Independent Comparison of Popular DPI Tools for Traffic Classification

Tomasz Bujlow, Valentín Carela-Español, Pere Barlet-Ros

Research output: Contribution to journal › Journal article › Research › peer-review

49 Citations (Scopus)
319 Downloads (Pure)

Abstract

Deep Packet Inspection (DPI) is the state-of-the-art technology for traffic classification. According to the conventional wisdom, DPI is the most accurate classification technique. Consequently, most popular products, either commercial or open-source, rely on some sort of DPI for traffic classification. However, the actual performance of DPI is still unclear to the research community, since the lack of public datasets prevents the comparison and reproducibility of their results. This paper presents a comprehensive comparison of 6 well-known DPI tools, which are commonly used in the traffic classification literature. Our study includes 2 commercial products (PACE and NBAR) and 4 open-source tools (OpenDPI, L7-filter, nDPI, and Libprotoident). We studied their performance in various scenarios (including packet and flow truncation) and at different classification levels (application protocol, application and web service). We carefully built a labeled dataset with more than 750K flows, which contains traffic from popular applications. We used the Volunteer-Based System (VBS), developed at Aalborg University, to guarantee the correct labeling of the dataset. We released this dataset, including full packet payloads, to the research community. We believe this dataset could become a common benchmark for the comparison and validation of network traffic classifiers. Our results present PACE, a commercial tool, as the most accurate solution. Surprisingly, we find that some open-source tools, such as nDPI and Libprotoident, also achieve very high accuracy.

Original language: English
Journal: Computer Networks
Volume: 76
Issue number: 0
Pages (from-to): 75-89
Number of pages: 15
ISSN: 1389-1286
DOI: 10.1016/j.comnet.2014.11.001
Publication status: Published - 2015

Fingerprint

Inspection
Web services
Labeling
Classifiers
Network protocols

Cite this

Bujlow, Tomasz; Carela-Español, Valentín; Barlet-Ros, Pere / Independent Comparison of Popular DPI Tools for Traffic Classification. In: Computer Networks. 2015; Vol. 76, No. 0. pp. 75-89.

@article{aa00004ba9f54bddaf09a98b9a5f6686,
title = "Independent Comparison of Popular DPI Tools for Traffic Classification",
abstract = "Deep Packet Inspection (DPI) is the state-of-the-art technology for traffic classification. According to the conventional wisdom, DPI is the most accurate classification technique. Consequently, most popular products, either commercial or open-source, rely on some sort of DPI for traffic classification. However, the actual performance of DPI is still unclear to the research community, since the lack of public datasets prevent the comparison and reproducibility of their results. This paper presents a comprehensive comparison of 6 well-known DPI tools, which are commonly used in the traffic classification literature. Our study includes 2 commercial products (PACE and NBAR) and 4 open-source tools (OpenDPI, L7-filter, nDPI, and Libprotoident). We studied their performance in various scenarios (including packet and flow truncation) and at different classification levels (application protocol, application and web service). We carefully built a labeled dataset with more than 750K flows, which contains traffic from popular applications. We used the Volunteer-Based System (VBS), developed at Aalborg University, to guarantee the correct labeling of the dataset. We released this dataset, including full packet payloads, to the research community. We believe this dataset could become a common benchmark for the comparison and validation of network traffic classifiers. Our results present PACE, a commercial tool, as the most accurate solution. Surprisingly, we find that some open-source tools, such as nDPI and Libprotoident, also achieve very high accuracy.",
author = "Tomasz Bujlow and Valent{\'i}n Carela-Espa{\~n}ol and Pere Barlet-Ros",
year = "2015",
doi = "10.1016/j.comnet.2014.11.001",
language = "English",
volume = "76",
pages = "75--89",
journal = "Computer Networks",
issn = "1389-1286",
publisher = "Elsevier",
number = "0",

}

Independent Comparison of Popular DPI Tools for Traffic Classification. / Bujlow, Tomasz; Carela-Español, Valentín; Barlet-Ros, Pere.

In: Computer Networks, Vol. 76, No. 0, 2015, p. 75-89.

TY - JOUR

T1 - Independent Comparison of Popular DPI Tools for Traffic Classification

AU - Bujlow, Tomasz

AU - Carela-Español, Valentín

AU - Barlet-Ros, Pere

PY - 2015

Y1 - 2015

AB - Deep Packet Inspection (DPI) is the state-of-the-art technology for traffic classification. According to the conventional wisdom, DPI is the most accurate classification technique. Consequently, most popular products, either commercial or open-source, rely on some sort of DPI for traffic classification. However, the actual performance of DPI is still unclear to the research community, since the lack of public datasets prevent the comparison and reproducibility of their results. This paper presents a comprehensive comparison of 6 well-known DPI tools, which are commonly used in the traffic classification literature. Our study includes 2 commercial products (PACE and NBAR) and 4 open-source tools (OpenDPI, L7-filter, nDPI, and Libprotoident). We studied their performance in various scenarios (including packet and flow truncation) and at different classification levels (application protocol, application and web service). We carefully built a labeled dataset with more than 750K flows, which contains traffic from popular applications. We used the Volunteer-Based System (VBS), developed at Aalborg University, to guarantee the correct labeling of the dataset. We released this dataset, including full packet payloads, to the research community. We believe this dataset could become a common benchmark for the comparison and validation of network traffic classifiers. Our results present PACE, a commercial tool, as the most accurate solution. Surprisingly, we find that some open-source tools, such as nDPI and Libprotoident, also achieve very high accuracy.

U2 - 10.1016/j.comnet.2014.11.001

DO - 10.1016/j.comnet.2014.11.001

M3 - Journal article

VL - 76

SP - 75

EP - 89

JO - Computer Networks

JF - Computer Networks

SN - 1389-1286

IS - 0

ER -