
Recognizing the content types of network traffic based on a hybrid DNN-HMM model

Bibliographic Details
Published in: Journal of Network and Computer Applications, 2019-09, Vol. 142, p. 51-62
Main Authors: Tan, Xincheng; Xie, Yi; Ma, Haishou; Yu, Shunzheng; Hu, Jiankun
Format: Article
Language: English
Description
Summary: Protocol identification and application classification for network traffic have been well studied in the past two decades, due to their importance for network management and security defense. One of the challenges for most existing work comes from the onion-like characteristics of modern network traffic, which enable the actual transmission content or service to be disguised by the external protocols or applications and thus to be unrecognizable. In some scenarios, unrecognizable traffic may lead to incorrect network management policies and create favorable conditions for cyber attacks. In contrast to most of the existing research, which merely focuses on the identification of external protocols and applications, in this work we explore a new scheme for recognizing content types from traffic behavior, which does not need to inspect the external protocols or applications. The proposed scheme is based on three mature technologies: the Gaussian mixture model (GMM), the hidden Markov model (HMM) and the deep neural network (DNN). The GMM-HMMs are used to capture the underlying time-varying behavior patterns of network traffic carrying a specific type of content. To eliminate the instability and limitations caused by the general GMM-HMMs, a shared DNN is derived and combined with the trained HMMs to implement the final recognition of the content types of network traffic. We introduce the architecture and rationale of the proposed scheme in detail, derive the algorithms for content recognition, and evaluate its performance against multiple baseline methods on real network traffic. The experimental results not only demonstrate that the proposed scheme is able to accurately and stably recognize the content types of network traffic, but also verify its performance in discriminating similar and short traffic.
ISSN: 1084-8045, 1095-8592
DOI: 10.1016/j.jnca.2019.06.004