On Accuracy of Early Traffic Classification

The widely employment of traffic encryption, tunneling and other protection/obfuscation mechanisms in modern network applications, prompts the emergence of traffic behavior (i.e., packet direction pattern, size, and inter-arrival time) based classification approaches. Some proposals even demonstrate its potential for on-line early traffic classification - using the first 4-6 data packets at the beginning of a TCP connection to identify the corresponding application. Nevertheless, the related accuracy issues on early classification are still unclear when forged packets exist. The performance of such mechanism under malicious environment, where sophisticated forged data packets injection techniques are presented, had not been addressed. This work aims to touch the above issues, especially when forged packets are inserted before actual application transaction started. Our contributions are two-folded: (1) confirm the discrimination power of early classification as revealed by previous study; (2) explore it´s accuracy vulnerability to forged packets - the experiments on both simulated and real SSH tunnel traces show the accuracy declines when forged packets are injected. Our findings show that the intellective early classification methods still deserve further investigation before actual deployment.