Affiliations: [1] Tsinghua National Lab for Information Science and Technology (TNList), Beijing 100084, China; [2] Research Institute of Information Technology (RIIT), Tsinghua University, Beijing 100084, China; [3] Department of Computer Science & Technology, Tsinghua University, Beijing 100084, China; [4] Department of Electrical Engineering, University of Hawaii, Honolulu, HI 96822, USA
Source: Tsinghua Science and Technology, 2012, Issue 3, pp. 344-353 (10 pages); Journal of Tsinghua University (Natural Science Edition, English Edition)
Funding: Supported by the National Natural Science Foundation of China (Nos. 60833004 and 60970002); Prof. Yingfei Dong's current research is supported in part by US NSF (Nos. CNS-1041739, CNS-1120902, CNS-1018971, and CNS-1127875)
Abstract: Traffic classification is critical to effective network management. However, more and more proprietary, encrypted, and dynamic protocols make traditional traffic classification methods less effective. A Message and Command Correlation (MCC) method was developed to identify interactive protocols (such as P2P file sharing protocols and Instant Messaging (IM) protocols) by session analyses. Unlike traditional packet-based classification approaches, this method exploits application session information by clustering packets into application messages which are used for further classification. The efficacy and accuracy of the MCC method were evaluated with real-world traffic, including P2P file sharing protocols Thunder and BitTorrent, and IM protocols QQ and GTalk. The tests show that the false positive rate is less than 3% and the false negative rate is below 8%, and that MCC only needs to check 8.7% of the packets or 0.9% of the traffic. Therefore, this approach has great potential for accurately and quickly discovering new types of interactive application protocols.
Keywords: traffic classification; session; network management; correlation; interactive