A multiple-stage classifier for identifying unknown Internet traffic

Accurate and timely classification of network traffic has received a lot of attention recently due to its important roles in many subjects such as QoS provisioning, traffic engineering, network intrusion detection and prevention. In this paper, we present a multiple-stage framework to classify the unknown network traffic in which we first use the well-known port numbers and static payload signatures to identify the most popular network applications and then a deep payload inspection technique is proposed to classify those applications with ephemeral connections. For the rest unknown traffic we applied the traditional k-means algorithm to classify them into existing known application communities. During the experimental evaluation, we verify our algorithm with the network flows collected on a campus-wide WiFi ISP network over one hour and evaluation results show a high detection accuracy approaching to 97%.