World Applied Sciences Journal 5 (2): 150-160, 2008
ISSN 1818-4952
© IDOSI Publications, 2008
Corresponding Author: Ali Asghar Yarifard, Islamic Azad University, Qaenat Branch, Iran
The Monitoring System Based on Traffic Classification
Ali Asghar Yarifard¹ and Mohammad Hossein Yaghmaee²
¹ Islamic Azad University, Qaenat Branch, Iran
² Department of Computer Engineering, Ferdowsi University, Mashhad, Iran
Abstract: Accurate identification and classification of network traffic according to the application that generated it is the basis of any modern network management platform. Nowadays, many P2P applications use dynamic port numbers, masquerading techniques and encryption to avoid detection. Therefore, simple port-based methods and systematic analysis of packet payloads are rapidly becoming ineffective. An alternative approach is to classify traffic by relying on the fact that different applications have distinct behavior patterns when they communicate on a network. We present this latter approach to effectively identify groups of similar traffic using only transport-layer statistical information. In this study, we propose a traffic monitoring scheme based on the IPFIX standard that employs clustering algorithms as a classification tool to classify network traffic using only transport-layer information. We believe that in order to build an accurate classifier, a good classification model must be used. For building such a model, we consider three unsupervised clustering algorithms, namely K-Means, DBSCAN and SNN, for clustering training data; the latter has not previously been used for network traffic classification. We evaluate this algorithm and compare it to the previously used K-Means and DBSCAN algorithms, using empirical Internet traces.
Key words: Monitoring system • Traffic classification • IPFIX protocol
INTRODUCTION
The number of application layer protocols and end-users is increasing rapidly. Because of this growth, the efficient management of network resources is a complicated task. With traditional network management methods, it is difficult to obtain a comprehensive view of the state of the network and simultaneously discover important details of the network traffic. Traffic classification mechanisms are useful tools that help the allocation, control and management of resources in TCP/IP networks and improve the reliability of Network Intrusion Detection Systems (NIDS).
Different techniques can be used to classify network traffic. The simplest method is to identify the application that generated each flow by its transport-level source and destination port numbers; this has been very successful in the past [1]. However, standard services are frequently run on non-standard ports, for example to circumvent policy restrictions. Moreover, some increasingly popular applications, such as peer-to-peer applications, use dynamic port numbers and have also started disguising themselves by using the port numbers of commonly used protocols such as HTTP and FTP. Many recent studies confirm that port-based identification of network traffic is inefficient [4, 7].
To address the aforementioned drawbacks of port-based classification, other techniques have been proposed; for example, the ones present in many NIDS such as Bro and Snort [8, 9] rely on the detailed analysis of each packet's payload. In this approach, packet payloads are inspected to determine whether they contain characteristic signatures of known applications. This method is extremely accurate, but has some limitations. First, these techniques only identify traffic for which signatures are available and are unable to classify any other traffic. Second, there is a high storage and computational cost to inspecting every packet that traverses a link (in particular on very high-speed links). Finally, payload information is not useful when applications use encryption. Therefore, these approaches scale poorly to the capacity of current high-speed networks, limiting their use to lower-bandwidth links.
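To make the contrast between port-based identification and the transport-layer clustering approach described in the abstract concrete, the following is an added example (not code from the paper or its authors). It runs a plain K-Means over a handful of constructed flow records whose only features are transport-layer statistics (mean packet size, duration, packet count), then names each cluster by majority vote over the few flows whose application is known. The flow values, port table and application names are invented for illustration; the farthest-first seeding and the majority-vote labelling step are assumptions, not the paper's method.

```python
"""Added example: clustering flows by transport-layer statistics with K-Means."""

# Constructed sample flow records. Only transport-layer statistics are used
# as features (no payload). Ports and values are invented for illustration.
FLOWS = [
    {"id": "f0", "dst_port": 20,   "mean_pkt": 1400, "duration": 120.0, "packets": 5000},
    {"id": "f1", "dst_port": 8000, "mean_pkt": 1380, "duration": 95.0,  "packets": 4200},
    {"id": "f2", "dst_port": 20,   "mean_pkt": 1450, "duration": 150.0, "packets": 6000},
    {"id": "f3", "dst_port": 22,   "mean_pkt": 80,   "duration": 2.0,   "packets": 12},
    {"id": "f4", "dst_port": 2222, "mean_pkt": 95,   "duration": 3.0,   "packets": 15},
    {"id": "f5", "dst_port": 22,   "mean_pkt": 70,   "duration": 1.0,   "packets": 9},
]
FEATURES = ("mean_pkt", "duration", "packets")

# Illustrative subset of a well-known-port table for the naive port-based classifier.
PORT_TABLE = {20: "ftp-data", 21: "ftp", 22: "ssh", 80: "http"}


def port_based(flow):
    """Port-based identification: anything on a non-standard port is 'unknown'."""
    return PORT_TABLE.get(flow["dst_port"], "unknown")


def normalize(flows):
    """Min-max scale each feature to [0, 1] so bytes, seconds and counts weigh equally."""
    cols = {f: [fl[f] for fl in flows] for f in FEATURES}
    lo = {f: min(v) for f, v in cols.items()}
    rng = {f: (max(v) - min(v)) or 1.0 for f, v in cols.items()}
    return [[(fl[f] - lo[f]) / rng[f] for f in FEATURES] for fl in flows]


def dist2(a, b):
    """Squared Euclidean distance between two feature vectors."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(points, k=2, iters=100):
    """Lloyd's K-Means with deterministic farthest-first seeding (assumed here
    so the result is reproducible; the paper does not specify its seeding)."""
    seeds = [points[0]]
    while len(seeds) < k:
        seeds.append(max(points, key=lambda p: min(dist2(p, s) for s in seeds)))
    centroids = [list(s) for s in seeds]
    assign = [-1] * len(points)
    for _ in range(iters):
        new = [min(range(k), key=lambda c: dist2(p, centroids[c])) for p in points]
        if new == assign:          # converged: no point changed cluster
            break
        assign = new
        for c in range(k):
            members = [p for p, a in zip(points, assign) if a == c]
            if members:
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return assign, centroids


def classify(flows, labelled, k=2):
    """Cluster all flows on transport-layer features, then name each cluster by
    majority vote over the flows whose application is known (labelled = {id: app})."""
    assign, _ = kmeans(normalize(flows), k)
    votes = {}
    for fl, c in zip(flows, assign):
        if fl["id"] in labelled:
            app = labelled[fl["id"]]
            votes.setdefault(c, {})
            votes[c][app] = votes[c].get(app, 0) + 1
    names = {c: max(v, key=v.get) for c, v in votes.items()}
    return {fl["id"]: names.get(c, "cluster-%d" % c) for fl, c in zip(flows, assign)}


if __name__ == "__main__":
    known = {"f0": "bulk-transfer", "f3": "interactive"}   # constructed labels
    result = classify(FLOWS, known)
    for fl in FLOWS:
        print(fl["id"], "port-based:", port_based(fl), "cluster-based:", result[fl["id"]])
```

Flow f1 is a bulk transfer running on the non-standard port 8000: the port lookup returns "unknown", while clustering on its transport-layer statistics places it with the other bulk flows. The same holds for f4 on port 2222, which lands with the interactive flows.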
The limitations of port-based and payload-based analysis have motivated the use of transport layer statistics for traffic classification [3, 5, 7, 15, 18]. These classification techniques rely on the fact that different applications typically have distinct behavior patterns when communicating on a network. For instance, a large file transfer using FTP would have a longer connection