Solution: Traffic Classification in the Dark
“Traffic classification in the dark” is a particularly effective protocol detection technique that involves the “pipelining” of two different detection applications: the first based on a payload-signature model and the second based on a behavioral-signature model. In this method, all TCP and UDP streams are processed first by the payload-signature application. If no match with currently known signatures is found, the stream is then forwarded to the behavioral-signature application, which analyzes the characteristics of the packet streams and very accurately detects even the most complex Internet applications.
Payload-signature model: TCP and UDP streams of packets are processed first by the payload-signature application. The payload of each incoming packet is matched against a large set of constantly updated signatures. A match is achieved using proprietary algorithms that guarantee excellent performance at very high speeds (up to OC48). The majority of standard protocols (and their associated applications) are promptly classified by this application.
Behavioral-signature model: Any TCP and UDP streams not classified by the payload-signature application are forwarded to the behavioral-signature application. Streams of packets with encrypted payloads, emerging P2P protocols for which a signature is not available, or multimedia applications using proprietary technologies (such as VoIP, video, gaming, file transfer, chat, etc.) fall into this family.
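The two-stage pipeline described above, as an added sketch that is not the vendor's code: the signature prefixes, behavioral thresholds, class labels and sample flows are all assumptions constructed for illustration, and the behavioral stage looks only at packet sizes and timing, never at payload bytes.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Packet:
    ts: float       # arrival time, seconds
    size: int       # bytes on the wire
    payload: bytes  # application payload (may be opaque or encrypted)

# Stage 1: payload signatures (small constructed set of well-known protocol openers).
PAYLOAD_SIGNATURES = [
    ("http", b"GET "), ("http", b"POST "),
    ("ssh", b"SSH-2.0-"),
    ("bittorrent", b"\x13BitTorrent protocol"),
]

def classify_by_payload(flow):
    """Match the first packets of a flow against known payload prefixes."""
    for pkt in flow[:4]:
        for label, prefix in PAYLOAD_SIGNATURES:
            if pkt.payload.startswith(prefix):
                return label
    return None

def classify_by_behavior(flow):
    """Stage 2: label a flow from sizes and timing only (hypothetical thresholds)."""
    if len(flow) < 5:
        return "unknown"  # too few packets to characterise
    sizes = [p.size for p in flow]
    gaps = [b.ts - a.ts for a, b in zip(flow, flow[1:])]
    steady = 0.005 <= mean(gaps) <= 0.06 and pstdev(gaps) < 0.005
    # Small, uniform packets at a steady cadence: real-time media pattern.
    if mean(sizes) < 300 and pstdev(sizes) < 20 and steady:
        return "realtime-media-like"
    # Mostly full-size packets: bulk transfer pattern.
    if mean(sizes) > 1000:
        return "bulk-transfer-like"
    return "unknown"

def classify(flow):
    """Pipeline: payload stage first, behavioral stage only on a miss."""
    label = classify_by_payload(flow)
    if label is not None:
        return label, "payload"
    return classify_by_behavior(flow), "behavioral"

# Constructed sample flows (not captured traffic).
HTTP_FLOW = [Packet(0.0, 120, b"GET /index.html HTTP/1.1\r\n")]
MEDIA_FLOW = [Packet(i * 0.02, 172, bytes([0x80 ^ i]) * 160) for i in range(20)]
BULK_FLOW = [Packet(i * 0.001, 1400, b"\x9f" * 1360) for i in range(20)]
```

Returning the stage alongside the label lets an operator see which flows were only classified behaviorally, which is where false positives and missing signatures are most worth reviewing.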