{"title":"Joint Analysis of Port and Protocol via Endpoint Measurement: An Empirical Study","authors":"Chengshang Hou, Gaopeng Gou, G. Xiong, Zhuguo Li","doi":"10.23919/APNOMS50412.2020.9237036","DOIUrl":null,"url":null,"abstract":"As network services continuously evolving, accurately classifying traffic is important for network operators to optimize QoS and customize policy. Network service uses non-standard ports and protocol obfuscation causing damage to the accurate port-based and payload-based traffic classification. However, Deep Packet Inspection (DPI) technique, which combines the payload-based method and port-based method, is still adopted by practitioners from the academic and industrial community. In this paper, we investigate the DPI classification result on a large network to estimate the impact of two factors. We qualify the popularity of non-standard port among different protocols. By endpoint filtering, we discover a large proportion of non-standard ports are opened temporally. We show there still is strong association between P2P protocols and camouflaged protocol. 
In particular, using both host and label association between endpoints, we find camouflaged protocols exhibit an abnormal port span that is different with the original protocol and are similar to the port span of P2P protocols.","PeriodicalId":122940,"journal":{"name":"2020 21st Asia-Pacific Network Operations and Management Symposium (APNOMS)","volume":"5 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 21st Asia-Pacific Network Operations and Management Symposium (APNOMS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.23919/APNOMS50412.2020.9237036","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
As network services continuously evolve, accurately classifying traffic is important for network operators to optimize QoS and customize policy. Network services use non-standard ports and protocol obfuscation, which damages the accuracy of port-based and payload-based traffic classification. However, the Deep Packet Inspection (DPI) technique, which combines the payload-based method and the port-based method, is still adopted by practitioners in the academic and industrial communities. In this paper, we investigate the DPI classification results on a large network to estimate the impact of these two factors. We qualify the popularity of non-standard ports among different protocols. By endpoint filtering, we discover that a large proportion of non-standard ports are opened temporally. We show that there is still a strong association between P2P protocols and camouflaged protocols. In particular, using both host and label association between endpoints, we find that camouflaged protocols exhibit an abnormal port span that differs from that of the original protocol and is similar to the port span of P2P protocols.