Weekly Report -- 18/11/2011

Managed to create a new model for use with the Bernaille traffic classification technique, based on an hour of ISP traffic and using PACE to determine ground truth. The model does not perform much better than the default one I tested last week, despite including a few extra protocols.

Developed a new technique for comparing the various traffic classification schemes. My main problem is that even the commercial tools are not reliable enough to act as a genuine ground truth, so it becomes difficult to evaluate the accuracy of any given approach. My new approach evaluates each tool by comparing the classifications against the results produced by each other tool in turn, treating all flows that are unknown or classified differently as failure cases. The average failure rate is then calculated across all the tools compared against to produce an estimated accuracy rating for the evaluated tool.
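The cross-comparison scoring described above, worked through as an added example (this is not code from the report or from libprotoident; it is an illustration of the scheme in Python). It assumes each tool's per-flow results have already been reduced to one label per flow drawn from a shared vocabulary, with "Unknown" marking an unclassified flow; the tool names and the eight flows are constructed sample data, not measurements. A flow counts as a failure for the evaluated tool if either tool reports it as unknown or the two labels differ, and the estimated failure rate is the mean of the pairwise rates against every other tool.

```python
"""Cross-comparison of traffic classifiers without a trusted ground truth.

Each tool is scored against every other tool in turn; the failure rate for a
pair is the fraction of flows on which they disagree or either one gives up.
Averaging over all other tools yields the estimated failure rate for the tool
being evaluated. Lower is better.
"""

UNKNOWN = "Unknown"

# Constructed sample data (hypothetical, not captured results). Each entry is
# one flow, mapping tool name -> protocol label assigned by that tool.
SAMPLE_FLOWS = [
    {"libprotoident": "HTTP",       "PACE": "HTTP",       "nmap": "HTTP"},
    {"libprotoident": "BitTorrent", "PACE": "BitTorrent", "nmap": UNKNOWN},
    {"libprotoident": "SSL",        "PACE": "SSL",        "nmap": "SSL"},
    {"libprotoident": "DNS",        "PACE": "DNS",        "nmap": "DNS"},
    {"libprotoident": "Skype",      "PACE": UNKNOWN,      "nmap": UNKNOWN},
    {"libprotoident": UNKNOWN,      "PACE": "SMTP",       "nmap": "SMTP"},
    {"libprotoident": "SSH",        "PACE": "SSH",        "nmap": "Telnet"},
    {"libprotoident": "HTTP",       "PACE": "HTTP",       "nmap": "HTTP"},
]


def pairwise_failure_rate(flows, evaluated, reference, unknown=UNKNOWN):
    """Fraction of flows on which `evaluated` fails when judged by `reference`.

    A flow is a failure if either tool left it unknown or the labels differ.
    A tool missing from a flow's record is treated as having said unknown.
    """
    if not flows:
        raise ValueError("no flows to compare")
    failures = 0
    for flow in flows:
        a = flow.get(evaluated, unknown)
        b = flow.get(reference, unknown)
        if a == unknown or b == unknown or a != b:
            failures += 1
    return failures / len(flows)


def tool_names(flows):
    """All tool names that appear in any flow record, in sorted order."""
    names = set()
    for flow in flows:
        names.update(flow.keys())
    return sorted(names)


def estimated_failure_rates(flows, tools=None):
    """Map each tool to the mean of its pairwise failure rates against the rest."""
    tools = list(tools) if tools is not None else tool_names(flows)
    if len(tools) < 2:
        raise ValueError("need at least two tools to cross-compare")
    rates = {}
    for evaluated in tools:
        others = [t for t in tools if t != evaluated]
        rates[evaluated] = sum(
            pairwise_failure_rate(flows, evaluated, ref) for ref in others
        ) / len(others)
    return rates


def rank_tools(flows, tools=None):
    """Tool names ordered from lowest (best) to highest estimated failure rate."""
    rates = estimated_failure_rates(flows, tools)
    return sorted(rates, key=lambda t: (rates[t], t))


if __name__ == "__main__":
    for tool, rate in sorted(estimated_failure_rates(SAMPLE_FLOWS).items(),
                             key=lambda kv: kv[1]):
        print(f"{tool:14s} estimated failure rate {rate:.4f}")
```

On the sample data the estimated failure rates come out as PACE 0.3125, libprotoident 0.375 and nmap 0.4375. Note the metric's built-in caveat: a tool is penalised whenever a reference tool leaves a flow unknown, even if the evaluated tool was right, so a single weak reference drags every other score down; averaging over several tools, as the report does, is what keeps one poor reference from dominating.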

So far, the results produced by this comparison approach have matched my expectations (libprotoident and PACE have lower failure rates, nmap has the highest) and have also highlighted the high quality of libprotoident's classifications. Hopefully, we will continue to have good results when NAVL is added to the mix.

On that note, I am still waiting on Vineyard to provide me with a binary that fixes the bug I reported last week. It has been acknowledged as a bug and they are in the process of testing the fix now.