NetTiSA: Extended IP Flow with Time-series Features for Universal Bandwidth-constrained High-speed Network Traffic Classification
Josef Koumar, Karel Hynek, Jaroslav Pešek, Tomáš Čejka

TL;DR
NetTiSA introduces a novel, efficient extended IP flow feature set based on packet size time series, enabling high-accuracy network traffic classification suitable for high-speed ISP networks with minimal computational overhead.
Contribution
The paper presents NetTiSA, a new extended IP flow method using time series of packet sizes, which is scalable and effective for high-speed network traffic classification.
Findings
Outperforms existing methods in 25 classification tasks.
Proven effective in high-speed 100 Gbps ISP networks.
Maintains high accuracy with minimal flow extension size.
Abstract
Network traffic monitoring based on IP Flows is a standard monitoring approach that can be deployed to various network infrastructures, even the large ISP-based networks connecting millions of people. Since flow records traditionally contain only limited information (addresses, transport ports, and amount of exchanged data), they are also commonly extended with additional features that enable network traffic analysis with high accuracy. Nevertheless, the flow extensions are often too large or hard to compute, which limits their deployment only to smaller-sized networks. This paper proposes a novel extended IP flow called NetTiSA (Network Time Series Analysed), which is based on the analysis of the time series of packet sizes. By thoroughly testing 25 different network classification tasks, we show the broad applicability and high usability of NetTiSA, which often outperforms the…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Network Packet Processing and Optimization
