Network application profiling with traffic causality graphs

A network application profiling framework is proposed that is based on traffic causality graphs (TCGs), representing temporal and spatial causality of flows to identify application programs. The proposed framework consists of three modules: the feature vector space construction using discriminative patterns extracted from TCGs by a graph-mining algorithm; a feature vector supervised learning procedure in the constructed vector space; and an application identification program using a similarity measure in the feature vector space. Accuracy of the proposed framework for application identification is evaluated, making use of ground truth packet traces from seven peer-to-peer (P2P) application programs. It is demonstrated that this framework achieves an overall 90.0% accuracy in application identification. Contributions are twofold: (1) using a graph-mining algorithm, the proposed framework enables automatic extraction of discriminative patterns serving as identification features; 2) high accuracy in application identification is achieved, notably for P2P applications that are more difficult to identify because of their using random ports and potential communication encryption. Copyright (C) 2014 John Wiley & Sons, Ltd