Network application detection techniques
In this thesis, some new approaches for identifying which real-time multimedia applications are running over a network of computers are presented. Conventional techniques involve capturing and decoding the generated packet stream and are generally targeted at standards-based network applications (e.g. H.323). The new techniques presented in this thesis rely instead on examining the characteristics and features of the traffic stream itself, and attempt to identify those applications which are not standards-based or which utilise packet encryption.
A significant proportion of the work involved the analysis of several classes of applications and the nature of the traffic generated by them. The results of these analyses suggested that the packet size distribution profile could be used as a ‘fingerprint’ for each application. The profile extracted from the traffic stream observed at a particular part of a network can be compared with a set of stored profiles, allowing the determination of which applications are running. In order to test the effectiveness of the comparison techniques, and of the packet size distribution as the application signature, a prototype detector was built.
It will be shown that these techniques function well even with ‘difficult’ applications that dynamically negotiate network connections; such applications cannot simply be identified via their packet port numbers. The techniques also have the advantage over packet decode techniques of not requiring the capture of every packet in the stream, or even capture from the beginning of the session. Furthermore, they require only superficial (readily available) technical information concerning the application. The techniques are completely transparent to the applications.
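The following is an added worked example of the detection idea described in the two paragraphs above; it is not the thesis's prototype detector. It builds a packet-size distribution profile for each application, compares an observed profile against the stored set, and classifies from a short window taken from the middle of a session rather than from the whole stream. The bin edges, the total-variation distance, the acceptance threshold and the three synthetic applications ("voice", "video", "filexfer") are all assumptions constructed for the example.

```python
import random

# Packet-size bins in bytes. Constructed for this example; the thesis does not
# state the binning used by its prototype detector.
BIN_EDGES = (0, 64, 128, 256, 512, 1024, 1501)


def size_profile(sizes):
    """Normalised packet-size distribution: fraction of packets per bin."""
    counts = [0] * (len(BIN_EDGES) - 1)
    for s in sizes:
        for i in range(len(counts)):
            if BIN_EDGES[i] <= s < BIN_EDGES[i + 1]:
                counts[i] += 1
                break
        else:
            counts[-1] += 1  # anything above the last edge lands in the top bin
    total = sum(counts)
    if total == 0:
        return [0.0] * len(counts)
    return [c / total for c in counts]


def profile_distance(p, q):
    """Total-variation distance between two profiles, in [0, 1] (assumed metric)."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def identify(sizes, stored_profiles, threshold=0.3):
    """Match the observed profile against the stored set; nearest wins if close enough."""
    observed = size_profile(sizes)
    best_name, best_dist = None, float("inf")
    for name, profile in stored_profiles.items():
        d = profile_distance(observed, profile)
        if d < best_dist:
            best_name, best_dist = name, d
    if best_dist > threshold:
        return "unknown", best_dist  # no stored fingerprint is close enough
    return best_name, best_dist


def synth_traffic(rng, n, modes):
    """Constructed packet sizes: a mixture of Gaussian modes (mean, sd, weight)."""
    means, sds, weights = zip(*modes)
    sizes = []
    for _ in range(n):
        i = rng.choices(range(len(modes)), weights=weights)[0]
        s = int(rng.gauss(means[i], sds[i]))
        sizes.append(min(1500, max(40, s)))  # clamp to a plausible Ethernet range
    return sizes


# Hypothetical applications with distinct packet-size behaviour (constructed).
APP_MODES = {
    "voice": [(80, 10, 1.0)],                     # small, regular audio frames
    "video": [(1200, 100, 0.7), (100, 20, 0.3)],  # large frames plus control packets
    "filexfer": [(1400, 50, 1.0)],                # near-MTU bulk transfer
}


def build_stored_profiles(seed=1, n=2000):
    """Stored fingerprints, learnt once from a long capture of each application."""
    rng = random.Random(seed)
    return {app: size_profile(synth_traffic(rng, n, modes))
            for app, modes in APP_MODES.items()}


def detect_from_partial_capture(app, seed=7, total=5000, start=2000, window=200):
    """Classify from a short window taken mid-session, never from the whole stream."""
    rng = random.Random(seed)
    stream = synth_traffic(rng, total, APP_MODES[app])
    return identify(stream[start:start + window], build_stored_profiles())


if __name__ == "__main__":
    for app in APP_MODES:
        print(app, "->", detect_from_partial_capture(app))
    uniform = list(range(40, 1500, 7))  # no dominant size: should match nothing
    print("uniform ->", identify(uniform, build_stored_profiles()))
```

The threshold is what keeps the detector from forcing every unfamiliar stream onto its nearest stored profile; the uniform stream at the end exercises that path and should come back as "unknown".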
- Mechanical, Electrical and Manufacturing Engineering