Classification of HTTP traffic based on C5.

0
Machine Learning Algorithm
Tomasz Bujlow, Tahir Riaz, Jens Myrup Pedersen
Section for Networking and Security, Department of Electronic Systems
Aalborg University, DK-9220 Aalborg East, Denmark
{tbu, tahir, jens}@es.aau.dk

Abstract—Our previous work demonstrated the possibility of system sockets), and the centralized solution was assessed to
distinguishing several kinds of applications with accuracy of be 99.3–99.9 % accurate, due to the C5.0 classification error,
over 99 %. Today, most of the traffic is generated by web when classifying 7 different applications [3].
browsers, which provide different kinds of services based on
the HTTP protocol: web browsing, file downloads, audio and In previous papers, we assumed that one application carries
voice streaming through third-party plugins, etc. This paper only one type of traffic and, for this reason, we took into
suggests and evaluates two approaches to distinguish various account only applications fulfilling this criterion. However,
HTTP content: distributed among volunteers’ machines and the data collected by VBS showed that nowadays majority
centralized running in the core of the network. We also assess of traffic is generated by HTTP-based applications as web
accuracy of the global classifier for both HTTP and non-HTTP
traffic. We achieved accuracy of 94 %, which supposed to be browsers. Until now, we were treating this kind of traffic
even higher in real-life usage. Finally, we provided graphical as a general web traffic class, which in effect consisted of
characteristics of different kinds of HTTP traffic. interactive traffic (web pages), audio and video streams, and
Index Terms—traffic classification, computer networks, HTTP big file downloads. All the kinds of content have different
traffic, browser traffic, C5.0, Machine Learning Algorithms characteristics and QoS requirements [5], and therefore, they
(MLAs), performance monitoring
need to be distinguished and processed in a different way.
The measured characteristics of different content types found
I. I NTRODUCTION
within HTTP flows are shown at the end of this paper. All these
The assessment of Quality of Service (QoS) in computer factors lead to the conclusion that during QoS assessment, we
networks is a challenging task because different kinds of are interested in the type of the traffic, not in the application
applications (voice, video, file download) have different which it generates. In this paper we present and evaluate a
requirements. Therefore, to estimate the performance, we need method for recognizing different kinds of HTTP traffic.
to know what type of data flow is currently being assessed. Other methods for HTTP traffic classification are shown in
There are many methods for distinguishing computer network [6] and [7]. In [6], the authors propose to use the size of
traffic, including the classification by ports, Deep Packet the flow and the number of flows associated with the same
Inspection (DPI), or statistical classification [1]. We compared IP address to determine character of the traffic by 3 different
them in [2] and we assessed that these methods are not MLAs. Unfortunately, this approach requires to have the traffic
sufficient for the real-time identification of HTTP traffic. collected in advance, and in consequence, it is not suitable
We had two possible approaches to the classification of data for the real-time classification needed for QoS assessment
in the high-speed computer network infrastructure: centralized purposes. The method described in [7] is based on keyword
and distributed. We implemented the distributed approach matching, flow statistics and a self-developed algorithm. This
as the Volunteer-Based System (VBS) and presented in approach also does not fulfill our needs because it requires
[2]. It involves collecting data by VBS clients installed on processing whole flows: first to match the signature, then to
users’ computers together with a name of the corresponding extract statistics, such as number of packets contained by the
application. The necessary statistical parameters are calculated flow. As opposite, our centralized solution is able to classify
on the client side and sent to the database located on the the data based on 35 packets from any point of a flow. As a
VBS server. We designed the centralized solution as a flow- consequence, we can monitor flows very quickly.
examining-application installed in the central point of the The remainder of this paper not only gives an overview of
network. All the flows passing through that point are captured our solutions for the distributed and centralized classification
and assigned to a particular application class by the C5.0 of network traffic and our methods for providing precise input
Machine Learning Algorithm (MLA) [3]. As training data we data, but also describes the results and finally shows different
used the data collected by our VBS. The proposed design of a traffic profiles. We assessed the accuracy of the classification
solution for estimating QoS using both these approaches and when using different algorithm parameters. The data used in
combining passive and active measurements was described in our experiments originate from 5 private machines running
[4]. The accuracy of the distributed solution is approaching in Denmark and in Poland as well as 18 machines installed
100 % (as it uses the application names taken directly from in computer classrooms in Gimnazjum nr 3 z Oddziałami

978-1-4673-2713-8/12/$31.00 ©2012 IEEE 000882

 Figure 1. Overview of the method for obtaining the training data

Integracyjnymi i Dwuj˛ezycznymi imienia Karola Wojtyły w with information about a chosen method of classification. As
Mysłowicach, a high school in Poland. shown, most services can be classified accurately by HTTP
content type. Unfortunately, in some cases, we are not able
II. T HE CENTRALIZED CLASSIFICATION METHOD
to distinguish HTTP audio from HTTP video streams (as
We designed the centralized solution to be implemented in shown in the case of application/x-mms-framed content type,
the core of the network. 35-packet long snippets from the used both for streamed audio and video content). However,
selected flows are inspected by the statistics generator, which streamed multimedia content is often played by plugins which
calculates the values of the relevant parameters. Based on use the Real-Time Messaging Protocol (RTMP) instead of
the calculated statistics, the C5.0 MLA is able to predict the HTTP, so the content can be separated using plugin names
traffic class of the flow. The first and the most important issue (such as plugin-container) and RTMP remote port (1935).
in our solution was how to train the classifier properly. As The other problem is that we cannot distinguish streamed
a consequence, we designed and implemented an algorithm multimedia content from multimedia files embedded on
which uses pre-classified browser traffic to generate training websites, such as YouTube, because they use the same content
cases for different classes of traffic. The description of the type, for example, audio/mpeg. Moreover, the traffic generated
algorithm is based on Figure 1. by multimedia files downloaded through web browsers appear
Browser traffic can be classified based on two different like a regular multimedia transmission.
approaches: by using HTTP headers, or application names and
additional flow conditions like ports. Table I contains examples As the first step, we need to decide if we are dealing with
of different services provided by Firefox web browser, together HTTP-based flow or another kind of transport-layer flow. For

978-1-4673-2713-8/12/$31.00 ©2012 IEEE 000883

 Table I
E XAMPLES OF DIFFERENT SERVICES PROVIDED BY WEB BROWSERS

Media Location App. name Content type Classification

Internet radio
The Voice http://www.thevoice.dk/popup/popup.php?tab=radio firefox audio/mpeg By content type
NOVAfm http://www.novafm.dk/popup/popup.php?tab=radio firefox audio/mpeg By content type
Radio 3 http://www.radio3.dk/sites/all/modules/netplayer/player.php plugin-container Impossible
RMF FM http://www.rmfon.pl/play,5 plugin-container audio/aacp By content type
ESKA http://www.eska.pl/player?streamId=101 firefox audio/mpeg By content type
CNN radio http://radioradio7.com/radio/CNN.html totem-plugin- application/x-mms-framed By content type
Embedded audio
Wrzuta.pl http://www.wrzuta.pl firefox audio/mpeg By content type
Video on Demand
Youtube http://www.youtube.com/ firefox video/x-flv By content type
Ipla http://www.ipla.pl iplalite video/x-flv By content type
Onet Video News http://www.onet.pl firefox video/x-flv By content type
CNN Video News http://edition.cnn.com/video/ firefox video/x-flv By content type
Wrzuta.pl http://www.wrzuta.pl firefox video/mp4 By content type
Internet TV
Justin.tv http://www.justin.tv/ plugin-container By app name and remote port 1935
Al-Jazeera http://www.aljazeera.com/watch_now/ plugin-container By app name and remote port 1935
PDR http://www.pdr.pl totem-plugin- application/x-mms-framed By content type
File download
File 1 http://download.oracle.com/otn-pub/java/jdk/7u1-b08/ firefox application/x-compress By content type
jdk-7u1-solaris-sparc.tar.Z
File 2 http://www.skatnet.dk/test/testfile.avi firefox video/x-msvideo False classification as video

this purpose, we examine each packet in the flow and check if name to traffic class assignment list. If we cannot find any
the HTTP header exists. If yes, we look for the content-type match, the flow is discarded as well. As it is written in [2],
field. If we can obtain the information, the preferred way of around the first 10 and the last 5 packets of each flow have
processing is always to handle the flow as a HTTP-based flow, different characteristics of size parameters than other packets.
as it allows to recognize different kinds of flows generated by As a result, these packets are cut out of the flow. Next, the
one application. Short flows (below 200 packets in the case flow is split into 35-packet subflows, which are provided to
of regular flows, and below 35 packets in the case of HTTP- the statistics generator. The generated statistics are given as
based flows) are discarded because they are useless from the the input to the C5.0 classifier as training or test data. It was
QoS measurement point of view. shown in [2] that a further increasing number of packets in
the subflow does not improve significantly the accuracy of
A. Regular transport-layer flows the classifier. Using the reasonably smallest number of flows
allows to perform faster traffic classification and saves system
Regular flows are processed based on the application
resources, what allows to process more flows at a time.
name to traffic class assignment list. Most applications
are specialized to handle specific types of traffic (voice
B. HTTP-based transport-layer flows
conversations for Skype, file transfer for FTP clients,
or interactive traffic for games), but they also generate Dealing with HTTP-based flows is more complex, as one
background traffic. For example, Skype shares a distributed transport-layer flow can contain multiple HTTP flows, which
users’ directory, free file transfer clients tend to download can carry various kinds of content: text files, images, audio
advertisements to display on the screen when doing their job, and video data. For this reason, we split the transport-layer
and games have control connections to the main server. These flow into separate HTTP flows, which are mapped to a traffic
flows, acting as noise, are usually quite short. To eliminate class based on the content-type field in the HTTP header. We
their impact, we decided to discard all flows shorter than found that the content-type field in the HTTP header is present
200 packets. If there is no application name assigned to the in and only in the first inbound packet of a new logical HTTP
flow, the flow is discarded. Flows associated with HTTP-based flow. If mapping does not exist, the HTTP flow is discarded.
applications (like web browsers) are discarded as well, because We decided to specify the following traffic classes: audio,
they are not recognized as HTTP flows and their type is file, multimedia, video and web. The multimedia class was
unknown. Then the flows are checked against the application assigned to traffic with content-types, which could carry audio

978-1-4673-2713-8/12/$31.00 ©2012 IEEE 000884

 Table II
as well as video. The file class was assigned to big file M APPING APPLICATION NAMES TO TRAFFIC CLASSES
downloads, and the web class to traffic produced by interactive
web browsing. It was very hard to define what the interactive Name Requirement Class
web browsing is, but we decided to create this class as amule p2p
characteristics of transport-layer flows carrying multiple small dropbox file
files like HTML documents, web images and stylesheets are filezilla file
different than characteristics of downloads of big files. It can http file
be even more complicated because small few-second videos java file
and animations on websites behave more like the interactive libgcflashplay remote_port = 1935 video
traffic than the real video traffic. On the other hand, big plugin-container remote_port = 1935 video
images embedded on the website behave like file downloads. skype protocol_name = ’UDP’ audio
Therefore, we decided to consider all the small (below M
ssh ssh
Bytes) HTTP flows as web interactive traffic, and all the big
steam file
web flows (above N Bytes) as file download traffic. Values
utorrent p2p
for M and N are intended to be chosen experimentally. All
wget file
the interactive HTTP web flows within the transport-layer flow
were merged together into one big web flow. It makes no sense
to calculate statistics for each small web element (HTML file,
images, etc) separately, because they are visible across the packet in the Packets table. This way, we are able to keep track
network as one interactive flow, so they must be processed of the content types in one place and save space in the Packets
holistically to assure the proper assessment of the QoS level. table. Due to obtaining all the relevant information directly
from the client machines, VBS fulfills two roles. First, it is
The HTTP multimedia content must be re-classified as either
an independent distributed solution able to classify network
the audio or the video streams, because they have different
traffic in a real-time from the machine where it is installed.
characteristics and requirements. We use the application
Second, it delivers data for training the C5.0, which is used
names to traffic class assignment list to see if the application
in the centralized classification approach. We must admit that
assigned to that flow is purely audio or video oriented. If
turning on the HTTP content-type packet inspection did not
not, the flow is discarded. Flows shorter than 35 packets
increase the CPU usage in a measurable way, so there was no
are dropped to ensure compatibility with processing regular
need to implement any optimization methods (like processing
transport-layer flows. Finally, the flow is split into 35-packets
only a part of flows, inspecting only a a part of packets in the
subflows, which are provided to the statistics generator. The
flow, and so on).
generated statistics are the input given to the C5.0 classifier
as the training or the test data. B. The application name to traffic class assignment list
III. T HE DATA SOURCES Obtaining mappings between application names and traffic
classes is quite straightforward and it was done in the way
The algorithm of obtaining the training data uses three
described below. The results for our case are shown in Table II.
external sources: a set of physical flows, the application name
• extract all the application names, from the Flows table in
to traffic class assignment list and the content type to traffic
class assignment list. The origin of the mentioned data sources the database, which are associated with flows containing
is described below. at least 5000 packets in total. This limitation was made
to prevent including in the listing applications which
A. The transport-layer flows generated only small amount of data, because they are
The transport-layer flows are obtained by our Volunteer- not sufficiently representative
• change all the names to lowercase and trim the
Based System (VBS), whose architecture and implementation
was described in [2]. We implemented several major changes whitespace from both ends. Then write the list to a
to the system since it was published in order to make it capable Comma Separated Values (CSV) file
• manually assign a traffic class to all the rows in the file.
to process HTTP content types information.
First, we used the JNetPcap library to detect the HTTP Add a condition, as a part of SQL statement, if needed
header in each packet of the flow and, in case of presence, (for example by restricting the transport layer protocol to
to extract the content-type field. The field is always present in UDP or to include only flows matching particular ports).
the first incoming packet of the logical HTTP flow inside the Some of the applications can generate also background
transport-layer flow. Obtaining this information allows us not traffic which must be cut off (like Skype, which beside
only to detect the class of the traffic but also to separate logical the main voice UDP flow generates numerous TCP
HTTP flows within one transport-layer flow. The extracted connections to other clients to exchange the distributed
content types are associated with particular packets and sent users’ directory). If the application is unknown or it can
to the server where they are stored in a separate ContentTypes handle different kinds of traffic which cannot be separated
table, and the corresponding foreign keys are stored for each by a SQL statement, it should be deleted from the list.

978-1-4673-2713-8/12/$31.00 ©2012 IEEE 000885

 Table III Table IV
M APPING CONTENT TYPES TO TRAFFIC CLASSES C LASSIFICATION ERROR RATE [%] FOR DIFFERENT VALUES OF M AND N

Class Content type N=0 N=100 N=200 N=300 N=500 N=1000

audio audio/aac, audio/aacp, audio/mpeg, audio/x-mpegurl, audio/x-pn- M=0 17.9
realaudio-plugin, audio/x-scpls M=30 17.3 17.2 17.2 17.2 17.2
file application/binary, application/force-download, application/octet- M=60 17.1 17.2 17.2 17.2 17.2
stream, application/octetstream, application/pdf, application/rar,
application/x-bzip2, application/x-compress, application/x-debian- M=100 17.1 17.3 17.2 17.2 17.3
package, application/x-gzip, application/x-msdos-program, application/x-
M=150 17.3 17.3 17.3 17.3
msdownload, application/x-redhat-package-manager, application/x-tar,
application/x-xpinstall, application/x-zip-compressed, application/zip, M=300 17.2 17.2 17.2
binary/octet-stream
M=500 17.3 17.2
multimedia application/x-mms-framed, application/ogg
video application/x-fcs, flv-application/octet-stream, video/mp4, video/ogg,
video/webm, video/x-flv, video/x-m4v, video/x-ms-asf, video/x-msvideo
web application/atom+xml, application/gif, application/java- a normal decision-tree based classification for two cases: for
archive, application/javascript, application/js, application/json,
application/ocsp-request, application/ocsp-response, HTTP traffic only, and for the whole traffic. In the first case,
application/opensearchdescription+xml, application/pkix-crl, we tried to estimate optimal values for the parameters M and N
application/rdf+xml, application/rss+xml, application/smil,
application/soap+xml, application/x-amf, application/x-director, in the algorithm, so we made several tries with various values
application/x-font, application/x-httpd-cgi, application/x-java, of M and N while observing how it affects the classification
application/x-java-archive, application/x-javasc, application/x-javascri,
application/x-javascrip, application/x-javascript, application/x- error. Both parameters equal to 0 mean that the mechanism of
ns-proxy-autoconfig, application/x-pkcs7-crl, application/x-sdch- switching flows between the web and the file classes is turned
dictionary, application/x-shockwave-flash, application/x-silverlight-app,
application/x-woff, application/x-ww, application/x-www, application/x- off. The matrix of the classification error for HTTP flows while
x509-ca-cert, application/xaml+xml, application/xhtml+xml, using different values of M and N is shown in Table IV.
application/xml, banner/jpg, font/woff, httpd/unix-directory, image/bmp,
image/gif, image/ico, image/jpeg, image/jpg, image/pjpeg, image/png, As shown, the accuracy of the classifier is independent of
image/svg+xml, image/vnd.microsoft.icon, image/x-ico, image/x-icon, the lower and the upper limits (M and N) for the interactive
image/x-ms-bmp, image/x-png, multipart/byteranges, multipart/form-
data, text/css, text/html, text/javascript, text/json, text/plain, text/vdf, web traffic. Moreover, we can turn off the changing-class
text/x-c, text/x-cross-domain-policy, text/x-gwt-rpc, text/x-javascript, mechanism without significant decrease of the accuracy. We
text/x-js, text/x-json, text/x-perl, text/xml
observer this behavior because in order to test the classification
accuracy we use a disjoint set of data obtained in the same
way as the set used for training purposes, so it uses the same
C. The content type to traffic class assignment list values of M and N. It means that the proper values for M
To be able to map the logical HTTP flows to a traffic class, and N should be estimated through observations of the traffic.
we needed to create a mapping table based on the information It ensures that the web class contains as much of the real
contained in the database. This resulted in the assignment list interactive browser traffic as possible, but as the least of the
shown in Table III. The process of obtaining these mappings multimedia and the file transfer traffic.
is described below. The misclassification tables (M=100 and N=300 for the
• extract all the content types from the ContentTypes table HTTP traffic) are shown in Figure 2. For the HTTP traffic we
in the database, changing their names to lowercase and have two major observations. First, we are able to distinguish
trimming the whitespace from both ends the audio and the interactive web traffic among different kinds
• remove from the content type everything beyond the of HTTP traffic. Second, the video traffic and the regular file
type itself, for example, the information about the used transfers seem to be very often confused between themselves
encoding. Then, write the list to a CSV file (while most of them are classified properly). It does not mean
• manually assign a traffic class to all the rows in the file. necessarily that the video and the regular file downloads cannot
If the content type cannot be verified, delete the row. If be distinguished, but that we had numerous errors in both the
the content-type can correspond both to the audio and to training and the test data sets provided to the classifier. During
the video traffic, assign the multimedia class our tests numerous movies were downloaded through the
Unfortunately, relying on mappings between the traffic browser. On account of the content types this traffic appeared
classes and the content types is not always accurate regarding to be the video traffic, while being in fact the regular file
QoS assessment. For example, a movie downloaded from a download. However, it does not make the classification useless.
website through a browser is marked as the video flow. The The classifier learned characteristics of the video traffic mostly
most appropriate action is to mark it as the file download, but based on the correctly recognized flows. It is therefore most
there is no simple way to obtain knowledge about the purpose probable that the downloads of video files were classified
of the traffic beside asking the user what he is currently doing. properly as the regular file downloads, but they were marked
as misclassifications because of errors in the test set.
IV. T HE CLASSIFICATION BY C5.0 During the second part of the experiment we used full data
During the experiment we used the same classification sets containing both the HTTP and the non-HTTP traffic. For
attribute sets (A plus B) as used by us in [3]. We performed the non-HTTP traffic we specified the following traffic classes:

978-1-4673-2713-8/12/$31.00 ©2012 IEEE 000886

 (a) (b) (c) (d) <-classified as
----- ----- ----- -----
46074 187 483 250 (a): class audio
9 180647 48492 2207 (b): class file
31 24869 168716 2680 (c): class video
207 8474 7566 63228 (d): class web
____________________________________________________________________________________

(a) (b) (c) (d) (e) (f) <-classified as

------ ------ ------ ------ ------ ------
62057 416 884 1 1113 244 (a): class audio
39 317093 2641 6 46110 2696 (b): class file
30 1403 1047561 81 39 (c): class p2p
15 1932 7 42 (d): class ssh
42 33437 151 224032 2473 (e): class video
100 9383 123 19 7421 61935 (f): class web

Figure 2. Misclassification table for HTTP (above) and whole traffic (below)

audio, file, p2p, ssh and video. The non-HTTP video streams
Figure 4. Distribution of total payload size in the sample
were played mostly through third-party plugins in the browser,
such as Adobe Flash. The error rate was in this case 6.0 %.
The number of misclassifications between the file and the video HTTP content type information to extract logical HTTP flows
classes decreased (not only in percents, but in some cases also from the transport-layer flows. Later, the traffic classes are
in absolute values). It means that the training process is more assigned based on the particular content type. The centralized
efficient while using the higher number of cases, because it method based on the C5.0 MLA is able to distinguish
causes better classification accuracy. different types of HTTP traffic in the central point of the
V. T HE TRAFFIC PROFILES network. Furthermore, the high classification error rate (17 %)
is possibly caused by numerous mistakes in both the training
Based on the output from the C5.0, we found the most
and the test sets. These mistakes were made by assigning
used classification attributes to distinguish different types of
downloaded movies to the video instead of to the file download
the HTTP traffic. We chose two of them (the number of PSH
class. However, it was discussed that the predicted traffic class
flags for the inbound direction and the total payload size)
is probably correct, but it can be proved only by real-time
to perform the graphical analysis. The distributions of these
observations of what kind of tasks are made by the user.
attributes shown in Figure 3 and in Figure 4 confirm that the
We demonstrated that the classifier did not have problems
audio and the web traffic differ significantly between each
with recognizing interactive voice traffic. The last step of our
other, and from the video traffic and the big file transfers.
experiment was to classify the whole traffic: the HTTP as well
It proves that we can easily catch HTTP-based audio traffic,
as the non-HTTP one. In this case we achieved much lower
which is the most fragile for network performance issues. It
error rate of 6.0 %.
justifies a need for the separate group of interactive web traffic
as well. During this experiment we used M=100 and N=300 R EFERENCES
in the algorithm generating the cases. [1] Jun Li, Shunyi Zhang, Yanqing Lu, Junrong Yan, Real-time P2P Traffic
Identification, IEEE GLOBECOM 2008 PROCEEDINGS, pp. 1–5.
[2] Tomasz Bujlow, Kartheepan Balachandran, Tahir Riaz, Jens Myrup
Pedersen, Volunteer-Based System for classification of traffic in computer
networks, 19th Telecommunications Forum TELFOR 2011, IEEE 2011,
pp. 210–213.
[3] Tomasz Bujlow, Tahir Riaz, Jens Myrup Pedersen, A method for
classification of network traffic based on C5.0 Machine Learning
Algorithm, International Conference on Computing, Networking and
Communications (ICNC 2012), IEEE 2012, pp. 244–248.
[4] Tomasz Bujlow, Tahir Riaz, Jens Myrup Pedersen, A Method for
Assessing Quality of Service in Broadband Networks, Proceedings of the
14th International Conference on Advanced Communication Technology
(ICACT 2012), IEEE 2012, pp. 826–831.
[5] Gerhard Haßlinger, Implications of Traffic Characteristics on Quality of
Service in Broadband Multi Service Networks, Proceedings of the 30th
EUROMICRO Conference (EUROMICRO’04), IEEE Computer Society
2004, pp. 196–204.
[6] Kei Takeshita, Takeshi Kurosawa, Masayuki Tsujino, Motoi Iwashita,
Evaluation of HTTP Video Classification Method Using Flow Group
Figure 3. Distribution of number of PSH flags for the inbound direction Information, 14th International Telecommunications Network Strategy
and Planning Symposium (NETWORKS), IEEE 2010, pp. 1–6.
[7] Samruay Kaoprakhon, Vasaka Visoottiviseth, Classification of Audio
VI. C ONCLUSION and Video Traffic over HTTP Protocol, 9th International Symposium
on Communications and Information Technology (ISCIT 2009), IEEE
This paper presents two novel methods for recognizing 2009, pp. 1534–1539.
different kinds of HTTP traffic in computer networks. The
distributed method implemented among VBS clients uses the

978-1-4673-2713-8/12/$31.00 ©2012 IEEE 000887