A Heuristic-Based Co-clustering Algorithm for the Internet Traffic Classification

Classifying network traffic in a real-time fashion on large-scale communication networks has been extensively studied in recent years due to its importance in many areas such as network security, QoS provisioning, and network management. To address this issue, port numbers and packet payload signatures have been widely used in many existing traffic classification tools. They, however, are far away from completed due to for example the increase of new Internet applications and traffic encryption. In this paper, we propose a hybrid framework to classify the Internet traffic, combining a classifier based on the well-known port numbers and packet payload signatures, and a novel heuristic-based co-clustering algorithm for classifying the leftover unknown Internet traffic. Taking advantage of a fast unsupervised co-clustering algorithm with simple flow-based features, our traffic classifier can perform a real-time computing online for application discovery on the Internet. Experimental evaluations with over 200,000 network flows collected over two consecutive days on a large-scale WiFi ISP show that the proposed approach successfully classifies a large portion of the Internet traffic missed by the signature based classifier while also reducing the false alarm rate.