An Efficient Application Traffic Signature Generation System

2019 
Application traffic signatures are byte subsequences or behaviors (such as packet sizes and interval times) within traffic that can distinguish which application is contributing to the network traffic. Application traffic signatures form the building blocks of many deep packet analysis rules in numerous areas, such as network management, measurement, and even security systems. Under the pressure of continually appearing new applications and their frequent updates, efficiently and accurately extracting signatures from network traffic becomes an increasingly challenging issue. Although several generation methods have been proposed, problems of efficiency, robustness, and refinement still limit their application in real network environments. Existing CS (Common Subsequence) based approaches are ineffective at generating signatures from network traffic, especially when the traffic is massive. In this paper, we propose ESGS, an efficient system that extracts signatures from application traffic traces. ESGS is based on Latent Dirichlet Allocation (LDA) and a modified sequence pattern algorithm. First, we use an LDA-based semantic analysis algorithm to select candidate packets from the traffic traces according to the semantic information of the packets, thereby refining the traffic traces. Then, we use a modified sequence pattern algorithm to generate signatures from the filtered traffic trace. We compare ESGS with several existing generation methods via evaluation on real-world application traffic traces. The results show that ESGS generates application traffic signatures significantly faster, and the generated signatures achieve high accuracy. In addition, this method can effectively reduce the input traffic of signature generation systems such as Sigbox, and significantly improve the efficiency of signature generation while having little impact on accuracy.
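To make the CS (Common Subsequence) baseline that the abstract compares against concrete, the following is an added example, not code from the paper or from ESGS: it mines frequent maximal byte substrings from constructed first-packet payloads of a hypothetical application and then checks the candidates against unrelated traffic for false positives, which is the validation step a practitioner wants before deploying any generated signature. The payload bytes, the support threshold and all function names are assumptions; the LDA-based candidate selection stage of ESGS is not reproduced here.

```python
from collections import defaultdict

# Constructed sample payloads (hypothetical protocol, not from the paper):
# first packets of one application, plus unrelated traffic used as negatives.
APP_PAYLOADS = [
    b"\x00\x01HELO v2.1\r\nuser=alice\r\n",
    b"\x00\x01HELO v2.1\r\nuser=bob\r\n",
    b"\x00\x01HELO v2.0\r\nuser=carol\r\n",
    b"\x00\x02DATA v2.1\r\nuser=dave\r\n",
]
OTHER_PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: example\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00",
]


def frequent_substrings(payloads, min_len, min_support):
    """Return byte substrings of length >= min_len that occur in at least a
    min_support fraction of the payloads (each payload counted once)."""
    counts = defaultdict(set)
    for idx, payload in enumerate(payloads):
        for start in range(len(payload)):
            for end in range(start + min_len, len(payload) + 1):
                counts[payload[start:end]].add(idx)
    needed = min_support * len(payloads)
    return {s for s, ids in counts.items() if len(ids) >= needed}


def maximal(substrings):
    """Drop any substring that is contained in a longer frequent substring,
    so each signature candidate is reported once in its longest form."""
    return {s for s in substrings
            if not any(s != t and s in t for t in substrings)}


def generate_signatures(payloads, min_len=4, min_support=0.75):
    """CS-style signature generation: frequent maximal substrings, longest first
    (ties broken by byte order so the output is deterministic)."""
    cands = maximal(frequent_substrings(payloads, min_len, min_support))
    return sorted(cands, key=lambda s: (-len(s), s))


def matches(signatures, payload):
    """Classify a payload as the application if any signature occurs in it."""
    return any(sig in payload for sig in signatures)


def false_positives(signatures, negatives):
    """Validation step: count unrelated payloads that a signature set matches."""
    return sum(1 for p in negatives if matches(signatures, p))
```

With the sample above the miner returns two candidates, the " v2.1\r\nuser=" fragment and the "\x00\x01HELO v2." header prefix; the single-byte differences in the payloads show why a CS-based approach needs a support threshold rather than requiring a substring to appear in every packet.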