| |
Student: Daniel Nechay, M. Eng Student
Researcher: Dr. Yvan Pointurier
Supervisor: Prof. Mark Coates
Description:
Why is Internet Traffic Classification important?
Internet traffic classification involves associating a user-defined class to a traffic flow. With the profileration of applications on the Internet nowadays, there is a need for Internet Service Providers (ISPs) to know what exactly is passing through their network.
With this knowledge, ISPs can enhance their service to their customers in many ways. For one, Quality of Service (QoS) guarantees and Service Level Agreements (SLAs) can be enforced.
To enforce these guarantees and agreements, ISPs can promote or prioritize certain applications (i.e. time-sensitive applications like VoIP) and block or limit harmful traffic to the network (i.e. Peer-to-Peer (P2P) which is known to take large portions of network resources).
Other uses for Internet traffic classification include using the results to help plan network resources (network provisioning) and network security.
Current Internet traffic classification methods can accurately identify network traffic with a high confidence but none so far are able to provide any
hard performance guarantees (this claim is validated in [1]). In this project, a classifier with false alarm rate (FAR) guarantees and a classifier with false discovery rates (FDR) guarantees are proposed.
The FAR for class i is defined by the expected fraction of the flows that do not belong to traffic class i that are incorrectly classified as belonging to i. Providing
a FAR guarantee is important as this can help save network resources. For example, consider that the ISP plans to promote all traffic belonging to class i.
By setting a maximum allowable FAR for this class, the ISP can ensure that network resources won't be wasted on flows that do not belong to this class beyond a certain threshold.
On the other hand, the FDR for class i is defined by the expected fraction of incorrectly classified flows among all traffic flows classified as class i. Classifiers with FDR guarantees would be
used for classes where a certain level of confidence is required in classifying a flow as a particular class. This is critical if the ISP plans to block or limit all flows belonging to this class,
as flows not belonging to this class should not be dropped.
Methodology: The classifier with FAR constraints is implemented using a 2nu-Support Vector Machine (SVM) [2]. A SVM creates an optimal hyperplane that separates the two classes according to the
max-margin principle. The 2nu-SVM differs from a regular SVM as it uses cost-sensitive classification. Cost-sensitive classification allows the user to assign different penalties in misclassifiying the different classes.
Therefore by setting a higher penalty for misclassifying one class, this allows the classifier to focus on trying to classify the points of this class over the other class. Each class can then be considered to have a 'knob' which
adjusts the misclassification penalty for the class and the goal of the classifier is then to tune the 'knobs' to obtain the a classifier that satisfies the FAR constraints while minimizing the overall misclassification rate.
The classifier with FDR constraints is implemented using the Learning to Satisfy (LSAT) framework [3] which is adapted from 2nu-SVM. LSAT is distinguished by being able to satisfy multiple constraints and the output behaviour is only assigned on the solution set. The goal then is to maximize the
set that can satisfy all the constraints specified.
The two classifiers mentioned so far work in the binary setting only. Generally there is more than one class an ISP needs to classify on the network so these classifiers need to be adapted for a multi-class setting. If there are c classes that are present on the network then a chain of c binary
classifiers are used. Each classifier in the chain is then responsible for classifying a particular class. When a flow needs to be classified, it goes down the chain until one of the classifiers says that it belongs to a particular class. If none of the classifiers identify the flow as belonging to its
class, the flow is then identified as 'unknown'. To determine the best classifier, one has to consider the ordering of the classes inside the chain and all the parameters that can be adjusted in the binary classifiers. Minimizing cost functions (that are described in [4]) are used to determine the best classifier for the FAR-constrained classifier and the FDR-constrained classifier.
Experiments: In April 2008, we collected a 24 hour trace from a Canadian ISP. From this trace, we tried to classify 4 applications: HTTP, HTTPS, POP3 and MSN messenger. All other flows are considered 'unknown'. For our experiments, we trained and validated our classifier on flows from the first hour and examined the performance of the classifiers on the remaining 23 hours. For the FAR-constrained classifier we chose a multi-class SVM as the baseline to compare both of our FAR-constrained classifiers.
We then trained two FAR-constrained classifiers: the first classifier had a FAR constraint on HTTP set to 0.4% while the second classifier set a FAR constraint of HTTP flows inside the HTTPS class at 0.02%. Figure 1 shows the overall accuracy for the three classifiers while Figure 2 shows the FAR for HTTP for the baseline classifier and the FAR constrained classifier for the HTTP class.
Figure 3 shows the FAR for the remaining 23 hours for HTTP being classified as HTTPS for the baseline classifier and the FAR constrained classifier with a FAR constraint for HTTP being classified as HTTPS.
 Figure 1
 Figure 2
 Figure 3
The setup was similar for experimenting with the FDR-constrained classifier. We trained a FDR-constrained classifier with a FDR constraint of 5% for the HTTPS. For comparison, we used the same multi-class SVM as a baseline as before. We also compared a unconstrained binary classifier (which used the LSAT framework but with no constraints set).
Figure 4 shows the overall accuracy for all three classifiers while Figure 5 shows the FDR of HTTPS for the remaining 23 hours.
 Figure 4
 Figure 5
Related Publications
[1] T. T. T. Nguyen and G. Armitage, "A survey of techniques for Internet traffic classication using machine learning," IEEE Communications Surveys & Tutorials, vol. 10, no. 4, pp. 56-76, 2008.
[2] M. A. Davenport, R. G. Baraniuk, and C. D. Scott, "Controlling false alarms with support vector machines," in Proc. Int. Conf. Acoustics, Speech, and Signal Proc. (ICASSP), Toulouse, France, May 2006.
[3] F. Thouin, M. J. Coates, B. Erikkson, R. Nowak, and C. Scott, "Learning to Satisfy," in Proc. Int. Conf. Acoustics, Speech, and Signal Proc. (ICASSP), Las Vegas, NV, USA, Apr. 2008.
[4] D. Nechay, Y. Pointurier and M. Coates, Controlling False Alarm/Discovery Rates in Online Internet Traffic Flow Classification, in Proc. IEEE INFOCOM, Rio de Janeiro, Brazil, April 2009. [slides]
|
Return to Internet Traffic Classification Projects