SigBox: Automatic Signature Generation Method for Fine-Grained Traffic Identification

Bibliographic Details
Published in: Journal of Information Science and Engineering Vol. 33; no. 2; pp. 537 - 569
Main Authors: KYU-SEOK SHIM, SUNG-HO YOON, SU-KANG LEE, MYUNG-SUP KIM
Format: Journal Article
Language: English
Published: 社團法人中華民國計算語言學學會 01.03.2017
Summary: The continual appearance of new applications and their frequent updates emphasize the need for automatic signature generation. Although several automatic methods have been proposed, there are still limitations to their adoption in a real network environment in terms of automation, robustness, and elaboration. To address this issue, we propose an automatic signature generation method, called SigBox, for fine-grained traffic identification. Using a modified sequence pattern algorithm, this system extracts three types of signatures: content, packet, and flow signatures. A flow signature, the final result of this system, consists of a series of packet signatures, and a packet signature consists of a series of content signatures. A content signature is defined as a distinguishable and unique substring of the packet payload. By using the modified sequence pattern algorithm, we can improve the system performance in terms of automation and robustness. In addition, the proposed method can generate an elaborated signature for fine-grained traffic identification by using flow-level features beyond those of the packet level. In order to verify the feasibility of our proposed system, we present the results of experiments based on ten popular applications according to three defined metrics: redundancy, coverage, and accuracy. In addition, we show the quality of the generated signatures as compared to those produced by existing methods.
ISSN: 1016-2364
DOI: 10.6688/JISE.2017.33.2.15