Network management without payload inspection: Application classification via statistical analysis of bulk flow data

We describe a statistical approach to application classification from network traffic flows. The packet payloads are not investigated, instead we just derive easy to collect statistics such as packet size, download/upload direction, protocol and interarrival time, along with ip-number:port pairs. Each flow is modeled by a mixture of Markov models. We employ a nonparametric Bayesian approach to identify flow clusters. An important feature of our clustering method is that we don´t have to specify the number of clusters in advance and the model is able to infer new flow types in an unsupervised manner. We illustrate our approach on a real dataset collected from live traffic.