Comparison of Deep Packet Inspection (DPI) Tools for Traffic Classification

Tomasz Bujlow, Valentín Carela-Español, Pere Barlet-Ros

Research output: Book/Report › Report › Research


Abstract

Many tools are now able to classify the traffic in computer networks. Each of these tools claims a certain accuracy, but it is hard to assess which tool is better, because they are tested on various datasets. Therefore, we set out to create a dataset that can be used to test all the traffic classifiers. To do that, we used our system to collect the complete packets from the network interfaces. The packets are grouped into flows, and each flow is collected together with the process name taken from Windows / Linux sockets, so researchers have not only the full payloads but also the information about which application created the flow. The dataset is therefore useful for testing Deep Packet Inspection (DPI) tools, as well as statistical and port-based classifiers. The dataset was created in a fully manual way, which ensures that all the time parameters inside the dataset are comparable with the parameters of usual network data of the same type. The system for collecting the data, as well as the dataset, are made available to the public. Afterwards, we compared the classification accuracy on our dataset of PACE, OpenDPI, NDPI, Libprotoident, NBAR, four different variants of L7-filter, and a statistic-based tool developed at UPC. We performed a comprehensive evaluation of the classifiers at different levels of granularity: application level, content level, and service provider level. We found that the best-performing classifier on our dataset is PACE. Among the non-commercial tools, NDPI and Libprotoident provided the most accurate results, while the worst accuracy was obtained from all 4 versions of L7-filter.
Original language: English
Publisher: Universitat Politècnica de Catalunya
Edition: UPC-DAC-RR-CBA-2013-3
Number of pages: 107
Publication status: Published - 6 Jun 2013

Fingerprint

Inspection
Classifiers
Computer networks
Interfaces (computer)
Statistics
Testing

Keywords

  • DPI
  • traffic classification
  • machine learning
  • network monitoring

Cite this

Bujlow, T., Carela-Español, V., & Barlet-Ros, P. (2013). Comparison of Deep Packet Inspection (DPI) Tools for Traffic Classification. (UPC-DAC-RR-CBA-2013-3 ed.) Universitat Politècnica de Catalunya.