Hybrid P2P traffic classification with heuristic rules and machine learning

Peer-to-peer (P2P) applications have become more and more popular in recent years. Although they make our lives easier, increasing P2P traffic leads to many problems in management and security. Classifying P2P traffic accurately is becoming more critical for network management and P2P malware detection. Many methods have been proposed for P2P traffic classification, such as port-based, signature-based, pattern-based, and statistics-based methods. However, with the development of anti-identification techniques from port disguise to payload encryption or even packet size controlling, a single method is not enough to classify P2P traffic accurately. In this paper, an improved two-step hybrid P2P traffic classifier is proposed. The first step is a signature-based classifier at the packet-level combined with connection heuristics. The second step consists of a statistics-based classifier and pattern heuristics, and classifies the remaining unknown traffic at the flow level. Based on the analysis of various machine learning algorithms, the statistics-based classifier is implemented with REPTree, a decision tree algorithm. Through verification with real datasets, it is shown that our hybrid scheme provides high accuracy and low overhead compared to other hybrid schemes.