A wide range of traffic classification approaches has been proposed in the last few years by the scientific community. However, the development of complete classification architectures that work directly in real-time on high capacity links is limited.
In this page you can download the implementation of the classification procedure of two machine-learning techniques (Naive Bayes with Kernel density estimation and single-class SVM) and a port-based classifier, that uses the port-application mapping file of CoralReef (developed by CAIDA). The two machine-learning classification approches have been chosen so as to represent two extremes in terms of computational complexity. Naive Bayes adopts simple protocol models and it is low-computational, while SVM-based classifier employs more accurate models and shows higher computational requirements. The classifiers are developed adopting the CoMo project infrastructure.
The sources you can download from this page are presented in A. Este, F. Gringoli and L. Salgarelli, On-line SVM traffic classification, TRAC 2011, 2nd International Workshop on TRaffic Analysis and Classification, Jul. 5-8, 2011 (to appear).
For an overview of the CoMo project, please refer to CoMo web page.
In the following Figure we show an example of the ouput. Each line corresponds to a flow identified by the starting timestamp, source IP, destination IP, source port, destination port. We also report the duration, the number of packets and bytes that the system received up to the time the flow is stored with the classification verdicts. The last three columns report the classification output of the port-based, single-class SVM and naive bayesian classifiers. The evaluated trace is an anonymized CAIDA trace (year 2002), source and destination IP addresses have not the original values (as appear in Figure).
SVM and BAYES classifier create a thread for each protocol, exploiting efficiently multi-core architectures.