Table 4 Summary of Payload ⋆ and Host Behavior †-based Traffic Classification
Ref. | ML Technique | Dataset | Features | Classes | Evaluation | |
|---|---|---|---|---|---|---|
Settings | Results | |||||
Haffner et al. [176] ⋆ | Supervised NB, AdaBoost, MaxEnt | Proprietary | Discrete byte encoding for first n bytes of unidirectional flow | FTP, SMTP, POP3, IMAP, HTTPS, HTTP, SSH | n=64−256 bytes | Overall error rate <0.51%, precision > 99%, recall > 94% |
Ma et al. [286] ⋆ | Unsupervised HCA | Proprietary: U. Cambridge, UCSD | Discrete byte encoding for first n bytes of unidirectional flow | FTP, SMTP, HTTP, HTTPS, DNS, NTP, NetBIOS, SrvLoc | n=64 bytes, distance metric: PD = 250, MP = 150, CSG = 12% | Error rate: PD ≤ 4.15%, MP ≤ 9.97%, CSG ≤ 6.19% |
Finamore et al. [146] ⋆ | Supervised SVM | Statistical characterization of first N bytes of each packet a window of size C, divided into G groups of b consecutive bits | eMule, BitTorrent, RTP, RTCP, DNS, P2P-TV (PPLive, Joost, SopCast, TVAnts), Skype, Background | C=80,N=12,G=24,b=4 | Average TP = 99.6%, FP < 1% | |
Schatzmann et al. [404] †| Supervised SVM | Proprietary: ISP network | Service proximity, activity profiles, session duration, periodicity | Mail, Non-Mail | N/A | Average accuracy = 93.2%, precision = 79.2% |
Bermolan et al. [53] †| Supervised SVM | Proprietary: campus network, ISP network | Packet count exchanged between peers in duration △T | PPLive, TVAnts, SopCast, Joost | △T=5 s, SVM distance metric R=0.5 | Worst-case TPR ≈95%, FPR < 0.1% |