Classifying Network Traffic Using DPI and DFI

INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME 8, ISSUE 11, NOVEMBER 2019 ISSN 2277-8616

Argha Ghosh, Dr. A. Senthilrajan

Argha Ghosh is currently pursuing Doctor of Philosophy (Ph. D) in computer science in Alagappa University, India, PH-+918145232677.
Dr. A. Senthilrajan is currently working as Professor in Department of Computational Logistics in Alagappa University, India.

Abstract: Nowadays most people use the Internet, and for that reason the Internet is getting crowded with network traffic. Meanwhile, hackers and phishers get their best chance to do their anonymous work comfortably. Managing or handling this much traffic is a big task. So, some techniques are needed to check whether incoming traffic is malicious or not. There are mainly three types of network traffic identification methods: Port Matching, Deep Packet Inspection and Machine Learning. Port matching is the simplest of these and was mainly used in the past. Deep Packet Inspection (DPI) is mainly used in high-speed networks to detect network traffic, and the governments of some countries, such as Egypt and China, use Deep Packet Inspection for better network traffic identification. Machine Learning is mainly used to detect modern-day network traffic, and it has several classification algorithms such as Bayesian identification, Support Vector Machine (SVM), C4.5 and other machine-learning algorithms. This paper proposes a network traffic identification approach using Deep Packet Inspection and Deep Flow Inspection. Besides the above-mentioned identification methods, this paper also focuses on P2P traffic identification, because nowadays almost 60%-80% of traffic comes under P2P traffic.

Index Terms: Deep Packet Inspection, Deep Flow Inspection, Machine Learning, Network Traffic Identification, Port Matching, P2P Traffic Identification.

1 INTRODUCTION

Day by day the Internet is getting more crowded because most people are using it, and without the Internet human life these days is incomplete; for all those reasons network traffic has also increased. Most people want fast identification of network traffic so that common people can continue their surfing, browsing and Internet services in a faster manner. Network Traffic Identification is fruitful for knowing the sender's protocol (WWW, FTP, P2P, etc.), sender's address, sender's port, receiver's address, receiver's port and the size of the payload or packet in the queue, for identifying the content of the payload, and also for identifying the application. Moreover, it is used to check whether anything got changed in between Server and Client or between Sender and Receiver, and to check whether there is any anonymous activity in the middle; if any malicious activity is found, the transmission of the payload or packet queue is stopped before it reaches the client or receiver. In the context of network traffic identification, there are presently three common methods: Port Matching, Deep Packet Inspection and Machine Learning. We describe all three methods briefly in Section IV. Moreover, nowadays 60%-80% of the bandwidth/traffic on the Internet is occupied by P2P traffic. Peer-to-Peer (P2P) traffic is mainly generated by distributed applications like Skype, BitTorrent, Gnutella, eDonkey2000, QQLive, Fasttrack etc. Here, we propose an architecture to identify P2P traffic.

The rest of the paper is organized as follows. Section II discusses the literature survey of previously used techniques to detect P2P traffic. Section III presents DPI and DFI and their differences, characteristics, abilities, and advantages over each other. Section IV provides all three methods of Network Traffic Identification: Port Matching, Deep Packet Inspection and Machine Learning. Section V presents the proposed architecture to identify P2P traffic using DPI and DFI. Section VI provides an evaluation of the proposed architecture, and Section VII concludes the paper with future work.

2 RELATED WORK

Bowen Yang et al. [1] proposed an architecture to identify network traffic using Deep Packet Inspection and Machine Learning. They implement both DPI and Machine Learning to develop a framework to identify network traffic. Liu Zhenxiang et al. [2] proposed a model to identify P2P traffic; they build a recognizer using the Naive Bayes machine learning algorithm to identify P2P traffic. Chunzhi Wang et al. [3] proposed a logical view of DPI and DFI, and they include four modules of DPI and DFI traffic identification and a concurrent view of DPI and DFI. Hongwei Chen et al. [4] proposed a P2P Traffic Identification Model based on DPI and DFI. They compare between Library of DPI Feature and Library of DPI Method, and between Library of DFI Feature and Library of DFI Method, and propose a coordinate module between the DPI Module and the DFI Module for identifying P2P traffic. Hongwei Chen et al. [5] proposed Algorithm Comparison of P2P Traffic Identification based on Deep Packet Inspection. They compare matching algorithms such as the Aho-Corasick (AC) algorithm, the Wu-Manber algorithm and the Set Backward Oracle Matching (SBOM) algorithm. ZebaAtique Shaikh et al. [6] provide an overview of Network Traffic Classification methods, like Payload-Based Traffic Classification, Deep Packet Inspection and Cisco Classification Technologies. Lastly, they present an approach to traffic classification based on Naïve Bayesian and Bayesian Neural Network. Jingyu Wang et al. [7] analyze the characteristics of P2P traffic, then present a traffic identification algorithm and, in the end, evaluate the performance of the traffic identification algorithm on some P2P applications like eMule, pplive, kugoo, etc. Song Yang et al. [8] proposed a traffic flow model for optical network traffic based on content identification, and they provide an analysis of the traffic flow model. Fereshte Dehghani et al. [9] proposed a traffic classification model using a Bayesian algorithm for real-time traffic classification based on statistical and payload content features.

3 DEEP PACKET INSPECTION AND DEEP FLOW INSPECTION

Deep Packet Inspection (DPI) is a real-time network filtering and Internet traffic analyzing technology that mainly works on high-speed network connections. DPI can be implemented in the application layer of the Open System Interconnection (OSI) model. It is called "deep" inspection because the inspection not only includes the packet headers but also covers the packet payloads [10]. Deep Packet Inspection (DPI) technologies are intended to allow network operators to identify precisely the origin and content of each packet of data that passes through the networking hubs [11]. DPI can identify the packet content and packet ID. A classical algorithm for decades, string matching has recently proven useful for deep packet inspection (DPI) to detect intrusions, scan for viruses, and filter Internet content [12]. DPI performs network filtering by examining the signature of the packet payload, either with string matching algorithms like Wu-Manber, Aho-Corasick, and SBOM, or with regular expression matching algorithms, which are used in the NIDS of Snort, Bro and L7-filter in Linux [13].

DPI uses two approaches to collect data packets: Port Mirroring and Optical Splitter. Port mirroring, also known as Switched Port Analyzer (SPAN), is mainly used to monitor the network traffic. It can perform the task of monitoring each incoming packet on one port of a network. An Optical Splitter mainly collects the packet information and is used to send the information of a packet to the network manager. To improve programmability and re-configurability, the hardware intrusion detection system uses a network processor (NP) to perform pattern search using deep packet inspection [14]. DPI is able to detect protocols and applications using three methods: Port Detection, Signature Detection and Heuristics Detection. Other characteristics of a high-performance DPI system include flow-based detection (for TCP, UDP and WAP), support for IPv4 and IPv6, TCP/IP normalization and reassembly, and rules-based metadata extraction [15]. In most

Fig. 1. Domain of Traditional Packet Forwarding and DPI

However, just as DPI uses methods for string matching and expression matching, DFI uses methods like Support Vector Machine (SVM), Neural Network, Bayes Classifier, Decision Tree etc. Intrusion detection, virus scanning, content filtering, instant-messenger management, and peer-to-peer identification all can use string matching for inspection [14]. Malicious behavior detection is generally classified into two levels: packet level and flow level, for which DPI (Deep Packet Inspection) and DFI (Deep Flow Detection) are representatives [18]. DPI and DFI are two processes that support each other in the context of identifying network traffic. Deep packet inspection (DPI) technology thoroughly reads the contents of the IP packet payload [19].

4 NETWORK TRAFFIC IDENTIFICATION METHODS

The term Network Traffic Identification mainly refers to identifying the incoming network traffic that is mainly generated by the network applications
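
Section 3 describes DPI signature detection by multi-pattern string matching (Aho-Corasick is one of the algorithms named) and contrasts it with port detection. The block below is an added example, not code from the paper: it classifies a payload with an Aho-Corasick matcher and falls back to a port table. The signature table, port table, sample payload and all function names are assumptions constructed for illustration.

```python
from collections import deque

# Constructed signature table (assumption): handshake strings of two P2P protocols.
SIGNATURES = {b"\x13BitTorrent protocol": "BitTorrent",
              b"GNUTELLA CONNECT/": "Gnutella"}
PORT_TABLE = {80: "WWW", 21: "FTP"}  # port-matching baseline

class AhoCorasick:
    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for pat, label in patterns.items():  # build the keyword trie
            node = 0
            for byte in pat:
                if byte not in self.goto[node]:
                    self.goto[node][byte] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                node = self.goto[node][byte]
            self.out[node].append(label)
        queue = deque(self.goto[0].values())  # depth-1 nodes fail to root
        while queue:  # breadth-first pass sets the failure links
            node = queue.popleft()
            for byte, child in self.goto[node].items():
                f = self.fail[node]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(byte, 0)
                self.out[child] += self.out[self.fail[child]]
                queue.append(child)

    def search(self, payload):
        # One pass over the payload; returns (end_offset, label) per match.
        node, hits = 0, []
        for offset, byte in enumerate(payload):
            while node and byte not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(byte, 0)
            hits += [(offset, label) for label in self.out[node]]
        return hits

MATCHER = AhoCorasick(SIGNATURES)

def classify(payload, dst_port):
    # DPI verdict when a signature matches, otherwise the port-table guess.
    hits = MATCHER.search(payload)
    return hits[0][1] if hits else PORT_TABLE.get(dst_port, "unknown")

# Constructed sample: a BitTorrent handshake sent to TCP port 80.
BT_ON_80 = b"\x13BitTorrent protocol" + bytes(8) + b"A" * 20 + b"B" * 20
```

For `BT_ON_80` the port table alone answers "WWW", while `classify(BT_ON_80, 80)` answers "BitTorrent" because the payload signature takes precedence over the port.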
