Impact of Packet Inter-arrival Time Features for Online Peer-to-Peer (P2P) Classification

Received Apr 12, 2018 Revised Jul 20, 2018 Accepted Jul 26, 2018 Identification of bandwidth-heavy Internet traffic is important for network administrators to throttle high-bandwidth application traffic. Flow features based classification have been previously proposed as promising method to identify Internet traffic based on packet statistical features. The selection of statistical features plays an important role for accurate and timely classification. In this work, we investigate the impact of packet inter-arrival time feature for online P2P classification in terms of accuracy, Kappa statistic and time. Simulations were conducted using available traces from University of Brescia, University of Aalborg and University of Cambridge. Experimental results show that the inclusion of inter-arrival time (IAT) as an online feature increases simulation time and decreases classification accuracy and Kappa statistic. Keyword:


INTRODUCTION
Today, peer-to-peer (P2P) is as an architecture for sharing a wide range of media on the Internet. P2P traffic represents about 27% to 60% of the total Internet traffic, depending on geographic location [1], [2]. The high volume of P2P traffic is due to file sharing, video streaming, on-line gaming and other activities that client-server architecture cannot accomplish as fast or as efficient as the P2P architecture. Rapid progression of P2P traffic volume throughout the years have resulted in deteriorated network performance and congestion due to the high bandwidth consumption of P2P applications [3]. Therefore, traffic identification is required to improve traffic management.
First generation P2P application traffic were relatively easy to be identified due to the use of fixed ports numbers. However, current P2P applications are able to circumvent port-based identification by using anonymous port numbers or port disguise [4], [2]. Besides, methods that rely on inspecting application payload signatures have also been proposed [5]. For privacy and impractical reasons, this method is ineffective. The effectiveness of the port-based and payload-based methods prompted the use of flow statistics as features for traffic identification. These strategies offer flexibility to detect P2P traffic compared to using signature-based and port-based methods.
Several techniques have been proposed over the last two decades that focused on the attainable identification accuracy using several machine learning (ML) algorithms. However, the impact of exploring the effect of distinct sets of statistical features has not been researched in-depth. Work in [6] has reported that feature selection is a vital task to improve the classification and identification performance compared to selection of the classification algorithm. Presently, several feature selection algorithms have been introduced, e.g., [7]- [11]. However, most of the introduced methods do not consider the impact of integrating online features with inter-arrival time (IAT) for online P2P classification. This paper proposes an approach based on analytic methods one-way analysis of variance and incremental traffic classification algorithm. One-way analysis of variance is implemented using KNAME tool and Hoeffding Tree incremental machine learning algorithm is implemented using MOA (Massive Online Analysis) tool in order to investigate the impact of packet IAT feature for online P2P classification.
The remainder of this paper is organized as follows. Section 2 introduces related works including ML concepts, traffic classification and feature selection. Section 3 discusses the methodology to investigate the impact of packet inter-arrival time feature for online P2P classification. The experimental setup, result and discussion are discussed in Section 4. Section 5 presents the conclusion.

RELATED WORK
Machine learning (ML) is apromising technique that has been used for data mining and knowledge discovery [12]. Unsupervised learning strategies basiclly clusters flows with similar parttern behaviour. Supervised learning needs a set of labeled data to train its model in advance for identification and classification of data [12].
Classification using flow features mainly deploys machine learning to perform training and classification. From the extracted flow features, the classifier predicts the class of new flow. This process is called a data mining problem. The first work using this technique was by [13]. Generally, classification can be performed in three steps, extracting the features, selection of feature and generating classifier [14].
Moore et al. [15] has suggested 249 features that can be potentially used in ML traffic identification. However most of these features can only be obtained in an off-line mode. Off-line features such as maximum and minimum bytes in packet only can be obtained with complete flows. Work in [16] employed all 249 features suggested in [15] derived from packet streams consisting of one or more packet headers. Most of these features cannot be extracted online from live traffic for online traffic identification.
Feature selection (FS) is used to select optimal subset features from the input which can efficiently describe the input data while reducing effects from irrelevant or noise features yet still provide good prediction of its class [7], [17]. Traffic identification can be improved with reference to computational performance and accuracy by using the most relevant features [18].
Loo et al. [8] proposed 12 online features without features related time. Monemi et al. [19] has proposed 35 real-time flow features that can be easily extracted from flow records. These flows include number of packets, port address, protocol, overall Transmission Control Protocol (TCP) flags, average volume in byte, volume in byte per packet, flow duration, payload volume in byte, flow duration, average number of packet per second, average volume in byte per second, average payload volume in byte per second, average payload volume in byte per packet, and average time interval. Erman et al. [16] has performed backward greedy search on various datasets and found that the use of time-related features such as duration, IAT and flow throughput are not useful in traffic classification.
Online features techniques have been proposed in [7], [20]. These works used Cambridge datasets and Naive Bayes to evaluate two feature selection algorithms named Bias Coefficient Results (BFS) and Selected Online Feature. These works achieved accuracy of 90.92% and 93.20%, respectively. Besides, the work in [7] has considered IAT as one of the proposed on-line features.
Most researches have focused on online features with IAT as suggested in [7], [11], [19], [21]. However, the impact of packet inter-arrival time feature for online P2P classification still plays an important role for accurate and timely classification.

OVERVIEW OF THE METHODS
Our proposed method to invisticate the impact of packet IAT feature for online P2P classification consist of two main stages, test the signficance of packet IAT feature and investigate the impact of packet IAT feature for online P2P identification with reference to accuracy, kappa statistic and time. The first stage one-way analysis of variance analytics using KNAME tool to test the signficance of IAT. In the second stage, Hoeffding Tree incremental machine learning algorithm is implemented in MOA tool. All stages will be discussed in details in Section 3.1. Figure 1 shows the overview of the proposed method to investigate the impact of packet IAT feature for online P2P classification.  (Knime) is a recent open-source data analytics platform that allows for undertaking complete statistics and data mining analysis. One-way ANOVA is implemented in KNIME benchmark [22]. WEKA workspace tools also is used for classification [23]. One-way ANOVA is the most effective method available for analyzing the more complex data sets [24]. In this work, we computed the Fstatistic using ANOVA. Equations (5) and (1) represents sum of square (SS) in ANOVA. While the sum of squares for Treatment (SST) is given by Equation (2). Sum of squares for Error (SSE) is computed using Equation (3). The Variance between Treatments (MST) is computed by Equation (4). The VarianceWithin Treatments (MSE) is computed using Equation (5). F-statistic is obtained by dividing MST to MSE is given by Equation (6). Using 95% confidence interval for mean difference, ANOVA is calculated as: Then (4) Thus, with ANOVA test null hypothesis , which means that there are no treatment effects. Where bar is the samples mean, is the sample size, is the specified population mean. Massive Online Analysis (MOA) [25]: MOA is a data stream mining suite that was written in Java. Userscan use MOA using Graphic User Interface (GUI) or through command lines. Different from WEKA [23] whichis for batch data mining, MOA specializes on processing and analyzing data streams. The suite includes evaluation tools such as concept drift evaluation, and interleave-test-then-train evaluation. It is also built with a collection of data stream identification techniques such as Naive Bayes, Hoeffding Tree, Bagging and Boosting techniques. In this paper, MOA is used to analyze the impact of integrating online features with IAT for online P2P classification.

EXPERIMENTAL SETUP, RESULTS AND DISCUSSION
This section, presents and dicusses the network traffic datasets used and the evaluation method used to evaluate the impact of integrating online features with inter-arrival time for online P2P classification.

Dataset
Network traces are used to validate the performance of the proposed technique. These datasets are PAM [26], UNIBS [27] and Cambridge [15]. Table 1 summarizes the used datasets, which the description of each dataset as follows: a. PAM traces was captured in Aalborg University from 25th February 2013 to 1st May 2013 and reported in [26]. The label of the dataset was collected using Volunteer-Based System (VBS). A total of 1,262,022 flows were captured, where 535,438 flows were labeled as reported in [26]. However, only 339,061 flows could be used as most flows have less than five packets and the netflow and feature extractor modules only extract flows that contain five packets or more. By using the provided information files, the flows are labeled into four classes: WEB, FTP, P2P, and Others. b. The UNIBS datasets [27] were obtained from a series of workstations at the University of Bresciafrom

Dataset preprocessing
Online features are extracted and online features with IAT and without IAT as suggested in our previous work [28] are selected. For the UNIBS and PAM datasets, the features are extracted based on the first five packets statistic of each flow. However, for the Cambridge dataset, the statistics of the first 5 packets are not available without access to the raw packets. Thus, for this dataset, the complete flow statistic is used (not only first 5 packets). In order to have a fair comparison of all datasets, the mean features in Cambridge dataset are modified to total features. Table 2 shows the list of feature that had been extracted.

Evalution
Prequential evaluation using fading factors forgetting mechanism proposed by Gama et al. [29] is adopted as the evaluation method. This method is suitable for evaluating incremental learning algorithm. The prequential parameters used in our experiment are as stated below, unless specified otherwise: a. Classifier to train: Hoeffding Tree b. Stream to learn from: PAM, Cambridge and UNIBS dataset and average accuracy (Acc). Average accuracy is the overall accuracy for a dataset. Let the total correct identification in a dataset with (N) flow instances is η. The performance indicators used in this paper are: while : classifier's prequential accuracy is: probability of correct prediction. Kappa has preferable properties such that value of 1 with perfect agreement ( ) is used. The value approximately zero when the observed agreement is almost the same as would be expected by chance ( ). Furthermore, Kappa statistic does not assume marginal probabilities to be the same for different observers.

One-way ANOVA test results
This subsection explains the significant of selected features by using ANOVA test with 95% confidence interval for the mean difference. The result explains all selected features are significant because after tested with ANOVA the P-value less than 0.05. Also, this test explains the IAT features are less significant than other features as shown in Figure 2.

Online classification results
The experimental results presented in Figure 3 to Figure 8, illustrate the effect of IAT inclusion as an online feature for P2P identification. The result as presented in Table 3 indicates that packet IAT feature as online feature decreases identification accuracy and Kapaa statistic. Furthermore, packet IAT feature increases the experimental evaluation time. This is as a result of packet IAT feature morphing which involves alternation on direction pattern which is dependent on network locations. Also these results prove previous offline studies that: a. Time-related features do not help to distinguish among applications [20], [30]. b. The use and statistical features of application dependent only on inter-packet time is a challenging task due to the time required by an application to generate and transfer packets to the transport layer is masked by the fact that additional time is added due to the network conditions and the TCP layer [31].

CONCLUSION
In this paper, we investigated the impact of packet IAT feature for online P2P classification with reference to accuracy, kappa statistic and evaluation time. The simulation results indicate that the packet IAT features for online P2P classification decrease accuracy and Kappa statistic, and also increase evaluation time. These results because IAT morphing usually involves alternation on direction pattern and depend on different network locations. The acknowledgment section is optional. The funding source of the research can be put here.