2019/5/8 BitCoding Network Traffic Classification Through Encoded Bit Level Signatures Author: Neminath Hubballi, Mayank Swarnkar Publisher/Conference:


1 BitCoding Network Traffic Classification Through Encoded Bit Level Signatures
Author: Neminath Hubballi, Mayank Swarnkar
Publisher/Conference: IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 26, NO. 5, OCTOBER 2018
Presenter: 林宇翔
Date: 2019/03/20
Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan R.O.C. CSIE CIAL Lab

2 Introduction
In traditional deep-packet-inspection (DPI) methods, application-specific signatures are generated from byte-level payload data. Increasingly, new data formats encode application protocols with bit-level information, which renders byte-level signatures ineffective. BitCoding, a bit-level DPI-based signature generation technique, uses only a small number of initial bits from a flow and identifies the invariant bits as the signature. Subsequently, these bit signatures are encoded and transformed into a newly defined state transition machine, Transition Constrained Counting Automata (TCCA). We describe a method for signature similarity detection using a variant of Hamming Distance and propose to increase the length of signatures for a subset of protocols to avoid overlaps.
National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

3 BitCoding
BitCoding uses signatures generated from the bit-level content of the payload to identify flows belonging to different applications. The payload data of all packets within a flow is concatenated and used as input for the subsequent signature generation phase. BitCoding uses the first n bits of a bidirectional flow to generate signatures. Assuming there are K bidirectional flows of an application A in the training set, it collects the first n bits from each of the K flows and generates an n-bit signature $A_{Sig}$ for that application.

4 Bit-Signature Generation
In this example, 3 flows of 20 bits each are used for signature generation. The final signature generated is ***111. For efficient representation, storage and comparison, we perform Run-length Encoding (RLE) of these n bits. RLE is a technique used in lossless data compression. After encoding with RLE it is converted to 8W6Z3*3W.

5 State Transition Machine Creation
Transition Constrained Counting Automata (TCCA) for 8W6Z3*3W. Example: classified, not classified
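An added example (not code from the slides or the paper) of the pipeline on slides 3 to 5: deriving the invariant-bit signature from K flows, run-length encoding it, and matching a flow with a simplified counting matcher rather than the paper's TCCA. The flow bit strings are constructed, and the mapping W = 1, Z = 0, * = wildcard is an assumption, since the slides do not define the symbols.

```python
from itertools import groupby

# Assumed symbol mapping (not defined on the slides): W = 1, Z = 0, * = wildcard.
SYMBOL = {"1": "W", "0": "Z", "*": "*"}
BIT = {v: k for k, v in SYMBOL.items()}

# Constructed sample: K = 3 flows, first n = 20 payload bits each.
FLOWS = ["11111111000000010111",
         "11111111000000101111",
         "11111111000000110111"]

def bit_signature(flows, n):
    """Keep a bit where all K flows agree at that position, else emit '*'."""
    if not flows or any(len(f) < n for f in flows):
        raise ValueError("every flow must supply at least n bits")
    columns = zip(*(f[:n] for f in flows))
    return "".join(c[0] if len(set(c)) == 1 else "*" for c in columns)

def rle_encode(sig):
    """Run-length encode a signature, e.g. '111000**' -> '3W3Z2*'."""
    return "".join(f"{len(list(g))}{SYMBOL[ch]}" for ch, g in groupby(sig))

def rle_decode(encoded):
    """Parse '8W6Z3*3W' into [(8, '1'), (6, '0'), (3, '*'), (3, '1')]."""
    runs, count = [], ""
    for ch in encoded:
        if ch.isdigit():
            count += ch
        elif ch in BIT and count:
            runs.append((int(count), BIT[ch]))
            count = ""
        else:
            raise ValueError(f"malformed signature at {ch!r}")
    if count:
        raise ValueError("trailing count without a symbol")
    return runs

def matches(encoded, flow_bits):
    """Counting match: each run consumes `count` bits; '*' accepts 0 or 1."""
    pos = 0
    for count, bit in rle_decode(encoded):
        chunk = flow_bits[pos:pos + count]
        ok = set(chunk) <= {"0", "1"} if bit == "*" else chunk == bit * count
        if len(chunk) < count or not ok:
            return False  # flow too short, or an invariant bit differs
        pos += count
    return True
```

A flow shorter than the signature is rejected rather than partially matched, which is the case to watch when the first packets of a flow carry little payload.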

6 Addressing Signature Overlap
Signatures may overlap, that is, two different applications may have similar signatures. To avoid such overlaps, we compute the similarity between signatures of different applications using a form of Relaxed Hamming Distance (RHD). The corresponding RHD of the example below is 3.

7 Experiments and Results - Dataset

8 Experiments and Results – Homogeneous result

9 Experiments and Results – Heterogeneous result

10 Experiments and Results – Grand result

11 Comparison: BitCoding vs BitFlow 40-bit

12 Comparison: BitCoding vs BitFlow 80-bit

13 Comparison: BitCoding vs BitFlow 120-bit

14 Comparison: BitCoding vs ACAS 40-bit

