Publication Details

Traffic Classification and Application Identification in Network Forensics

PLUSKAL Jan, LICHTNER Ondrej and RYŠAVÝ Ondřej. Traffic Classification and Application Identification in Network Forensics. In: Fourteenth Annual IFIP WG 11.9 International Conference on Digital Forensics. New Delhi: Springer International Publishing, 2018, pp. 161-181. ISBN 978-3-319-99277-8. ISSN 1868-4238.
Czech title
Klasifikace síťového provozu i komunikujících aplikací v síťové forenzní analýze
Type
conference paper
Language
english
Authors
Keywords

network forensics, network traffic classification, statistical protocol identification, application identification, application protocol identification, machine learning, random forests, Bayesian classifier

Abstract

Network traffic classification is an absolute necessity for network monitoring, security analysis, and digital forensics. Without accurate traffic classification, computation demands on analysis of all IP flows are enormous. Classification can also reduce the number of flows that need to be analyzed, prioritize, and order them for an investigator to analyze the most forensically significant first. This paper presents an automatic feature elimination method based on a feature correlation matrix. Furthermore, we compare two algorithms adapted from literature, that offer high accuracy and acceptable performance, and our algorithm -- Enhanced Statistical Protocol Identification (ESPI). Each of these algorithms is used with a subset of features that best suits it. We evaluate these algorithms on their ability to identify application layer protocols and additionally applications themselves. Experiments show that the Random Forest based classifier yields the most promising results, whereas our algorithm provides an interesting tradeoff between higher performance and slightly lower accuracy.

Published
2018
Pages
161-181
Journal
IFIP Advances in Information and Communication Technology, vol. 532, no. 1, ISSN 1868-4238
Proceedings
Fourteenth Annual IFIP WG 11.9 International Conference on Digital Forensics
Conference
Fourteenth Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, IN
ISBN
978-3-319-99277-8
Publisher
Springer International Publishing
Place
New Delhi, IN
DOI
UT WoS
000475838900010
EID Scopus
BibTeX
@INPROCEEDINGS{FITPUB11511,
   author = "Jan Pluskal and Ondrej Lichtner and Ond\v{r}ej Ry\v{s}av\'{y}",
   title = "Traffic Classification and Application Identification in Network Forensics",
   pages = "161--181",
   booktitle = "Fourteenth Annual IFIP WG 11.9 International Conference on Digital Forensics",
   journal = "IFIP Advances in Information and Communication Technology",
   volume = 532,
   number = 1,
   year = 2018,
   location = "New Delhi, IN",
   publisher = "Springer International Publishing",
   ISBN = "978-3-319-99277-8",
   ISSN = "1868-4238",
   doi = "10.1007/978-3-319-99277-8",
   language = "english",
   url = "https://www.fit.vut.cz/research/publication/11511"
}
Back to top