Journal of Computational Information Systems 7:5 (2011) 1524-1532
Available at http://www.jofcis.com

Online Wireless Mesh Network Traffic Classification using Machine Learning

Chengjie GU 1, Shunyi ZHANG 1, Xiaozhen XUE 2, He HUANG 3

1 Institute of Information Network Technology, Nanjing University of Posts and Telecommunications, Nanjing 210003, China
2 Department of Computer Science, Texas Tech University, Texas 79415, USA
3 School of Software, Beijing University of Aeronautics and Astronautics, Beijing 100083, China

Corresponding author. Email addresses: jackee.gu@gmail.com (Chengjie GU).
1553-9105/ Copyright 2011 Binary Information Press, May, 2011

Abstract

Internet traffic classification based on flow statistics using machine learning has attracted great attention. Wireless mesh networks (WMNs) facilitate the extension of wireless local area networks into wide areas and have emerged as a key technology for next-generation wireless networking. Online and accurate traffic classification is a key challenge for wireless mesh network management. We propose an online wireless mesh network traffic classification using C4.5. We evaluate the effectiveness of our proposed method through experiments on real mesh traffic traces. Experiment results illustrate that this method can classify online wireless mesh network traffic with high accuracy.

Keywords: Traffic Classification; Wireless Mesh Network; Machine Learning; Accuracy

1. Introduction

The rapid development of P2P (Peer-to-Peer) applications has enriched the performance of the Internet in recent years. P2P traffic has occupied above 50% of the total Internet traffic, and the ratio is still growing [1]. The large amount of P2P traffic and the rapid growth in the usage of P2P applications have led to network congestion and traffic hindrance because of the excessive occupation of the network bandwidth [2]. Therefore, accurate and online classification of network traffic plays important roles in many areas such as traffic engineering, QoS, and intrusion detection.

The earliest and simplest traffic classification approach is port-based traffic classification, which consists in examining the port numbers in TCP headers [3]. This method is no longer valid because of the inaccuracy and incompleteness of its classification results. Several payload-based analysis techniques have been proposed to inspect the packets' payload searching for specific signatures [4]. Although this solution can achieve high classification accuracy, it can't work with encrypted traffic or new P2P applications [5]. At the same time, traffic classification based on flow statistics shows effective performance in this field. Substantial attention has been invested in data mining techniques and machine learning algorithms using flow features for traffic classification.

Wireless mesh network is generally considered as a type of ad-hoc network due to the lack of wired infrastructure that exists in cellular or Wi-Fi networks through deployment of base stations or access points [6]. Recently, lots of attention has been paid to wireless mesh network as a fundamental technology which is one of the most sought-after networks of next generation [7].

While traffic classification methods based on flow statistics offer various degrees of success, there are several limitations. 1) The existing classifiers cannot classify traffic effectively, because they cannot always capture the initial sub-flow when a communicating node moves in a wireless mesh network. 2) Many proposed classifiers can't solve the online traffic classification problems faultlessly.

To address the above-mentioned problems, we take two aspects to improve the accuracy and speed of the machine learning methods for wireless mesh network traffic classification. 1) We propose sub-flow selection with application behaviors, and the method solves a critical problem of how to select appropriate sub-flows for achieving traffic classification in a wireless mesh network. 2) In order to achieve early detection, we allow the classifier to classify traffic flows early in the connection using the first p packets of a flow. Our online traffic classification should be indispensable to manage a network which has a variety of mobile nodes.

The remainder of this paper is structured as follows. Related work is presented in Section 2. Section 3 describes the relationship between wireless mesh network and traffic classification. Our proposed online mesh network traffic classification using machine learning is presented in Section 4. Section 5 presents the experimental results and analysis. The conclusions and potential future work are listed in Section 6.

2. Related Work

Machine learning, which is a powerful tool for data separation in many disciplines, aims to classify data based on either a priori knowledge or statistical information extracted from a raw dataset. This method can be well suited to Internet traffic classification, as long as the traffic is classified into categories that exhibit similar characteristics in parameters. Each individual flow can be associated with a specific application according to its flow features, and consequently traffic classification is achieved by a Machine Learning (ML) algorithm without direct inspection of each packet's header or payload. The flow features are statistical patterns, such as packet size, packet inter-arrival time, and packet arrival order. Machine learning algorithms are generally divided into supervised learning and unsupervised learning.

Unsupervised learning essentially clusters flows with similar characteristics together [8-10]. The advantage is that it does not require training, and new applications can be classified by examining known applications in the same cluster. Erman et al. [8] compared the performance of unsupervised machine learning algorithms in traffic classification. Our main focus, however, is on evaluating the predictive power of a built/trained traffic classifier rather than on detecting new applications or flow clustering. Also, Erman et al. [9] evaluated the performance of two clustering algorithms, namely K-Means and DBSCAN, in Internet traffic classification. The result indicated that K-Means was one of the quickest and simplest algorithms for clustering of Internet flows. Bernaille et al. [10] used a simple K-Means clustering algorithm to perform classification by using only the first five packets of the flow, aiming at real-time classification.

Supervised learning requires training data to be labeled in advance and produces a model that fits the training data [11-13]. Moore et al. [11] used a Naive Bayes classifier, which was a supervised machine learning approach to classifying Internet traffic, but it achieved only a 65% accuracy rate, which was not good enough to classify Internet traffic. Williams et al. [12] conducted an empirical comparison of five machine learning algorithms which were widely used to classify Internet traffic. Among these algorithms, C4.5 achieved the highest accuracy in their results. Auld [13] proposed supervised machine learning based on a Bayesian neural network to classify the traffic with higher accuracy and better stability, but it was not suitable for real-time applications.

3. Traffic Classification in Wireless Mesh Network

3.1. Wireless Mesh Network

As various wireless networks evolve into the next generation to provide better services, wireless mesh networks (WMNs) have emerged recently. In WMNs, nodes are comprised of mesh routers and mesh clients. Each node operates not only as a host but also as a router, forwarding packets on behalf of other nodes that may not be within direct wireless transmission range of their destinations [14]. A WMN is dynamically self-organized and self-configured, with the nodes in the network automatically establishing and maintaining mesh connectivity among themselves [15]. This feature brings many advantages to WMNs such as low up-front cost, easy network maintenance, robustness, and reliable service coverage.

As illustrated in Figure 1, WMNs consist of two types of nodes: mesh routers and mesh clients. Other than the routing capability for gateway/repeater functions as in a conventional wireless router, a wireless mesh router contains additional routing functions to support mesh networking [16]. To further improve the flexibility of mesh networking, a mesh router is usually equipped with multiple wireless interfaces built on either the same or different wireless access technologies. Compared with a conventional wireless router, a wireless mesh router can achieve the same coverage with much lower transmission power through multi-hop communications. Optionally, the medium access control (MAC) protocol in a mesh router is enhanced with better scalability in a multi-hop mesh environment [17].

Fig.1 WMNs Infrastructure Architecture

3.2. Traffic Classification in Wireless Mesh Network

Different from other ad hoc networks, most applications of WMNs are broadband services with various QoS requirements. Thus, in addition to end-to-end transmission delay and fairness, more performance metrics, such as delay jitter, aggregate and per-node throughput, and packet loss ratios, must be considered by communication protocols. Traffic classification of wireless mesh network should take into account the factors of packet loss ratio and connection loss ratio.

Until recently, most published works about online traffic classification have relied on features of the initial sub-flow. Those works assume the initial sub-flow is captured and available for traffic classification. However, this assumption does not hold in a wireless mesh network because of seamless mobility. When a communicating node moves and changes its point of attachment, those classifiers begin to capture the packets composing a flow at a point in time when the flow is already in progress. Consequently those classifiers cannot capture the initial sub-flow. A desirable classifier should thus be capable of traffic classification based on not only the initial sub-flow but also various types of sub-flow.

4. Online Wireless Mesh Network Traffic Classification using Machine Learning

4.1. Sub-flow Selection

Internet traffic classification schemes operate on the notion of network flows. A flow is defined as a series of packet exchanges between two hosts, identifiable by the 5-tuple (source address, source port, destination address, destination port, transport protocol), with flow termination determined by an assumed timeout or by distinct flow termination semantics. For each flow, network monitors can record statistics such as duration, bytes transferred, mean packet interarrival time, and mean packet size. A sub-flow is N consecutive packets taken from a flow. An initial sub-flow is the initial N consecutive packets from the point where communication is established.
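
The flow and sub-flow definitions above map directly onto a feature extractor. The Python below is an added example, not code from the paper: the packet record layout, the 60-second idle timeout and all function names are assumptions, and the sample packets are constructed. The `start` offset stands in for the point at which a monitor begins to see a flow; how the paper picks that point from application behaviors is not implemented here.

```python
from statistics import mean

FLOW_TIMEOUT = 60.0  # assumed idle timeout in seconds; the paper gives no value

def flow_key(pkt):
    """Direction-independent 5-tuple, so both directions land in one flow."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (min(a, b), max(a, b), pkt["proto"])

def split_flows(packets, timeout=FLOW_TIMEOUT):
    """Group packets into flows; an idle gap above timeout starts a new flow."""
    flows, current, last_seen = [], {}, {}
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        key = flow_key(pkt)
        if key not in current or pkt["ts"] - last_seen[key] > timeout:
            current[key] = len(flows)
            flows.append([])
        flows[current[key]].append(pkt)
        last_seen[key] = pkt["ts"]
    return flows

def subflow_features(flow, n, start=0):
    """Statistics over n consecutive packets of a flow, beginning at index start.

    start=0 is the initial sub-flow. start>0 is what a monitor sees when it
    begins capturing a flow that is already in progress, e.g. after a mesh
    client has moved. Returns None if fewer than n packets are available.
    """
    window = flow[start:start + n]
    if len(window) < n:
        return None
    sizes = [p["size"] for p in window]
    gaps = [b["ts"] - a["ts"] for a, b in zip(window, window[1:])]
    return {
        "duration": window[-1]["ts"] - window[0]["ts"],
        "bytes": sum(sizes),
        "mean_size": mean(sizes),
        "mean_iat": mean(gaps) if gaps else 0.0,
    }

def all_subflows(flow, n):
    """Feature vectors for every n-packet sub-flow, one per start offset."""
    return [subflow_features(flow, n, s) for s in range(len(flow) - n + 1)]

def _pkt(ts, src, sport, dst, dport, size, proto="tcp"):
    return {"ts": ts, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "proto": proto, "size": size}

# Constructed sample capture (documentation address ranges, made-up sizes).
A, B = "192.0.2.10", "198.51.100.20"
SAMPLE = [
    _pkt(0.0, A, 40000, B, 80, 60),
    _pkt(0.5, B, 80, A, 40000, 60),
    _pkt(1.0, A, 40000, B, 80, 400),
    _pkt(1.5, B, 80, A, 40000, 1500),
    _pkt(2.0, B, 80, A, 40000, 1500),
    _pkt(2.5, A, 40000, B, 80, 52),
    _pkt(100.0, A, 40000, B, 80, 60),   # same 5-tuple after the timeout
    _pkt(1.25, "192.0.2.30", 5353, "192.0.2.40", 53, 80, proto="udp"),
]

if __name__ == "__main__":
    flows = split_flows(SAMPLE)
    print("initial sub-flow :", subflow_features(flows[0], 4))
    print("mid-flow sub-flow:", subflow_features(flows[0], 4, start=2))
```

The same four-packet window gives different byte counts and mean sizes at offset 0 and offset 2, which is why a classifier trained only on initial sub-flows misjudges flows first seen in progress.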

The applications provide users with various types of service. We define these events of each application as application behaviors that are expressible as a finite state machine. Each application starts from an initial behavior and accepts various events as instructions changing behaviors. Whenever the application accepts an event, it changes to the next behavior and executes actions associated with the behavior. We assume that a sub-flow taken from the transition point of the application behavior is effective for achieving the desirable classifier. The rationale behind the feasibility of the classifier is the following. A sub-flow is N consecutive packets taken from a full flow; therefore, two or more sub-flows can be taken from a flow. The sub-flow features have the ability to distinguish each application, because the sub-flow contains a sequence of exchanged control packets that are pre-defined messages in each application. We devise a classifier that adds the function of sub-flow selection with application behaviors.

4.2. Machine Learning Algorithm

Machine learning is prevailing in traffic classification because it is independent of port and payload information. There are several different machine learning algorithms, such as C4.5, Support Vector Machine (SVM), Naive Bayesian and Random Forest. In order to identify wireless mesh network traffic, we choose C4.5, which has a high TP rate and low FP [18]. C4.5 is a decision tree based identification algorithm. A decision tree is a hierarchical data structure for implementing a divide-and-conquer strategy. It is an efficient non-parametric method that can be used both for identification and regression. In non-parametric models, the input space is divided into local regions defined by a distance metric. In a decision tree, the local region is identified in a sequence of recursive splits in a smaller number of steps. A decision tree is composed of internal decision nodes and terminal leaves. Each node m implements a test function with discrete outcomes labeling the branches. This process starts at the root and is repeated until a leaf node is hit. The value of a leaf constitutes the output.

4.3. Online Wireless Mesh Network Traffic Classification Architecture

Classifiers based on machine learning use a training dataset that consists of N tuples $(x_i, y_i)$ and learn a mapping $f(x) \to y$. In the traffic classification context, examples of attributes include flow statistics such as duration and total number of packets. In our supervised Internet traffic classification system, let $X = \{x_1, x_2, \ldots, x_n\}$ be a set of flows. A flow instance $x_i$ is characterized by a vector of attribute values, $x_i = \{x_{ij} \mid 1 \le j \le m\}$, where $m$ is the number of attributes, and $x_{ij}$ is the value of the $j$-th attribute of the $i$-th flow. Also, let $Y = \{y_1, y_2, \ldots, y_q\}$ be the set of traffic classes, where $q$ is the number of classes of interest. The $y_i$ can be classes such as P2P, WWW, and FTP.

Fig.2 Architecture of Online Wireless Mesh Network Traffic Classification using Machine Learning

As illustrated in Figure 2, the architecture of online wireless mesh network traffic classification using machine learning includes two portions: off-line ML modeling and on-line ML classification. In the stage of off-line ML modeling, the traffic trace should be labeled to different applications using L7-Filter or a hand-classification method. Training subsets are uniformly sampled for the specific ML classification. Once the datasets are ready, the system carries out feature selection to eliminate the redundant and irrelevant features to get the optimal feature subset. In the stage of online ML classification, the flows, which can be collected in real time, are trained using the selected ML classifier. Flow statistics are computed in terms of each selected feature and stored in the corresponding database in the flow preprocessing module. The sub-flow selection module implements sub-flow selection. The output classifier model produced by off-line ML modeling is applied to classify the captured traffic. Eventually, the classification output is applied to network activities such as network surveillance and QoS.

5. Experimental Results and Analysis

5.1. Empirical Traces

This subsection describes the empirical traces in our work. We construct a pint-sized wireless mesh network in Nanjing University of Posts and Telecommunications. To facilitate our work, we collect traces on the campus and residential area. The Campus_Set was collected from 9 am to 10 am on June 28, 2009. The Residential_Set was collected from 6 pm to 7 pm on June 28, 2009. To simplify the presentation, we group the applications by category. For example, the P2P category includes all identified P2P traffic from protocols including PPlive, PPstream, BitTorrent, Gnutella, Xunlei and KaZaA. Table 1 summarizes the applications found in the Campus traces and Residential traces.

Table 1 Statistics of Empirical Traces

| Type of Flow | Application Names | Campus_Set: Num of flow | Campus_Set: Percent (%) | Residential_Set: Num of flow | Residential_Set: Percent (%) |
|---|---|---|---|---|---|
| WWW | http, https | 46384 | 48.77 | 23215 | 21.04 |
| MAIL | imap, pop3, smtp | 9326 | 9.81 | 3827 | 3.47 |
| BULK | ftp | 13729 | 14.44 | 16308 | 14.75 |
| DATABASE | oracle, mysql | 5462 | 5.74 | 2103 | 1.91 |
| SERVER | ident, ntp, x11, dns | 2099 | 2.21 | 962 | 0.87 |
| P2P | kazaa, bittorrent | 13753 | 14.46 | 37917 | 34.36 |
| MEDIA | real, media player | 4301 | 4.52 | 18342 | 16.64 |
| GAME | half-life | 46 | 0.05 | 7681 | 6.96 |
| Total | 32 applications | 95100 | 100 | 110355 | 100 |

Prior to the ML modeling, feature selection can be executed off-line. Feature selection is an important step to machine learning which is the process of choosing a subset of original features. It can optimize for higher learning accuracy with lower computational complexity by removing irrelevant and redundant features. In order to find the best feature subset for traffic classification, we use the Sequential Forward Selection (SFS) method in the paper.
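
Sequential Forward Selection is a greedy wrapper: starting from an empty set, it adds the one feature that most improves the classifier's score and stops when no remaining feature helps. The Python below is an added example, not the paper's code. It scores subsets with leave-one-out 1-nearest-neighbour accuracy instead of C4.5 to stay short, and the feature names and the eight flows are constructed.

```python
# Constructed sample: (mean_pkt_size, mean_iat, noise) per flow, scaled to 0-100.
FEATURES = ["mean_pkt_size", "mean_iat", "noise"]
FLOWS = [
    ((10, 55, 10), "WWW"), ((20, 75, 30), "WWW"),
    ((30, 10, 50), "WWW"), ((60, 5, 70), "WWW"),
    ((90, 50, 20), "P2P"), ((80, 80, 40), "P2P"),
    ((72, 90, 60), "P2P"), ((50, 95, 80), "P2P"),
]

def loo_accuracy(flows, cols):
    """Leave-one-out accuracy of a 1-NN classifier restricted to columns cols.

    1-NN is a stand-in evaluator (assumption); the paper wraps C4.5.
    """
    def dist(a, b):
        return sum((a[c] - b[c]) ** 2 for c in cols)

    hits = 0
    for i, (x, label) in enumerate(flows):
        others = [f for j, f in enumerate(flows) if j != i]
        nearest = min(others, key=lambda f: dist(x, f[0]))
        hits += nearest[1] == label
    return hits / len(flows)

def sequential_forward_selection(flows, names, score=loo_accuracy):
    """Greedy SFS: add the best single feature per round, stop when none improves."""
    selected, best, history = [], 0.0, []
    remaining = list(range(len(names)))
    while remaining:
        round_best, round_col = best, None
        for col in remaining:
            s = score(flows, selected + [col])
            if s > round_best:          # strict: ties keep the smaller subset
                round_best, round_col = s, col
        if round_col is None:           # no candidate improved the score
            break
        selected.append(round_col)
        remaining.remove(round_col)
        best = round_best
        history.append((names[round_col], best))
    return [names[c] for c in selected], history

if __name__ == "__main__":
    chosen, steps = sequential_forward_selection(FLOWS, FEATURES)
    for name, acc in steps:
        print(f"added {name:14s} accuracy now {acc:.2f}")
    print("selected subset:", chosen)
```

On this data, mean packet size alone misclassifies the two flows whose sizes overlap, adding mean inter-arrival time separates them, and the noise column is never selected.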

5.2. Evaluation Metrics

To measure the performance of our proposed method, we use three metrics: accuracy, precision and recall.

$$\text{accuracy} = \frac{\sum_{i=1}^{n} TP_i}{\sum_{i=1}^{n} TP_i + \sum_{i=1}^{n} FP_i} \times 100\% \qquad (1)$$

Accuracy is the ratio of the sum of all True Positives to the sum of all the True Positives and False Positives for all classes. We apply this metric to measure the accuracy of a classifier on the whole trace set. The latter two metrics evaluate the quality of classification results for each application class.

$$\text{precision} = \frac{TP}{TP + FP} \times 100\% \qquad (2)$$

Precision of an algorithm is the ratio of True Positives over the sum of True Positives and False Positives, or the percentage of flows that are properly attributed to a given application by this algorithm.

$$\text{recall} = \frac{TP}{TP + FN} \times 100\% \qquad (3)$$

Recall is the ratio of True Positives over the sum of True Positives and False Negatives, or the percentage of flows in an application class that are correctly identified.

5.3. Comparing Performance among Different Technology

We compare the classification accuracy of online wireless mesh network traffic classification using machine learning with the other classification approaches based solely on the port-based approach and the payload-based approach. For our experiments, we classify network traffic using flows from Campus_Set.

Table 2 Classification Performance among Different Traffic Classification Method

| Type of Flow | Port-based Recall | Port-based Precision | Payload-based Recall | Payload-based Precision | ML-based Recall | ML-based Precision |
|---|---|---|---|---|---|---|
| WWW | 70.09 | 71.97 | 76.88 | 77.26 | 87.98 | 91.77 |
| MAIL | 69.25 | 68.64 | 76.04 | 73.22 | 87.13 | 87.65 |
| BULK | 64.94 | 61.15 | 68.22 | 65.92 | 79.37 | 80.43 |
| DATABASE | 67.13 | 65.57 | 70.28 | 69.49 | 83.26 | 83.95 |
| SERVER | 67.36 | 64.62 | 72.97 | 70.31 | 84.04 | 84.91 |
| P2P | 59.89 | 57.25 | 69.05 | 64.77 | 80.15 | 79.39 |
| MEDIA | 70.41 | 62.08 | 73.81 | 66.53 | 84.93 | 83.04 |
| GAME | 58.54 | 54.23 | 67.43 | 62.15 | 78.53 | 76.65 |

Accuracy is a critical requirement of traffic classification that can be measured in terms of recall and precision, both of which are important. As illustrated in Table 2, the classification precision of port-based methods is 71.97% and 57.27% for WWW and P2P applications respectively. At the same time, the precision of payload-based classification, which extracts payload signatures to identify specific protocols, is 77.26% and 64.79% for WWW and P2P applications respectively. In addition, the machine learning method using C4.5 that we choose to classify network traffic has 91.77% and 79.39% for WWW and P2P applications respectively. Compared with the other classification approaches, the method proposed in the paper can achieve higher overall recall and precision. For a range of network applications, online wireless mesh network traffic classification based on machine learning can meet the key requirement of high accuracy.

5.4. Impact of Number of Packets for Statistics on Classification Accuracy

A fundamental challenge in the design of online wireless mesh network traffic classification is to classify a flow as soon as possible. Unlike offline classification, where all flow statistics are available a priori, we only have partial information on the flow statistics in the real-time context. In order to classify the network applications associated with a flow as early as possible, we follow the idea presented in Bernaille et al. [10] and conduct experiments to determine the appropriate packet number p. The statistics information of several packets in each flow could distinguish network traffic from Internet traffic accurately with the least p. For our experiments, we classify network traffic using flows from Campus_Set and Residential_Set respectively.

Fig.3 Impact of Number of Packets for Statistics on Classification Accuracy

The experimental result shown in Figure 3 indicates that this method could achieve better accuracy when we choose 11 packets for statistics. It is noticeable that the statistics of the first 11 packets could classify traffic with high accuracy in Campus_Set and Residential_Set. At the same time, the classification accuracy improves only marginally using more than 11 packets. Considering our goal to classify wireless mesh network traffic as fast as possible with high accuracy, we choose 11 packets for flow feature statistics.

6. Conclusion

Wireless mesh networks (WMNs) are communications networks made up of radio nodes organized in a mesh topology.
Wreless mesh networks traffc, beng aggregated from a large number of end users, changes nfrequently. It causes the most challengng problem n network traffc classfcaton. In ths paper, we propose onlne wreless mesh network traffc classfcaton usng machne learnng. We show that our method can acheve hgh classfcaton accuracy. Ths method s also sutable for onlne network traffc classfcaton. Our expermental results so far are promsng for ths research drecton n wreless mesh
C. Gu et al. /Journal of Computatonal Informaton Systems 7:5 (2011) 1524-1532 1532 network, and several opportuntes exst for future work. Supervsed machne learnng method s the requrement on a large number of labeled tranng samples. We can propose sem-supervsed classfcaton method to solve ths ssue for wreless mesh network traffc classfcaton. Acknowledgement Ths work s supported by Natonal Hgh-Tech Research and Development Plan (863) of Chna (No.2009AA01Z212, No.2009AA01Z202), Natural Scence Foundaton of Chna (No.61003237), Natural Scence Foundaton of Jangsu Provnce (No.BK2007603), Hgh-Tech Research Plan of Jangsu Provnce (No.BG2007045). References [1] B.Marco, Mella, Antono Pescape and LucaSalgarell, Traffc classfcaton and ts applcatons to modern networks, Computer Networks, 53(6):759-76, 2009. [2] Soysal, Murat,Schmdt, Ece Guran.Machne learnng algorthms for accurate flow-based network traffc classfcaton: Evaluaton and comparson. Performance Evaluaton, 67(6):451-467, 2010. [3] Karaganns T, Rodo A, Aloutsos M, Laffy K. Transport layer dentfcaton of P2P traffc. Proceedngs of the 2004 ACM SIGCOMM Internet Measurement Conference, pages 121 134, 2004. [4] Haffner P, Sen S, Spatscheck O, Wang D. ACAS: Automated Constructon of Applcaton Sgnatures. ACM SIGCOMM 05 Workshops, pages 197 202, 2005. [5] Moore AW, Papagannak K. Toward the accurate dentfcaton of network applcatons. Passve and Actve Measurement Workshop, pages 41 54, 2005. [6] Akyldz Ian F, Wang Xudong, Wang Weln.Wreless mesh networks: A survey. Computer Networks, 47(4):445-487, 2005. [7] Zeng Guoka, Wang Bo, Dng Yong, Xao L. Effcent multcast algorthms for multchannel wreless mesh networks. IEEE Transactons on Parallel and Dstrbuted Systems, 21(1):86-99, 2010. [8] J.Erman, A.Mahant, M.Arltt, I.Cohen, and C.Wllamson. Offlne/realtme traffc classfcaton usng sem-supervsed learnng. Techncal report, Unversty of Calgary, 2007. [9] J.Erman, M. Arltt, and A. Mahant. 
Traffc classfcaton usng clusterng algorthms.proceedngs of SIGCOMM workshop on Mnng network data, pages 281-286, 2006. [10] Bernalle L, Teuxera R, Akodkenous I, Soule A, Slamatan K. Traffc classfcaton on the fly. ACM SIGCOMM Computer Communcaton Revew 36: 23 26, 2006. [11] A.W. Moore and D. Zuev. Internet traffc classfcaton usng bayesan analyss technques. Proceedngs of ACM SIGMETRICS nternatonal conference on Measurement and modelng of computer systems, pages 50-60, 2005. [12] N.Wllams, S. Zander, and G. Armtage. A prelmnary performance comparson of fve machne learnng algorthms for practcal p traffc flow classfcaton. ACM SIGCOMM Computer Communcaton Revew, 30(5):5-16, 2006. [13] T.Auld, A.W.Moore, and S.F. Gull. Bayesan neural networks for nternet traffc classfcaton. IEEE Transacton on Neural Network, 18(1):223-239, 2007. [14] L Bo,Zhang Qan, Lu Jangchuan and Wang, Chonggang. Advances n wreless mesh networks. Moble Networks and Applcatons, 13(1):1-5, 2008. [15] Bejerano Ygal, Han Seung-Jae, Kumar Amt. Effcent load-balancng routng for wreless mesh networks Computer Networks, 51(10):2450-2466, 2007. [16] Yanchao Zhang, Yuguang Fang. A secure authentcaton and bllng archtecture for wreless mesh networks. Wreless Networks. 13( 5):663-678, 2007. [17] Ian Akyldz, Xudong Wang. Cross-layer desgn n wreless mesh networks. IEEE Transacton on Vehcular Technology. 57(2):1061-1076, 2007. [18] Yongl Ma, Zongjue Qan, Guochu Shou, Yhong, Hu. Study of nformaton network traffc dentfcaton based on C4.5 algorthm. Internatonal Conference on Wreless Communcatons, Networkng and Moble Computng, 2008.