Title :
Detection of illicit traffic based on multiscale analysis
Author :
Rocha, Eduardo ; Salvador, Paulo ; Nogueira, António
Author_Institution :
Inst. de Telecomun., Univ. of Aveiro, Aveiro, Portugal
Abstract :
Recent years have witnessed a huge increase in the number and variety of Internet applications, as well as in the number and diversity of security attacks on network users and systems. Consequently, the need for an accurate mapping of traffic to its corresponding applications has also risen, in order to allow ISPs to provide better Quality-of-Service (QoS) standards, implement traffic engineering methodologies and deploy efficient security strategies. Several approaches have been proposed to identify Internet applications, starting from port-based identification and going on to the detailed analysis of the packet's payload content or the statistical analysis of the generated traffic flows. However, even the most efficient methodologies present some constraints that limit their applicability, namely some confidentiality constraints or difficulties in classifying traffic with unknown behavior. This paper presents a new methodology for traffic classification that relies on the multiscale analysis of the sampled traffic by estimating the multifractal coefficients of the different traffic flows and grouping them, using clustering techniques, according to their multifractal behavior over different time scales. Besides applying this approach to classify traffic from three of the most important Internet protocols, the methodology's efficiency was also tested by identifying two of the most frequent network security attacks.
Keywords :
Internet; pattern classification; pattern clustering; quality of service; sampling methods; statistical analysis; telecommunication security; telecommunication traffic; transport protocols; ISP; Internet protocol; QoS; clustering technique; diversity attack; illicit traffic detection; multifractal coefficient estimation; multiscale analysis; port-based identification; quality-of-service; security attack; statistical analysis; traffic classification; Fractals; IP networks; Internet; Payloads; Protocols; Quality of service; Standards; Statistical analysis; Telecommunication traffic; Testing; Application identification; cluster analysis; licit and illicit applications; multifractal behavior; multiscale analysis; wavelets;
Conference_Title :
Software, Telecommunications & Computer Networks, 2009. SoftCOM 2009. 17th International Conference on
Conference_Location :
Hvar
Print_ISBN :
978-1-4244-4973-6
Electronic_ISBN :
978-953-290-015-6