Traffic classification

categorization of computer network traffic

Traffic classification is an automated process which categorises computer network traffic into a number of traffic classes according to various parameters, for example port number or protocol.

Classification methods

Classification is achieved by various means.

Port numbers

  • Fast
  • Low resource consumption
  • Supported by many network devices
  • Does not inspect the application-layer payload, so it does not compromise the users' privacy
  • Useful only for the applications and services which use fixed port numbers
  • Easy to evade by changing the port number on the system

Deep Packet Inspection

  • Inspects the actual payload of the packet
  • Detects the applications and services regardless of the port number on which they operate
  • Slow
  • Requires a lot of processing power
  • Signatures must be kept up to date, as the applications change very frequently
  • Encryption makes this method impossible in many cases

A comprehensive comparison of various network traffic classifiers that depend on Deep Packet Inspection is given in Independent Comparison of Popular DPI Tools for Traffic Classification.[1]

Statistical classification

  • Relies on statistical analysis of attributes such as byte frequencies, packet sizes and packet inter-arrival times
  • Very often uses machine learning algorithms such as K-Means, Naive Bayes, C4.5, C5.0, J48 or Random Forest
  • Fast technique (compared to Deep Packet Inspection)
  • Can detect the class of yet unknown applications
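The three methods above (port numbers, Deep Packet Inspection and statistical classification) are shown side by side in the following added example, which is not part of the original article. It runs each method over a few constructed sample flows (the port table, signature list and printable-byte ratio are simplified assumptions chosen for illustration) and reports where the port-based label and the payload-based label disagree, which is the kind of signal an operator uses to notice services running on unexpected ports.

```python
# Constructed sample flows (not real captures): destination port and the
# first bytes of the client payload. Two flows deliberately use ports that
# do not match their payload to show where port-based classification fails.
FLOWS = {
    "web_on_80":   {"dst_port": 80,   "payload": b"GET /index.html HTTP/1.1\r\nHost: a.test\r\n\r\n"},
    "tls_on_443":  {"dst_port": 443,  "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(range(32))},
    "web_on_8080": {"dst_port": 8080, "payload": b"POST /api HTTP/1.1\r\nHost: b.test\r\n\r\n"},
    "ssh_on_443":  {"dst_port": 443,  "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
}

# Assumed (simplified) mapping of well-known ports and payload signatures.
PORT_TABLE = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}
SIGNATURES = [(b"GET ", "http"), (b"POST ", "http"), (b"SSH-", "ssh"), (b"\x16\x03", "tls")]

def classify_by_port(flow):
    """Port-based: cheap, but only knows services on fixed well-known ports."""
    return PORT_TABLE.get(flow["dst_port"], "unknown")

def classify_by_dpi(flow):
    """Deep Packet Inspection: match the payload against signatures; the port is ignored."""
    for prefix, label in SIGNATURES:
        if flow["payload"].startswith(prefix):
            return label
    return "unknown"

def printable_ratio(data):
    """Statistical attribute: share of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)

def classify_statistical(flow, threshold=0.9):
    """Statistical: no signatures, just one byte-frequency attribute.
    Mostly printable bytes suggest a plaintext protocol; few printable
    bytes suggest encrypted or compressed traffic, whatever the protocol."""
    return "plaintext-like" if printable_ratio(flow["payload"]) >= threshold else "encrypted-like"

def classify_all(flows):
    """Run all three classifiers and flag flows whose port label and DPI label disagree."""
    report = {}
    for name, flow in flows.items():
        port, dpi = classify_by_port(flow), classify_by_dpi(flow)
        report[name] = {"port": port, "dpi": dpi, "stat": classify_statistical(flow),
                        "mismatch": port != "unknown" and dpi != "unknown" and port != dpi}
    return report

if __name__ == "__main__":
    for name, result in classify_all(FLOWS).items():
        print(f"{name:12s} {result}")
```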

Implementation

The Linux network scheduler and Netfilter both contain logic to identify and mark or classify network packets.

Typical traffic classes

There are three broad types of network traffic:

  1. Sensitive traffic: Sensitive traffic is traffic the operator has an expectation to deliver on time. This includes VoIP, online gaming, video conferencing, and web browsing.
  2. Best-effort traffic: Best-effort traffic is all other kinds of non-detrimental traffic. This is traffic for which the ISP is not sensitive to Quality of Service metrics (jitter, packet loss, latency). Typical examples are peer-to-peer and email applications.
  3. Undesired traffic: This category is generally limited to the delivery of spam and traffic created by worms, botnets, and other malicious attacks.

Sources

  1. Tomasz Bujlow; Valentín Carela-Español; Pere Barlet-Ros. "Independent Comparison of Popular DPI Tools for Traffic Classification". Computer Networks (in press). Retrieved 2014-11-10.