Automatic Payload Signature Update System for Classification of Recent Network Applications

  • Shim, Kyu-Seok (Department of Computer and Information Science, Korea University) ;
  • Goo, Young-Hoon (Department of Computer and Information Science, Korea University) ;
  • Lee, Sung-Ho (Department of Computer and Information Science, Korea University) ;
  • Sija, Baraka D. (Department of Computer and Information Science, Korea University) ;
  • Kim, Myung-Sup (Department of Computer and Information Science, Korea University)
  • Received : 2016.09.27
  • Accepted : 2017.01.13
  • Published : 2017.01.31

Abstract

Today, the growth of applications that make heavy use of network resources has exposed the limits of current traffic classification research for network management. Various studies have sought to address these limits; the representative one is automatic signature generation, which takes application traffic as input and automatically finds and outputs the common patterns in that traffic. However, automatic signature generation is a semi-automatic system in which the user must collect the traffic, so problems can arise in the traffic collection step, and because it includes no verification of the generated signatures, the accuracy of those signatures cannot be trusted. In this paper, we propose a system that automates the entire process of traffic collection, signature generation, signature verification and signature management in order to overcome the limitations of automatic signature generation systems. Applying the proposed method to real traffic on a campus network, the extracted signatures maintained completeness (analysis rate) with no false positives.

As applications that consume network resources increase today, the limits of the current research stage in traffic analysis for network management are becoming apparent. Various studies are under way to resolve these limits; among them, the representative study of automatic signature generation automates the process of taking application traffic as input and finding and outputting the common patterns in that traffic. However, because automatic signature generation is a semi-automatic system in which the user has to collect the traffic, problems can occur in the traffic collection step, and because no verification process for the generated signatures is included, the accuracy of the signatures cannot be trusted. To overcome the limits of automatic signature generation systems, this paper proposes a system in which every step, from traffic collection through signature generation, signature verification and signature management, is carried out automatically. Signatures extracted by applying the proposed method to real traffic on a campus network maintained the analysis rate while bringing the false-positive rate to zero.
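As an added illustration (not the paper's code, and not its actual generation algorithm), the toy pipeline below shows why the verification step the abstract describes matters: a common-substring generator that sees only one application's traffic happily emits a generic HTTP fragment as a signature, and only checking that candidate against the other applications' traffic removes the false positive. The common-substring generator, the `MIN_LEN` threshold and the sample payloads are assumptions made for the example.

```python
from typing import Dict, List, Set

MIN_LEN = 4  # assumed minimum signature length; real systems use far longer patterns

def common_substrings(payloads: List[bytes], min_len: int = MIN_LEN) -> Set[bytes]:
    """Signature generation step (toy version): return the maximal byte
    substrings of length >= min_len that occur in every payload of one app."""
    base = min(payloads, key=len)
    found = set()
    for i in range(len(base)):
        for j in range(i + min_len, len(base) + 1):
            cand = base[i:j]
            if all(cand in p for p in payloads):
                found.add(cand)
    # keep only candidates that are not contained in a longer candidate
    return {c for c in found if not any(c != o and c in o for o in found)}

def generate_signatures(traffic: Dict[str, List[bytes]]) -> Dict[str, Set[bytes]]:
    """Run generation independently per application, as a semi-automatic
    generator would: it sees only that application's own traffic."""
    return {app: common_substrings(pls) for app, pls in traffic.items()}

def verify_signatures(sigs: Dict[str, Set[bytes]], traffic: Dict[str, List[bytes]]) -> Dict[str, Set[bytes]]:
    """Verification step: a signature that also matches another application's
    traffic would produce false positives, so it is discarded."""
    verified = {}
    for app, cands in sigs.items():
        others = [p for a, pls in traffic.items() if a != app for p in pls]
        verified[app] = {s for s in cands if not any(s in p for p in others)}
    return verified

def classify(payload: bytes, sigs: Dict[str, Set[bytes]]) -> List[str]:
    """Return every application whose signature set matches the payload."""
    return [app for app, ss in sigs.items() if any(s in payload for s in ss)]

# Constructed sample payloads (not real captures); two flows per application.
TRAFFIC = {
    "app_a": [b"GET /live/stream?id=1 HTTP/1.1\r\nHost: cdn1.a.example\r\n",
              b"GET /live/stream?id=2 HTTP/1.1\r\nHost: cdn2.a.example\r\n"],
    "app_b": [b"GET /api/msg HTTP/1.1\r\nHost: cdn.b.example\r\n",
              b"GET /api/sync HTTP/1.1\r\nHost: cdn.b.example\r\n"],
}

if __name__ == "__main__":
    raw = generate_signatures(TRAFFIC)
    ok = verify_signatures(raw, TRAFFIC)
    probe = TRAFFIC["app_b"][0]
    print("unverified:", classify(probe, raw))  # ['app_a', 'app_b'] -> false positive
    print("verified:  ", classify(probe, ok))   # ['app_b']
```

The unverified signature set for `app_a` contains the generic fragment `HTTP/1.1\r\nHost: cdn`, which also matches `app_b` traffic; verification drops it and leaves only the application-specific URL prefix and host suffix.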
