An empirical study of morphing on behavior-based network traffic classification

Authors

  • Buyun Qu,

    Corresponding author
    1. Institute of Computing Technology, Chinese Academy of Sciences, Beijing, China
    2. University of Chinese Academy of Sciences, Beijing, China
    3. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
    4. National Engineering Laboratory for Information Security Technologies, Beijing, China
    • Correspondence: Buyun Qu, Building A3, No. 89A, Minzhuang Road, Haidian District, Beijing, China. 100093

      E-mail: buyun.qu@gmail.com

  • Zhibin Zhang,

    1. Institute of Computing Technology, Chinese Academy of Sciences, Beijing, China
  • Xingquan Zhu,

    1. Faculty of Eng. & Info. Technology, University of Technology, Sydney, Australia
  • Dan Meng

    1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

ABSTRACT

With the rapid advancement of traffic classification techniques, a countermeasure against them called network traffic morphing, which aims at masking traffic to degrade the performance of traffic identification and classification, has emerged. Although several morphing strategies have been proposed as promising approaches, very few works have investigated their impact on actual traffic classification performance. This work sets out to fill this gap through an empirical study. It considers different morphing strategies applied to packet size (PS) and/or inter-arrival time (IAT) and evaluates them by simulation. The impact is evaluated using three popularly used classification algorithms, C4.5, Support Vector Machines, and Naïve Bayes, with various performance metrics considered. The results show that not all morphing strategies can effectively thwart traffic classification. Different morphing strategies perform distinctively in degrading traffic identification, among which the integration of PS and IAT morphing is the best, and the PS-based method alone is the worst. Furthermore, the three classifiers also exhibit distinct robustness to the morphing, with C4.5 being the most robust and Naïve Bayes being the weakest. Finally, our study shows that classifiers can learn nontrivial information merely from the traffic direction patterns, which partially explains the weak protection of PS-based morphing methods because they fail to take the direction patterns into consideration. Copyright © 2013 John Wiley & Sons, Ltd.
