On the capabilities of application level traffic measurements to differentiate and classify Internet traffic

The use of network based traffic classification to differentiate aggregate traffic has been introduced with the development of new Internet service architectures, especially with the Differentiated Services. We present measurements and analysis of various packet and flow statistics to aid in classifying or differentiating traffic flows according to the application nature. Our study on methods traffic classification includes the background analysis of traffic traces to detect applications of varying nature by measuring packet inter-arrival times, packet lengths, flow inter-arrival times, and packet and flow shares of total traffic. Most promising results with a single statistic are achieved when classifying traffic based on packet inter-arrival patterns. The interarrival time distributions of packets seem to be able to divide the traffic into two distinguishable classes. However, the division to three or more classes remains as somewhat ambiguous issue and needs further research. However, the results also indicate that no single statistic is able to classify application flows with reasonable certainty but that this might be achieved when several statistics and their analysis results are combined. A good method of increasing the classification result would be to increase the dimensionality of the classification. For instance, combining the classification results of packet IAT and packet length distributions would almost certainly lead to the detection of applications of different nature.