Joint Analysis of Port and Protocol via Endpoint Measurement: An Empirical Study

2020 (modified: 04 Nov 2022), APNOMS 2020
Abstract: As network services continuously evolve, accurately classifying traffic is important for network operators to optimize QoS and customize policy. Network services use non-standard ports and protocol obfuscation, which damages the accuracy of port-based and payload-based traffic classification. However, the Deep Packet Inspection (DPI) technique, which combines the payload-based and port-based methods, is still adopted by practitioners in the academic and industrial communities. In this paper, we investigate the DPI classification results on a large network to estimate the impact of these two factors. We qualify the popularity of non-standard ports among different protocols. By endpoint filtering, we discover that a large proportion of non-standard ports are opened temporally. We show there is still a strong association between P2P protocols and camouflaged protocols. In particular, using both host and label association between endpoints, we find that camouflaged protocols exhibit an abnormal port span that is different from that of the original protocol and similar to the port span of P2P protocols.