Title :
A self-learning stateful application identification method for Deep Packet Inspection
Author_Institution :
Samsung India Software Oper. (SISO), Bangalore, India
Abstract :
With advanced data communication techniques, Internet service providers face a big problem in managing heavy P2P and VoIP traffic on their networks. Deep Packet Inspection (DPI) is one of the techniques used to inspect and classify application traffic. There are various existing methods (port-based, payload-based, statistical analysis, time-based behavior, etc.) for identifying application traffic using DPI. However, each method has its own advantages and limitations. This paper suggests a composite self-learning DPI method that identifies application flows using correlated flows and statistical analysis. It is observed that most application flows have one or more correlated flows that can easily be identified by existing methods. Our approach uses this property. While an unidentified flow is being observed, it keeps information about the identified flows found during that observation. Once a sufficient number of records has been found, it can correlate the unidentified flow with the corresponding identified flows and conclude that the unidentified flow is part of the application of one of those identified flows. Many applications change the behavior of one of their flows in newer versions. Since all other flows from that application can be detected using the old signature, the newer unidentified flow can easily be correlated with them. This method can add the newly identified flow vector to the statistical engine in real time, thus updating the statistical data set without manual analysis and tagging. The test results indicate that this method is accurate and that it identifies traffic with a high degree of reliability.
Keywords :
Internet telephony; data communication; inspection; peer-to-peer computing; statistical analysis; telecommunication traffic; vectors; Internet service providers; P2P traffic; VoIP traffic; correlated flows; data communication techniques; deep packet inspection; degree of reliability; flow vector; self-learning stateful application identification method; Correlation; Cryptography; Databases; Protocols; Training; YouTube; DPI; Stateful Application identification
Conference_Title :
Computing Technology and Information Management (ICCM), 2012 8th International Conference on
Conference_Location :
Seoul
Print_ISBN :
978-1-4673-0893-9