Two-phased network traffic classification method for quality of service management

Identification of network traffic is crucial in network management and monitoring purposes. Nowadays port based and payload based classification methods have become inadequate as many applications use dynamically allocated port numbers, masquerade to be another application by using some standard port number or use encryption to avoid detection. Recent studies propose an alternative technique for network traffic classification utilizing statistical characteristics of network flows in classification. Most of these studies focus on classifying flows when flows have finished. This kind of classification is not sufficient for quality of service management purposes, therefore network flows have to be classified as early as possible. This paper introduces a two-phased classification method which is capable of classifying network flows early in the connection and providing a secondary classification phase to improve the classification accuracy. A simple K-Means clustering technique is utilized in both classification phases. The classifier was trained and evaluated using manually generated training and evaluation datasets. According to the results two-phased classifier classified 97.8% of target applications correctly and was able to detect untrained application flows at high precision. Also individual classification phases produced high overall accuracies and precise detections of unknown traffic. (6 refs.)