Reconciling Multiple Matches for the Signature-Based Application Identification

Accurate application identification is one of the core elements of network operations and management to provide enhanced network services and security. While the signaturebased approach that examines packet content for identification is attractive with greater accuracy than the traditional technique relying on TCP port numbers, one potential challenge is multiple matches arising when more than a single application identifies the data stream in question. In that case, the input stream cannot be adequately classified solely by the help of the application signatures, and it is necessary to establish an additional process that reconciles such multiple matches in order to make the final identification decision. In this paper, we address the problem of multiple matches by developing a set of selection heuristics that help accurately identify the application associated with the input data stream. The heuristics choose one out of a set of applications using their own unique discrimination function, and the input traffic can be classified into the selected application. Our experimental results with a recent traffic data set show that our proposed method successfully deals with multiple matches, achieving a high degree of identification accuracy up to 99% with respect to precision and recall.