FlowCop: Detecting "Stranger" in Network Traffic Classification

2018 
As the cornerstone of future network research, network traffic classification plays an important role in network management, cyberspace security and quality of service. Recently, many studies have used machine learning techniques for traffic classification. Most of them focus only on classifying samples into predefined classes and ignore the "strangers". In this paper, we use "stranger" to denote traffic that does not belong to any predefined application, and propose a novel scheme named FlowCop to achieve stranger detection in network traffic classification. By constructing multiple one-class classifiers, FlowCop can divide testing traffic into N classes and a stranger class. Since samples of the stranger class are not required during the training stage, FlowCop detects strangers without prior experience of them, just like cops searching a crowd for strangers. In addition, for accurate classification and low overhead, a feature subspace algorithm is proposed to select outstanding features for each one-class classifier. To verify the effectiveness of FlowCop, we conduct comparative experiments on two real-world datasets. The results show that FlowCop can not only identify the predefined traffic flows but also detect the strangers. It outperforms four state-of-the-art approaches in both precision and recall.
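The idea of N one-class classifiers with a reject option, each working in its own feature subspace, can be sketched as follows. This is an added illustration, not FlowCop's algorithm or the authors' code: the z-score envelope used as the one-class model, the separation heuristic for choosing each subspace, the constants `K` and `Z_LIMIT`, and the flow data are all assumptions constructed for the example.

```python
import statistics as st

# Constructed training flows per known application (not from the paper):
# (mean packet size in bytes, mean inter-arrival in ms, flow duration in s)
TRAIN = {
    "web":  [(520, 40, 3.0), (560, 35, 2.5), (500, 45, 3.5), (540, 38, 2.8), (530, 42, 3.2)],
    "voip": [(160, 20, 60.0), (172, 20, 95.0), (168, 21, 30.0), (164, 19, 120.0), (170, 20, 45.0)],
    "dns":  [(90, 5, 0.10), (170, 6, 0.12), (120, 4, 0.08), (200, 5, 0.11), (150, 5, 0.09)],
}
K = 2          # assumed subspace size per classifier
Z_LIMIT = 3.0  # assumed acceptance boundary, in standard deviations

def stats(rows):
    """Per-feature (mean, stdev) for one class; a zero stdev is replaced to avoid division by zero."""
    return [(st.mean(c), st.stdev(c) or 1e-9) for c in zip(*rows)]

def select_subspace(label, all_stats, k=K):
    """Assumed heuristic: keep the k features that best separate `label`
    from its nearest other known class. No stranger samples are used."""
    own = all_stats[label]
    def score(i):
        return min(abs(own[i][0] - other[i][0]) / (own[i][1] + other[i][1])
                   for name, other in all_stats.items() if name != label)
    return sorted(sorted(range(len(own)), key=score, reverse=True)[:k])

def train(data):
    """Build one one-class model (feature subspace + statistics) per known class."""
    all_stats = {name: stats(rows) for name, rows in data.items()}
    return {name: (select_subspace(name, all_stats), all_stats[name]) for name in data}

def membership(model, flow):
    """Largest absolute z-score of the flow over the model's own feature subspace."""
    feats, s = model
    return max(abs(flow[i] - s[i][0]) / s[i][1] for i in feats)

def classify(models, flow):
    """Return the best-fitting known class, or 'stranger' if every classifier rejects the flow."""
    scores = {name: membership(m, flow) for name, m in models.items()}
    accepted = {name: v for name, v in scores.items() if v <= Z_LIMIT}
    return min(accepted, key=accepted.get) if accepted else "stranger"

MODELS = train(TRAIN)

if __name__ == "__main__":
    for flow in [(535, 41, 9.0), (168, 20, 80.0), (130, 5, 0.1), (900, 12, 15.0)]:
        print(flow, "->", classify(MODELS, flow))
```

With this constructed data the web classifier ends up using packet size and inter-arrival time, while the voip and dns classifiers use inter-arrival time and duration, so a web-like flow with an unusual duration is still accepted by the web classifier.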