The classification of IP flows according to the application that generated them is the basis of any modern network management platform. However, classical techniques, such as those based on the analysis of transport-layer or application-layer information, are rapidly becoming ineffective. In this paper we present a flow classification mechanism based on three simple properties of the captured IP packets: their size, inter-arrival time and arrival order.
The main contribution of this paper is a statistical method for the classification of Internet flows that does not require looking at packet headers or parsing payload data. Indeed, classifying flows using packet headers and payload data is less and less effective nowadays, for the simple reasons that applications use more and more encryption and try to avoid standard port numbers, which can be easily recognized.