Using Network Motifs to Identify Application Protocols

Identifying application types in network traffic is a difficult problem for administrators who must secure and manage network resources, further complicated by the use of encrypted protocols and nonstandard port numbers. This paper takes a unique approach to this problem by modeling and analyzing application graphs, structures which describe the application-level (e.g., HTTP, FTP) communications between hosts. These graphs are searched for motifs: recurring, significant patterns of interconnections that can be used to help determine the network application in use. Motif-based analysis has been applied predominantly to biological networks to hypothesize key functional regulatory units, but never to network traffic as it is here. For the proposed method, a description of each node is generated based on its participation in statistically significant motifs. These descriptions, or profiles, are data points in multidimensional space that are used as input to a k-nearest neighbor (k-NN) classifier to predict the application. This work also compares the performance of motif-based analysis to an alternative profile type based on "traditional" graph measures such as path lengths, clustering coefficients and centrality measures. The results show that motif profiles perform better than traditional profiles, and are able to correctly identify the actions of 85% of the hosts examined across seven protocols.