BitCoding: Protocol type agnostic robust bit level signatures for traffic classification

Abstract

Traffic classification has received considerable interest as many network applications use obfuscation methods to hide their identity and bypass security. Traditionally application signatures are generated using byte level content of application flows. Increasingly new data formats are used to encode the application protocols which render the byte level signatures ineffective in identifying applications. To address this issue we propose BitCoding a bit-level application signature generation using invariant bits of application flows. Unlike other works, BitCoding uses only a small number of initial bits of flows to generate signature and signature bits are encoded using run length coding to reduce size; hence it is very inexpensive in storage and is light weight for signature matching. We evaluate BitCoding using three different datasets and show that it is able to classify both text based and binary protocols with high accuracy, making it protocol type agnostic. Further we perform cross evaluation of signatures generated to understand the portability of signatures generated to other sites and conclude that it will lead to a small compromise in the detection rate. © 2017 IEEE.