Please use this identifier to cite or link to this item: https://dspace.iiti.ac.in/handle/123456789/1911
Full metadata record
DC Field | Value | Language
dc.contributor.advisor | Hubballi, Neminath | -
dc.contributor.author | Swarnkar, Mayank | -
dc.date.accessioned | 2019-10-25T06:08:20Z | -
dc.date.available | 2019-10-25T06:08:20Z | -
dc.date.issued | 2019-09-30 | -
dc.identifier.uri | https://dspace.iiti.ac.in/handle/123456789/1911 | -
dc.description.abstract | Deep Packet Inspection (DPI) is a commonly used network traffic monitoring technique which finds applications in variety of network management activities. Two prominent use cases of DPI are in traffic classification and security monitoring. DPI based traffic monitoring techniques screen the payload or content within network packets to identify applications and detect security issues like worm breakouts. Network management activities based on DPI are known to be accurate and at the same time computationally expensive. In this thesis, we seek to design effective DPI based network traffic monitoring methods for three tasks - traffic classification, zero day attack detection in web traffic and detecting spam users in Voice over Internet Protocol (VoIP) network. DPI based traffic classification methods generate application signatures using invariant payload content. Both supervised and unsupervised methods are proposed in the literature for this task. We propose three DPI based traffic classification methods namely RDClass, BitCoding and BitProb in this thesis. RDClass is an unsupervised traffic classifier which automatically identifies a set of keywords for an application when presented with unknown network flows. It finds the relative distance between identified keywords to generate application specific signatures. RDClass is designed to handle only text based protocols as it requires identifying meaningful keywords from network flows. BitCoding and BitProb are supervised traffic classification methods proposed to handle all types of application protocols (text, binary, open standard and proprietary). These two methods generate application specific bit level signatures by identifying invariant bits from network flows of a particular application. We experiment with two publicly available datasets and one private dataset containing traffic of a variety of applications and show that these methods can classify applications with very high accuracy.
Detecting zero day attacks is usually done with payload based anomaly detection systems. We propose two DPI based anomaly detection methods, Rangegram and OCPAD, to detect zero day attacks in web traffic. Rangegram and OCPAD generate short sequences from benign application packet payloads and find deviations in occurrence range or probability of short sequences to identify anomalous packets (attacks). We evaluate the detection performance of both the detection methods with few HTTP based attacks and show that they can detect anomalies in the web traffic accurately. We propose a DPI based method SpamDetector to detect VoIP spam callers. It uses DPI to extract a set of call related parameters from Session Initiation Protocol (SIP) packets. Using these call parameters, it generates a directed weighted graph representing social interaction among the users. SpamDetector identifies nodes which are different from their local neighborhood as anomaly and hence as spam users. We evaluate the detection performance of SpamDetector with a large simulated user base and show that it can detect the spam users with a good detection rate. | en_US
dc.language.iso | en | en_US
dc.publisher | Department of Computer Science and Engineering, IIT Indore | en_US
dc.relation.ispartofseries | TH234 | -
dc.subject | Computer Science and Engineering | en_US
dc.title | Deep packet inspection applications for traffic classification and security monitoring | en_US
dc.type | Thesis_Ph.D | en_US
Appears in Collections: Department of Computer Science and Engineering_ETD

Files in This Item:
File | Description | Size | Format
TH_234_mayank Swarnkar_1401101001.pdf | | 7.22 MB | Adobe PDF


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.
