KeyClass: Efficient keyword matching for network traffic classification

Network traffic classification is required for a range of network management activities like meeting the Quality of Service demands of applications and security monitoring. Deep Packet Inspection (DPI) based methods achieve better classification accuracy compared to other techniques. However, DPI is computationally demanding and requires searching patterns in the payload. Methods found in the literature suffer from performance issues as they perform multiple scans of payload. In this paper, we describe KeyClass, which is a DPI based traffic classifier and can classify network flows with single scan of payload using keyword based signatures. KeyClass achieves performance gains (speed of classification) with a combination of two things. It quickly identifies potential application(s) by scanning few initial bytes of payload and optimize the number of character comparisons while searching remaining keywords of potential application(s). In order to identify potential applications, it uses a finite state machine constructed with first keyword of every application using classic Aho-Corasick multi-pattern matching algorithm. KeyClass has an application specific signature which is generated with the remaining set of keywords of an application. By skipping portions of payload from inspection, coupled with an efficient string matching algorithm, it practically achieves sub-linear search complexity. We evaluate the classification and execution performance of KeyClass with experiments using two large datasets containing 173619 and 885405 network flows and report that it has a good average classification accuracy of approximate to 98%. In our evaluation, KeyClass is found to be 3.79 times faster than state of the art methods.