Stochastic Traffic Identification for Security Management: eDonkey Protocol as a Case Study

  • Rafael A. Rodríguez-Gómez
  • Gabriel Maciá-Fernández
  • Pedro García-Teodoro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)


Traffic identification is a relevant issue for network operators nowadays. As P2P services are often used as an attack vector, Internet Service Providers (ISPs) and network administrators are interested in modeling the traffic transported on their networks with behavior identification and classification purposes. In this paper, we present a stochastic detection approach, based on the use of Markov models, for classifying network traffic to trigger subsequent security related actions. The detection system works at flow level considering the packets as incoming observations, and is capable of analyze both plain and encrypted communications. After suggesting a general structure for modeling any network service, we apply it to eDonkey traffic classification as a case study.

After successfully evaluating our approach with real network traces, the experimental results evidence the way our methodology can be used to model normal behaviors in communications for a given target service.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Jin, Y., Duffield, N., Erman, J., Haffner, P., Sen, S., Zhang, Z.L.: A Modular Machine Learning System for Flow-Level Traffic Classification in Large Networks. ACM Trans. Knowl. Discov. Data 6(1), 4:1–4:34 (2012)Google Scholar
  2. 2.
    Chen, H., Zhou, X., You, F., Wang, C.: Study of Double-Characteristics-Based SVM Method for P2P Traffic Identification. In: 2010 Second International Conference on Networks Security Wireless Communications and Trusted Computing (NSWCTC), vol. 1, pp. 202–205 (April 2010)Google Scholar
  3. 3.
    Callado, A., Kamienski, C., Szabo, G., Gero, B., Kelner, J., Fernandes, S., Sadok, D.: A Survey on Internet Traffic Identification. IEEE Communications Surveys & Tutorials 11(3), 37–52 (2009)CrossRefGoogle Scholar
  4. 4.
    Dainotti, A., Pescape, A., Claffy, K.: Issues and future directions in traffic classification. IEEE Network 26(1), 35–40 (2012)CrossRefGoogle Scholar
  5. 5.
    Dahmouni, H., Vaton, S., Rossé, D.: A markovian signature-based approach to IP traffic classification. In: Proceedings of the 3rd Annual ACM Workshop on Mining Network Data, MineNet 2007, pp. 29–34. ACM, New York (2007)CrossRefGoogle Scholar
  6. 6.
    Wright, C.V., Monrose, F., Masson, G.M.: On Inferring Application Protocol Behaviors in Encrypted Network Traffic. J. Mach. Learn. Res. 7, 2745–2769 (2006)MathSciNetzbMATHGoogle Scholar
  7. 7.
    Dainotti, A., de Donato, W., Pescape, A., Salvo Rossi, P.: Classification of Network Traffic via Packet-Level Hidden Markov Models. In: Global Telecommunications Conference, IEEE GLOBECOM 2008, pp. 1–5. IEEE (November 2008)Google Scholar
  8. 8.
    Markov, A., Nagorny, N.: The theory of algorithms. Mathematics and its applications: Soviet series. Kluwer Academic Publishers (1988)Google Scholar
  9. 9.
    Dymarski, P.: Hidden Markov Models, Theory and Applications. InTech (2011)Google Scholar
  10. 10.
    Fink, G.: Markov models for pattern recognition: from theory to applications. Springer (2008)Google Scholar
  11. 11.
    Forney, G.J.: The Viterbi algorithm. Proceedings of the IEEE 61(3), 268–278 (1973)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Baum, L.E., Petrie, T., Soules, G., Weiss, N.: A Maximization Technique Occurring in the Statistical Analysis of Probabilistic Functions of Markov Chains. The Annals of Mathematical Statistics 41(1), 164–171 (1970)MathSciNetzbMATHCrossRefGoogle Scholar
  13. 13.
    Thompson, K., Miller, G., Wilder, R.: Wide-area Internet traffic patterns and characteristics. IEEE Network 11(6), 10–23 (1997)CrossRefGoogle Scholar
  14. 14.
    Feldmann, A.: Characteristics of TCP Connection Arrivals. Technical memorandum, AT&T Labs Research (1998)Google Scholar
  15. 15.
    Johnson, R.A., Wichern, D.W. (eds.): Applied multivariate statistical analysis. Prentice-Hall, Inc., Upper Saddle River (1988)zbMATHGoogle Scholar
  16. 16.
    AMULE: aMule, (last accessed: January 2013)
  17. 17.
    OpenDPI: OpenDPI, (last accessed: January 2013)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Rafael A. Rodríguez-Gómez
    • 1
  • Gabriel Maciá-Fernández
    • 1
  • Pedro García-Teodoro
    • 1
  1. 1.Department of Signal Theory, Telematics and Communication, CITIC - ETSIITUniversity of GranadaSpain

Personalised recommendations