivates mergings clusters that we expect to belong to the same application into groups. This grouping provides a more complete view of the application and aids in understanding the structure of the P2P protocol, as we show in Section 3.2. Cluster merging cannot be based on the chosen set of flow-level features that were already used to create the clusters originally. Instead, in the case of a P2P protocol, it is natural to assume that the TDGs corresponding to each cluster of the same protocol would share a large number of common nodes (IP addresses). Based on these observations, we use an Agglomerative (Hierarchical) Clustering Algorithm that recursively merges clusters with significant similarity in IP addresses. We used the following metric to calculate similarity between clusters: Sim(C1, C2) = (Number of flows having their source or destination IPs present in both clusters)/(The number of flows of the smaller cluster). The cluster merging process starts by hierarchically merging clusters with high similarity and stops when the similarity between all new cluster pairs is below a similarity threshold (ST). As we show later in our evaluation, our classifier gives very good results over a large range of similarity thresholds.
96 94 92 90 88 86 84
Precision (TR-PAY1) Recall (TR-PAY1) Precision (TR-PAY2) Recall (TR-PAY2)
82 80 0
40
80 120 160 Number of Clusters (k)
200
240
Fig. 5. Evaluating K-means: With sufficiently large k (>120) K-means can efficiently separate the flows of different application. All classification metrics are in terms of flows.
1916
M. Iliofotou et al. / Computer Networks 55 (2011) 1909–1920
mate the k. As we show next, with k in the range 120–240 Graption-P2P has high classification performance. 3.2.2. Identifying P2P traffic Using Graption-P2P, we achieve high flow P2P F-Measure over a range of values of k (K-means) and similarity thresholds (ST). We show this in Fig. 6, where we vary the ST from 0.01 to 1 and use a sufficiently large k (see Fig. 5). All experiments are averaged over each disjoint five minute interval of both traces.Intuitively, by using a very large ST, the clusters of an application are not grouped together, which results in TDGs that are harder to classify as P2P. On the other hand, with a very small ST, clusters belonging to different applications are merged together leading to poorer classification performance. The results in Fig. 6 show that we achieve good classification performance (>90% F-Measure), over a large range of similarity thresholds and number of clusters (k). In Fig. 7, we compare our approach with labeling each cluster using the ground truth (i.e. without merging any clusters and labeling each cluster using the dominant heuristic). Intuitively, for a given clustering of flows, the ground truth shows the best that our cluster labeling mechanism can achieve. For merging, we use a ST of 0.5. From Fig. 7, we see that Graption-P2P deviates only slightly from labeling clusters using the ground truth. In the same plot, we also compare Graption-P2P without the cluster
F-Measure of Graption-P2P (%)
100
k=120 k=160 k=240
95 90 85 80 75 70 65 60
0
0.1
0.2
0.3
0.4 0.5 0.6 Similarity Threshold
0.7
0.8
0.9
1
Fig. 6. Graption-P2P achieves > 90% flow F-Measure over a large range of similarity thresholds and number of clusters (k).
merging step, highlighting the benefit of merging clusters of the same application together. Using a ST of 0.5 and k = 160, Graption-P2P achieves above 90% Recall and above 95% Precision over all disjoint five minute intervals for both traces. To apply GraptionP2P to other backbone links, the same selection process can be repeated to adjust the values of ST and k. Our experiments show that the classification performance can degrade with a bad choice of parameters. However, as shown in Figs. 5–7, for reasonable choices for k and ST, our method provides very good results. The Graption framework is flexible enough to incorporate state-of-theart clustering methods. 3.3. Comparison with BLINC [25] We used BLINC to classify traffic for both TR-PAY1 and TR-PAY2 traces. BLINC was optimized after several trial and error efforts to achieve its best accuracy for classifying P2P traffic over these traces. A detailed description of the selection process for the parameters for BLINC is provided in [26]. As reported by Kim et al. [26], tuning the 28 parameters of BLINC is a time consuming process. This is because small changes to the thresholds have a significant effect on the classification results. The Recall and Precision for BLINC are 84% and 89% respectively compared to 90% and 95% of our method. The classification performance per P2P protocol for both BLINC and Graption-P2P are shown in Fig. 8. Given that both methods do not distinguish between particular P2P protocols (e.g., Gnutella vs BitTorrent), it only make sense to report the portion of identified traffic (recall) for each protocol. Graption-P2P can identify more traffic for all P2P applications tested with the exception of MP2P. We can see from Fig. 3 that MP2P has a much higher average node degree than the other P2P applications which can explain the high performance of BLINC over this protocol. Going back to Fig. 8, we see that BLINC has significantly lower performance for some P2P applications. For example, Graption-P2P detects 95% of BitTorrent traffic, while BLINC detects only 25%! In addition, Graption-P2P detects 91% of the flows from the three popular P2P applications {BitTorrent, Gnutella, and eDonkey} while BLINC detects only 73%. Our experiments suggest that BLINC and possible other behavioral-host-based approaches work well when applied Graption−P2P BLINC
95
100
90
80
85 Ground Truth Graption-P2P: Merging Graption-P2P: No Merging
80
Recall (%)
F-Measure of Graption-P2P (%)
100
75 70 65
60 40 20
60 80
100
120
140 160 180 Clusters (k) in K-means
200
220
240
Fig. 7. Graption-P2P compared to cluster labeling based on ground truth. Results are also compared with and without cluster merging.
0 BitTorrent Gnutella eDonkey FastTrack MP2P Soribada
Rest
Fig. 8. The percentage of P2P flows detected by Graption-P2P and BLINC. Flow precision for Graption-P2P is 95% and for BLINC is 89%.
M. Iliofotou et al. / Computer Networks 55 (2011) 1909–1920
at the edge, where a large fraction of host flows are observed and hence enough evidence is collected to profile each node. However, this is not always true for backbone monitoring points which can explain BLINC’s lower performance. These observations are also supported by findings in [26]. We acknowledge that BLINC provides a methodology for detecting traffic from multiple classes of applications (e.g., HTTP, FTP, Chat, etc.) and not only for P2P. Our results only show that Graption-P2P does better in P2P detection. 3.4. Identifying the unknown Our goal here is to answer the following question: Can Graption identify ports used by unknown P2P applications in our traces? To achieve this, we configure Graption as follows. For step 1, we isolate legacy flows using the same approach as in Graption-P2P. In addition, we isolate flows from ports that belong to known P2P applications (e.g., port 1214 for FastTrack). At step 2, we cluster flows using their port number. This produces one cluster for each distinct port in the trace. For merging clusters, we use the same similarity threshold as in the Graption-P2P configuration. Finally, for classifying each group (step 3) we use the same rules as in Graption-P2P. We will refer to this configuration as Graption-P2P-Ports. By manually inspecting the TDGs that Graption-P2PPorts reports as P2P, we discovered interesting behaviors in the Abilene Trace (TR-ABIL). Our simple method was able to detect three ports (2002, 4156, 1978) that we initially thought were false positives. On further research, we found that these three ports were used by the Slapper2 worm. Slapper has been reported to use these ports in order to form a P2P botnet overlay for launching DDoS attacks. Even though Graption-P2P-Ports was never explicitly trained to detect the Slapper overlay, it used the TDG profile of known P2P applications (e.g., eDonkey, Gnutella, etc.) to identify it. This is an advantage of using network-wide behavior to classify traffic. Graption-P2P-Ports also captured an unusual behavior of IPs executing traceroute to each other forming a near clique. Such highly connected group of hosts was not observed in any of the P2P applications present in our traces. We speculate these interactions are by host performing active network measurements inside the Internet2 (Abilene) backbone. Given this unique connection pattern, we can always isolate such unusual behavior and distinguish it from a potentially new P2P application. Besides the active measurement traffic and the flows from the Slapper worm, Graption-P2P-Ports reported only 0.3% other flows as P2P. With no payload information, we were not to able to manually match these flows to a known exploit or P2P application. 3.5. Other Graption configurations For completeness, we show here preliminary results with other system configurations assuming that access to payload is limited or isolation cannot be used. We proceed by describing these configurations. 2
http://www.cert.org/advisories/CA-2002-27.html
1917
Graption-P2P-NI: without isolation. This is the same configuration as the Graption-P2P, but without using isolation. By increasing k in K-means above 300 we achieve good results; >92% precision and >85% recall. A larger k was to be expected, since by including all the Web, SMTP, and DNS flows the total number of signatures increased as well. Our preliminary experiments showed that by increasing the number of clusters, it makes the cluster merging step more difficult. This observation highlights the advantage of using isolation. Graption-P2P-NP: using only flow-level features. This configuration is the same as the Graption-P2P, but assuming that payload and port numbers cannot be used. We achieved >90% precision and >88% recall over a range of k and similarity thresholds. For each flow, we extracted more than 40 flow features ranging from packet size information (size of first 10 packets, max/min packet size, etc.), timing information (flow duration, min and max inter-packet gap, etc.), TCP flags, total volumes in bytes, number of packets, etc. In order to test the relevance of each feature we applied the Information Gain Ranking Filter [38] over various time intervals. For this configuration, we used the most prominent features: packet size information (i.e. min, max, and the size of the first five packets) and protocol (UDP or TCP). A recent work [11] also supports our observation that packet sizes are good features to cluster/classify network flows. 4. Related work This journal paper extends our six-page workshop version [18]. In addition to the work presented in the workshop version, we here include: (a) A study on practical considerations for using TDGs (see Section 2.3, Figs. 3 and 4). (b) We provide additional details regarding our data sets and our classification results (see Sections 2.2 and 3.5, Fig. 2, and Table 2). (c) We provide a more detailed comparison with BLINC (see Section 3.3 and Fig. 8). (d) We include additional experiments showing how Graption can be used to detect previously unknown traffic (see Section 3.4). 4.1. Traffic classification As an alternative to port-based methods, some work use payload [30,28]. Other approaches use machine learning (ML) algorithms to classify traffic using flow features (e.g., packet sizes). For an exhaustive list and comparison of ML algorithms we refer the reader to [32,26]. The problem of training a ML algorithm on one trace and applying it on another was recently addressed in [37]. Even though supervised solutions to traffic classification are continuously improving, all supervised methods require per application training and will thus not detect traffic from new applications. Our work has more in common with unsupervised methods which group similar flows together. All previous methods [3,29,10] require manual labeling of clusters. Our work bridges this gap by providing a method to automatically label clusters of flows based on their network-wide behavior. In BLINC [25], the authors characterize the connection patterns (e.g., if it behaves like using P2P) of a single host at the transport layer and use these patterns to label the
1918
M. Iliofotou et al. / Computer Networks 55 (2011) 1909–1920
flows of each host. BLINC uses graph models called graphlets to model a host’s connection patterns using port and IP cardinalities. Unlike TDGs, graphlets do not represent network-wide host interaction. In some sense, TDGs represent a further level of aggregation, by aggregating across hosts as well. Thus it is perhaps fair to say that while BLINC hints at the benefit of analyzing the node’s interaction at the ‘‘social’’ level, it ultimately follows a different path that focuses on the behavior of individual nodes. As we show, our approach performs better than BLINC in our backbone traces (see Section 3.3). Similar to BLINC, other host-based methods [2,22] target the identification of P2P users inside a university campus (i.e., network edge). The connection patterns of neighboring host (e.g., their degree distribution) were also used as features to profile network hosts [1]. Unlike Graption-P2P, in [2,22,25,1] they do not use network-wide host interaction. In [7], the authors use a port-based method to identify P2P users, using their temporal appearance and connection patterns in a trace. A different approach to host profiling was introduced by Trestian et al. [36]. They used readily available information from the Web to classify traffic using the Google search engine. They show very good results for classifying flows for legacy application, but their results are not promising for P2P detection because of the dynamic nature of P2P IP hosts. Our method can thus be used to complement the work in [36]. The problem of classifying traffic from applications that use sophisticated obfuscation techniques is the topic in [17]. The solution proposed uses advanced community detection algorithms to group related hosts together. It then requires external seed information about the application used by few hosts in each group in order to classify the entire group. The solution in [17] is very different from this work since it does not classify applications using networkwide behavioral informatio. We believe that Graption-P2P can provide a way to identifying P2P communities without relying on external seeding information. 4.2. Worm detection Graphs have been used for detecting worm activities within enterprise networks [9]. Their main goal was to detect the tree-like communication structure of worm propagation. This characteristic of worms was also used for post-mortem trace analysis (for the identification of the source of a worm outbreak, the so-called patient zero) using backbone traces [39]. More recent studies use graph techniques to detect hit-list worms within an enterprise network, based on the observation that an attacker will alter the connected components in the network [6]. 4.3. Measurements on network-wide interactions Statistical methods are used in [40] for automating the profiling of network hosts and ports numbers. The connectivity behavior and habits of users within enterprise networks is the focus of many papers, including [35]. In [34], the authors study P2P overlays using passive measurements, but target mainly the profiling of P2P hosts. The most resent work on network-wide interactions in by Jin et al. [21]. In their work [21], they use graph-partitioning methods to ex-
tract and study the evolution of smaller communities within a TDG. None of the above papers targets P2P detection.
5. Discussion Enhancing the isolation step. To improve isolation we can enforce payload inspection in addition to port-based filtering. For example, we can test all DNS flows at port 53 to see if they also have a DNS payload signature or if another protocol is tunneling its traffic under the DNS port. If payload is encrypted, then we can choose to use flow-level feature such as packet sizes [26] or whitelisted IP addresses [36]. Applying our framework to other backbone locations. In our study we show that is feasible to correctly identify P2P TDGs from all our backbone traces using a single set of thresholds. In other words, we do not use different classification threshold for each individual trace. Even though TDGs from different locations may have differences between them, in our study, we always find TDGs from the same family (e.g., P2P) to have similar characteristics (e.g., high average degree). In Section 2.2, we explicitly state that our thresholds are not universal. Therefore, it might not always be possible to use exactly the same thresholds to identify particular TDGs in all backbone locations. Nevertheless, our measurements suggest that small adjustments to our simple parameters (see Section 2.2) allow our methodology to work on different backbone links. TDG formation and packet sampling. Packet sampling is used in order to reduce the overhead of processing every single packet by a monitoring system. Sampling effectively reduces the overall number of observed flows by the monitor. Less overall flows translates to fewer observed edges over time when forming TDGs. In our experiments in Section 2.3, we observe that the longer we collect edges for a TDG (i.e., applying a longer observation interval) the number of edges and the stability of metrics increases. With sampling, we believe the curves in Fig. 4 may change. In particular, in order to reduce TDG variability in the presence of sampling, the monitoring interval will need to be increase. Encryption in P2P applications. If an application encrypts all traffic classification methods using payload [33,28,15, 30] will be out-dated. Note, however, that it has been shown before [4] that even if an application encrypts its traffic there are ways to distinguish it from other flows. To show that even in the case where P2P encryption becomes prevalent our framework will still be useful, we also experimented with Graption-P2P-NP using only flow level features and observed good results with recall and precision of above 88% in both traces. Obfuscation of P2P applications at multiple levels. In the future, obfuscation might become more common. In the case where IPsec (encryption up to Layer-4 headers) becomes prevalent, transport layer [24], and host-based [25] methodologies will most likely not work. If P2P protocols start using polymorphic blending methods [12,14] to masquerade their traffic at the packet (e.g., packet sizes) and payload level to resemble a legacy application (e.g., Web), then all current machine learning [32] methods will not work. In such a scenario, TDGs (IP-to-IP graphs) might still prove to be useful because the interaction patterns seem hard to hide.
M. Iliofotou et al. / Computer Networks 55 (2011) 1909–1920
6. Summary and conclusions The underlying theme of our work is to go beyond just monitoring individual packets, flows, or hosts, to also monitoring the interactions of a group of hosts. Towards this end, we introduce TDGs and show their potential to generate novel tools for traffic classification. Based on TDGs, we developed Graption, a graph-based framework, which we then specialize (Graption-P2P) for the detection of P2P applications. We show that Graption-P2P classifies more than 90% of P2P traffic with above 95% precision when tested on real-world backbone traces. While our best results are obtained assuming access to some initial payload bytes, Graption still performs well (90% precision with 88% recall) even when payload is not used. We believe the network-wide characteristics of P2P traffic (e.g., InO, average degree, and diameter) are not as easy to hide without significantly altering P2P functionality.
Acknowledgments This work was supported partly by NSF NECO 0832069, a CISCO URP grant, ARL CTA W911NF-09–2-0053, by NAP of Korea Research Council of Fundamental Science and Technology, and the ITRC support program [NIPA-2010C1090–1011-0004] of MKE/NIPA. Michael Mitzenmacher was supported in part by NSF grant CNS-0721491 and research grant from CISCO. George Varghese was supported by grants from NSF and CISCO. The SDSC’s TeraGrid and compute resources are supported by the NSF grant CONMI CRI-0551542. Support for CAIDA’s Internet traces is provided by the National Science Foundation, the US Department of Homeland Security, and CAIDA Members.
References [1] E.G. Allan, W.H. Turkett, E.W. Fulp, Using network motifs to identify application protocols, in: IEEE GLOBECOM, 2009. [2] G. Barlett, J. Heidemann, C. Papadopoulos, Inherent behaviors of online detection of peer-to-peer file sharing, in: IEEE GI, 2007. [3] L. Bernaille, R. Teixeira, K. Salamatian, Early application identification, in: ACM CoNEXT, 2006. [4] D. Bonfiglio, M. Mellia, M. Meo, D. Rossi, P. Tofanelli, Revealing Skype Traffic: when randomness plays with you, in: ACM SIGCOMM, 2007. [5] CAIDA. http://www.caida.org. [6] M.P. Collins, M.K. Reiter, Hit-List worm detection and bot identification in large networks using protocol graphs, in: RAID, 2007. [7] F. Constantinou, P. Mavrommatis, Identifying known and unknown peer-to-peer traffic, in: IEEE NCA, 2006. [8] DatCat, Internet Measurement Data Catalog. http://www.datcat.org. [9] D. Ellis, J. Aiken, K. Attwood, S. Tenarglia, A behavioral approach to worm detection, in: ACM CCS WORM, 2004. [10] J. Erman, M. Arlitt, A. Mahanti, Traffic classification using clustering algorithms, in: ACM SIGCOMM MineNet, 2006. [11] A. Este, F. Gringoli, L. Slagerelli, On the stability of the information carried by traffic flow features at the packet level, ACM SIGCOMM CCR 39 (3) (2009) 13–18. [12] P. Fogla, M. Sharif, R. Perdisci, O. Kolesnikov, W. Lee, Polymorphic blending attacks, in: USENIX Security Symposium, 2006. [13] A. Gerber, J. Houle, H. Nguyen, M. Roughan, S. Sen, P2P, the Gorilla in the cable, in: National Cable and Telecommunications Association (NCTA), 2003. [14] G. Gu, R. Perdisci, J. Zhang, W. Lee. BotMiner: clustering analysis of network traffic from protocol- and structure-independent botnet detection, in: USENIX Security Symposium, 2008. [15] P. Haffner, S. Sen, O. Spatscheck, D. Wang, ACAS: automated construction of application signatures, in: ACM SIGCOMM MineNet, 2005.
1919
[16] M. Iliofotou, M. Faloutsos, M. Mitzenmacher, Exploiting dynamicity in graph-based traffic analysis: techniques and applications, in: ACM CoNEXT, 2009. [17] M. Iliofotou, B. Gallagher, G. Xie, T. Eliassi-Rad, M. Faloutsos, Profiling-by-association: a resilient traffic profiling solution for the internet backbone, in: ACM CoNEXT, 2010. [18] M. Iliofotou, H. Kim, P. Pappu, M. Faloutsos, M. Mitzenmacher, G. Varghese, Graph-based P2P traffic classification at the internet backbone, in: IEEE GI, 2009. [19] M. Iliofotou, P. Pappu, M. Faloutsos, M. Mitzenmacher, S. Singh, G. Varghese, Network monitoring using traffic dispersion graphs (TDGs), in: ACM IMC, 2007. [20] IPOQUE – Bandwidth Management with Deep Packet Inspection, Internet Study: The Impact of P2P File Sharing, Voice over IP, Instant Messaging, One-Click Hosting and Media Streaming on the Internet, 2009. [21] Y. Jin, S. Esam, Z.L. Zhang, Unveiling core network-wide communication patterns through application traffic activity graph decomposition, in: ACM SIGMETRICS, 2009. [22] W. John, S. Tafvelin, Heuristics to classify internet backbone traffic based on connection patterns, in: IEEE ICOIN, 2008. [23] T. Karagiannis, A. Broido, N. Brownlee, K. Claffy, M. Faloutsos, Is P2P dying or just hiding? in: IEEE GLOBECOM, 2004. [24] T. Karagiannis, A. Broido, M. Faloutsos, K. claffy, Transport layer identification of P2P traffic, in: ACM IMC, 2004. [25] T. Karagiannis, K. Papagiannaki, M. Faloutsos, BLINC: multi-level traffic classification in the dark, in: ACM SIGCOMM, 2005. [26] H. Kim, K. Claffy, M. Fomenkov, D. Barman, M. Faloutsos, K. Lee, Internet traffic classification demystified: myths, caveats, and the best practices, in: ACM CoNEXT, 2008. [27] C. Labovitz, S. Lekel-johnson, J. Oberheide, F. Jahanian, Internet interdomain traffic, in: ACM SIGCOMM, 2010. [28] J. Ma, K. Levchenko, C. Kreibich, S. Savage, G.M. Voelker, Unexpected means of protocol inference, in: ACM IMC, 2006. [29] A. McGregor, M. Hall, P. Lorier, J. Brunskill, Flow clustering using machine learning techniques, in: PAM, 2004. [30] A. Moore, K. Papagiannaki, Toward the accurate identification of network applications, in: PAM, 2005. [31] M.E.J. Newman, The structure and function of complex networks, SIAM Review 45 (2003) 167. [32] T.T.T. Nguyen, G. Armitage, A survey of techniques for internet traffic classification using machine learning, IEEE Communications Surveys and Tutorials, 4th ed., March, 2008. [33] S. Sen, O. Spatscheck, D. Wang, Accurate, scalable in-network identification of p2p traffic using application signatures, in: WWW, 2004. [34] S. Sen, J. Wang, Analyzing peer-to-peer traffic across large networks, IEEE/ACM Transaction on Networking 12 (2) (2004) 219–232. [35] G. Tan, M. Poletto, J. Guttag, F. Kaashoek, Role classification of hosts within enterprise networks based on connection patterns, in: USENIX Annual Technical Conference, 2003. [36] I. Trestian, S. Ranjan, A. Kuzmanovic, A. Nucci, Unconstrained endpoint profiling (Googling the Internet), in: ACM SIGCOMM, 2008. [37] G. Urvoy-Keller, T. En-Najjary, Challenging statistical classification for operational usage: the ADSL case, in: ACM IMC, 2009. [38] I.H. Witten, E. Frank, Data Mining: Practical Machine Learning Tools and Techniques, 2nd ed., Morgan Kaufman, 2005. [39] Y. Xie, V. Sekar, D. Maltz, M. Reiter, H. Zhan, Forensic analysis of epidemic attacks in federated networks, in: IEEE ICNP, 2006. [40] K. Xu, Z. Zhang, S. Bhattacharyya, Profiling internet backbone traffic: behavior models and applications, in: ACM SIGCOMM, 2005.
Marios Iliofotou received the B.S. degree in Electrical and Computer Engineering from the Technical University of Crete, in Greece, and the M.S. and Ph.D. degree in Computer Science from the University of California, Riverside, in 2007 and 2011, respectively. His current research investigates the effectiveness of graph-based algorithms for managing and protecting large IP networks. During the course of his Ph.D., Marios has worked as an intern at Microsoft Research in Cambridge, Telefonica Research in Barcelona, the Lawrence Livermore National Laboratory, Narus, and Cisco Systems.
1920
M. Iliofotou et al. / Computer Networks 55 (2011) 1909–1920
Hyun-chul Kim is an assistant professor in the School of Computer Science and Engineering at Seoul National University. His research interests include content-centric networking, measurement, analysis and modeling of Internet traffic and topology, and user behavior patterns in a variety of largescale applications such as IPTV, VoD, VoIP, P2P file sharing, massively multi-player online role-playing games (MMORPGs), and the Web. Kim received his Ph.D. in computer science from the Korean Advanced Institute of Science and Technology (KAIST).
Michalis Faloutsos is a faculty member at the Computer Science Department in University of California, Riverside. He got his bachelor’s degree at the National Technical University of Athens and his M.Sc and Ph.D. at the University of Toronto. His interests include, Internet protocols and measurements, peer-to-peer networks, network security, BGP routing, and ad-hoc networks. He is actively involved in the community as a reviewer and a TPC member in many conferences and journals. With his two brothers, he co-authored the paper on powerlaws of the Internet topology SIGCOMM’99, which is one of the top ten most cited papers of 1999. His most recent work on peerto-peer measurements have been widely cited in popular printed and electronic press such as slashdot, ACM Electronic News, USA Today, and Wired. Most recently he has focused on the classification of traffic and identification of abnormal network behavior. He also works in the area of Internet routing (BGP), and ad hoc networks routing, and network security, with emphasis on routing.
Michael Mitzenmacher is a Professor of Computer Science in the School of Engineering and Applied Sciences at Harvard University. He graduated summa cum laude with a B.A. in mathematics and computer science from Harvard in 1991. After studying mathematics for a year in Cambridge, England, on the Churchill Scholarship, he obtained his Ph. D. in computer science at U.C. Berkeley in 1996. His work on low-density parity-check codes shared the 2002 IEEE Information Theory Society Best Paper Award and won the 2009 ACM SIGCOMM Test of Time Award. His textbook on randomized algorithms and probabilistic tech-
niques in computer science was published in 2005 by Cambridge University Press.
Prashanth Pappu received his Doctor of Science degree from Washington University in St. Louis where his research was focused on design of scalable routers and included QoS architectures, packet lookup and scheduling algorithms. Later, he was a Technical Leader at Cisco Systems where he led the design of Cisco’s data center, storage and Ethernet switches. He’s currently the Director of Product Management at Conviva Inc. that is creating a real-time, viewer-centric platform for delivering the highest resolution, broadcast quality video on the Internet.
George Varghese worked at DEC for several years designing DECNET protocols and products (bridge architecture, Gigaswitch) before obtaining his Ph.D. in 1992 from MIT. He worked from 1993–1999 at Washington University. He joined UCSD in 1999, where he currently is a professor of computer science. He won the ONR Young Investigator Award in 1996, and was elected to be a Fellow of the Association for Computing Machinery (ACM) in 2002. Together with colleagues, he has 16 patents awarded in the general field of Network Algorithmics. Several of the algorithms he has helped develop have found their way into commercial systems including Linux (timing wheels), the Cisco GSR (DRR), and Microsoft Windows (IP lookups). He also helped design the lookup engine for Procket’s 40 Gbps forwarding engine. He has written a book on building fast router and endnode implementations called ‘‘Network Algorithmics’’, which was published in December 2004 by Morgan-Kaufman. In May 2004, he co-founded NetSift Inc., where he was the President and CTO. NetSift was acquired by Cisco Systems in 2005. From Aug 2005 to Aug 2006, he worked at Cisco Systems to help equip future routers and switches to detect traffic patterns for measurement and security.