GT: picking up the truth from the ground for internet traffic

By: 
F. Gringoli, Luca Salgarelli, M. Dusi, N. Cascarano, F. Risso, and k. c. claffy
Appears in: 
CCR October 2009

Much of Internet traffic modeling, firewall, and intrusion detection research requires traces where some ground truth regarding application and protocol is associated with each packet or flow. This paper presents the design, development and experimental evaluation of gt, an open source software toolset for associating ground truth information with Internet traffic traces. By probing the monitored host’s kernel to obtain information on active Internet sessions, gt gathers ground truth at the application level. Preliminary experimental results show that gt’s effectiveness comes at little cost in terms of overhead on the hosting machines. Furthermore, when coupled with other packet inspection mechanisms, gt can derive ground truth not only in terms of applications (e.g., e-mail), but also in terms of protocols (e.g., SMTP vs. POP3).

Public Review By: 
Pablo Rodriguez

Traffic classification has received widespread attention in the last few years. This can be explained by the continuous tussle between network operators that sometimes try to ‘peek’ into their client’s application usage and network services and applications that add layers of evasion to escape such eavesdropping. Accurately assigning applications to observed flows can also help with management, security as well as provisioning of IP networks. A plethora of traffic classification techniques have consequently been developed to address each of the layers of evasion added by applications. All such techniques need reliable inputs to quantify their effectiveness. Such input comes in the form of previously labeled traffic traces and is usually referred to as ground truth.
Two main techniques were used so far to produce traffic that provides such ground truth. The first one manually or programmatically triggers applications on different machines and labels the corresponding generated flows. This has limitations, since the traffic traces can still contain background traffic and the generated workload is not similar to a workload generated by human users. The second technique employs Deep Packet Inspection and tries to match signatures inside each packet. However, multiple signatures might match and also this approach breaks when dealing with encrypted traffic.
This paper presents a client tool called gt that helps to provide ground truth information to evaluate different traffic classification methods by monitoring a host's kernel. This is extremely valuable for validation purposes. The authors show that the gt tool developed addresses some of above limitations: it seemingly integrates with a user’s normal computer usage, keeping a low CPU load (less than 5%), and achieves close to 100% completeness in flow tagging on all operating systems. The gt tool can also help augment exiting classification techniques like DPI to give better results. In fact, the gt tool can be used to address the limitations of existing Deep Packet Inspection techniques both by reducing the number of signatures that need to be matched and by enhancing the accuracy of the matches. One potential avenue for further research that the authors could explore is to evaluate and characterize existing traffic classification methods such as BLINC using the ground truth information generated with the gt tool, thus proving invaluable to help finetune such approaches.