Respond to a Cisco request for a proposal

Protocol Oblivious (Behavioral) Internet Traffic Classification

Cisco is not currently accepting proposals for this RFP.

Project ID:


RFP-2007-020

Title:


Protocol Oblivious (Behavioral) Internet Traffic Classification

Summary:


Traffic classification is a critical component of many Internet applications, such as traffic control and lawful interception.

Until recently, classification was done mainly by payload inspection, checking for application signatures (strings or regular expressions, message structure, etc.). While this process worked well in the past, it is becoming insufficient due to (1) scalability issues, (2) the increasing difficulty of developing signatures for applications that try to evade detection (e.g., BitTorrent and Skype) or masquerade as another application, and (3) applications and protocols becoming a moving target as they frequently change.

In this RFP we are encouraging research on IP traffic classification methods which are not payload-based. We are interested in classification methods that (1) classify to application families rather than to specific applications (e.g., classify to "Voice" rather than to "GoogleTalk") and (2) are able to correctly classify applications which try to evade detection.

Full Description:


In the last few years, the ability to classify Internet traffic has become a requirement for several applications, for example traffic control (prioritizing browsing over other traffic), lawful interception (which requires recognition of all voice traffic), and general data mining to track end-user behavior.

Until recently, classification was mainly done by inspecting the payload of traffic packets, checking for an application signature (string or regular expressions, message structure, etc.). While payload inspection techniques have worked well in the past, they suffer from two major limitations. First, applications such as Azureus and Skype started using techniques which "provide a completely random-looking header and (optionally) payload to avoid passive protocol identification" [1]. The second limitation is signature development scalability, which impacts the response time of traffic analysis equipment vendors (from the time a new method/protocol is introduced until a signature is implemented). Currently, there are many protocols in use, and new protocols are frequently being introduced, thus making the reactive development of a signature for each new protocol a challenging task.

The purpose of this RFP is to encourage research on non-payload-based methods for two broad tasks: classification of traffic to application families, and classification of specific applications, even if they try to hide or masquerade.

The families of interest include:

  • Voice (e.g., Skype, GoogleTalk, and Yahoo Messenger)
  • Over-The-Top Video, based on P2P (e.g., Joost and Zattoo) or HTTP (e.g., YouTube)
  • Gaming (e.g., PS2 / XBOX, and PC online gaming), though this is a lower priority

The challenge is to develop robust and performance-efficient methods, which can classify the traffic accurately even if the application behavior is dynamic (e.g., changes between versions), and could be used for identifying applications from the same family. The focus is on classification based on the application/host behavior and not on the payload information.

Following are several desired properties of a solution. The algorithm should work in real time and classify traffic soon after a session starts (as opposed to classifying sessions upon termination). The algorithm should be suitable for operation on network equipment inserted at the edge of the network, over links connecting a number of subscribers (e.g., 10,000) to the Internet cloud. In addition, it may be assumed that as a result of the classification, the traffic will be controlled (bandwidth limited, etc.), which may cause traffic patterns of an adaptive application to change.

References

Constraints and other information:


IPR will stay with the University. Cisco expects customary scholarly dissemination of results, and hopes that promising results would be made available to the community without limiting licenses, royalties, or other encumbrances.

Proposal submission:


Cisco is not currently accepting proposals for this RFP.

Questions? Contact: research@cisco.com