Knowing which applications are currently in operation across modern packet-based
communication networks such as the Internet is of lasting interest to network
administrators, network service providers and security systems. This information can
help prevent improper network use, which may include illegal activities, consume a
large amount of bandwidth, cause security problems or break network usage policies.
In addition, using this information, the network may be able to establish enhanced
environments for the applications that are in use.
Various techniques exist to perform network application detection. However, there are
situations in which the traditional techniques fail: for example, if the application
uses non-registered port numbers, if the capture of certain specific packets is
impossible, or if the data portion of at least some of the packets is unavailable due to
encryption or processing overload.
In this thesis an alternative approach to application detection, using packet size
distributions, is applied to TCP applications. This statistical property of the traffic
stream is found to be unique to certain kinds of network applications. Detection can be
achieved by simply comparing this "fingerprint" with pre-evaluated samples stored in a
database. Previous work has shown that packet size distributions can successfully identify
many types of UDP application.
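The fingerprint comparison described above can be sketched as follows. This is an added example, not code from the thesis: the bin width, the total variation distance, the rejection threshold, the application labels and the packet sizes are all assumptions constructed for illustration.

```python
from collections import Counter

BIN_WIDTH = 64    # assumed histogram bin width in bytes
MAX_SIZE = 1536   # assumed ceiling; larger sizes fall into the last bin
N_BINS = MAX_SIZE // BIN_WIDTH

def size_distribution(sizes):
    """Normalised packet-size histogram: the stream's 'fingerprint'."""
    if not sizes:
        raise ValueError("no packets observed")
    counts = Counter(min(max(s, 0) // BIN_WIDTH, N_BINS - 1) for s in sizes)
    return [counts.get(b, 0) / len(sizes) for b in range(N_BINS)]

def distance(p, q):
    """Total variation distance: 0.0 for identical, 1.0 for disjoint."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))

def classify(sizes, database, threshold=0.25):
    """Return (label, distance) for the closest stored fingerprint.

    A stream whose best match is still further away than `threshold`
    is reported as "unknown" instead of being forced into a class.
    """
    observed = size_distribution(sizes)
    label, best = min(
        ((name, distance(observed, fp)) for name, fp in database.items()),
        key=lambda item: item[1],
    )
    return (label, best) if best <= threshold else ("unknown", best)

# Constructed training streams (payload sizes in bytes), not measured data.
TRAINING = {
    "interactive-shell": [48] * 60 + [80] * 30 + [144] * 10,
    "bulk-transfer": [1460] * 85 + [52] * 10 + [700] * 5,
}
DATABASE = {name: size_distribution(s) for name, s in TRAINING.items()}

# Constructed observations: two resemble a stored class, one does not.
OBSERVED_A = [52] * 55 + [90] * 35 + [150] * 10
OBSERVED_B = [1448] * 80 + [40] * 15 + [640] * 5
OBSERVED_C = [400] * 50 + [900] * 50

if __name__ == "__main__":
    for name, stream in (("A", OBSERVED_A), ("B", OBSERVED_B), ("C", OBSERVED_C)):
        label, d = classify(stream, DATABASE)
        print(f"stream {name}: {label} (distance {d:.2f})")
```

Only packet sizes are inspected, so the comparison needs neither port numbers nor payload contents.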
This thesis suggests that for those TCP-based network applications that do not use the
Nagle algorithm, the detection mechanism, which had been proved successful for
UDP-based applications, can also be adopted without any modification. For Nagle-based
applications the situation becomes more complicated; however, with some precomputation,
successful detection can be achieved as well. A prototype detector
implementing the suggested approaches has been designed in order to test the feasibility
and performance of the proposed approach. The tests carried out on this prototype
platform indicate that the method is universally suitable for several distributions and
yields satisfactory detection success ratios.
School
Mechanical, Electrical and Manufacturing Engineering