DOI QR코드

DOI QR Code

시그니쳐 계층 구조에 기반한 HTTP 트래픽 분석 시스템의 처리 속도 향상

Processing Speed Improvement of HTTP Traffic Classification Based on Hierarchical Structure of Signature

  • Choi, Ji-Hyeok (ETRI) ;
  • Park, Jun-Sang (Korea University Network Management Lab. Dept. of Computer and Information Science) ;
  • Kim, Myung-Sup (Korea University Network Management Lab. Dept. of Computer and Information Science)
  • 투고 : 2013.12.12
  • 심사 : 2014.04.21
  • 발행 : 2014.04.30

초록

최근 웹 기반의 다양한 응용과 서비스의 제공으로 인해 HTTP 트래픽의 양이 급격하게 증가하고 있다. 따라서 안정적인 네트워크 관리를 위해서 HTTP 트래픽에 대한 분석이 필수적으로 요구된다. HTTP 트래픽을 다양한 관점에서 분석하기 위해서는 다양한 시그니쳐 기반 분석 방법 중에 페이로드 시그니쳐 기반 분석 방법이 효과적이다. 하지만 트래픽 분류 있어서 페이로드 시그니쳐 기반 방법은 고속 링크의 대용량 트래픽을 실시간으로 처리하는 과정에서 헤더 정보 및 통계 정보 이용 방법론에 비해 상대적으로 높은 부하를 발생시키며 처리 속도가 느린 단점을 갖는다. 따라서 본 논문에서는 HTTP 시그니쳐의 계층 구조에 기반하여 HTTP 트래픽을 다양하게 분류할 수 있는 방법론을 제시한다. 또한 계층 구조의 특징을 반영하여 패턴 매칭의 처리 속도 향상을 위한 방법을 제안한다. 제안하는 방법을 학내망의 실제 트래픽에 적용하여 평가한 결과, Aho-Corasick 알고리즘 보다 더 빠른 처리속도를 보일 수 있었다.

Currently, HTTP traffic has been developed rapidly due to appearance of various applications and services based web. Accordingly, HTTP Traffic classification is necessary to effective network management. Among the various signature-based method, Payload signature-based classification method is effective to analyze various aspects of HTTP traffic. However, the payload signature-based method has a significant drawback in high-speed network environment due to the slow processing speed than other classification methods such as header, statistic signature-based. Therefore, we proposed various classification method of HTTP Traffic based HTTP signatures of hierarchical structure and to improve pattern matching speed reflect the hierarchical structure features. The proposed method achieved more performance than aho-corasick to applying real campus network traffic.

키워드

참고문헌

  1. W. Li, A. W. Moore, and M. Canini, "Classifying HTTP traffic in the new age," in Proc. ACM SIGCOMM, pp. 479-489, Washington, USA, Aug. 2008.
  2. Y. Bhole and A. Popescu, "Measurement and analysis of HTTP traffic," J. Network and Systems Management, vol. 13, no. 6, pp. 357-371, Dec. 2005. https://doi.org/10.1007/s10922-005-9000-y
  3. J. S. Park, S. H. Yoon, and M. S. Kim, "Performance improvement of the payload signature based traffic classification system using application traffic locality," J. KICS, vol. 38B, no. 7, pp. 519-525, Jul. 2013. https://doi.org/10.7840/kics.2013.38B.7.519
  4. S. H. Yoon, H. G. Roh, and M. S. Kim, "Internet application traffic classification using traffic measurement agent," in Proc. KICS, pp. 1747-1750, Jeju Island, Korea, Jul. 2008.
  5. C. S. Park, J. S. Park, and M. S. Kim, "Study on automatic payload signature generation system using protocol filter," in Proc. KICS, pp. 655-656, Jeju Island, Korea, Jun. 2013.
  6. F. Risso, M. Baldi, O. Morandi, A. Baldini, and P. Monclus, "Lightweight, payload-based traffic classification an experimental evaluation," in Proc. IEEE Commun., pp. 5869-5875, Beijing, China, May 2008.
  7. J. H. Kim, S. H. Yoon, and M. S. Kim, "Study on traffic classification taxonomy for multiliteral and hierarchical traffic classification," in Proc. APNOMS, pp. 1-4, Seoul, Korea, Sept. 2012.
  8. J. H. Kim, S. H. Yoon, and M. S. Kim, "Research on traffic taxonomy for internet traffic classification," in Proc. APNOMS, Taipei, Taiwan, Sept. 2011.
  9. J.L. Garcia-Dorado, J.A. Hernandez, J. Aracil, J.E.L. Vergara, F.J. Montserrat, E. Robles, and T.P. Miguel, "On the duration and spatial characteristics of Internet traffic measurement experiments," IEEE Commun. Mag., vol. 46, no. 11, pp. 148-155, Nov. 2008.
  10. T. Bujlow, T. Riaz, and J. M. Pedersen, "A method for classification of network traffic based on C5.0 Machine Learning Algorithm," in Proc. ICNC, pp. 244-248, Maui, HI, USA, Feb. 2012.
  11. G. Vasiliadis, M. Polychronakis, S. Antonatos, E. P. Markatos, and S. Ioannidis, "Regular expression matching on graphics hardware for intrusion detection," in Proc. RAID, pp. 265-283, Saint-Malo, France, Sept. 2009.
  12. M. Roesch. "Snort - lightweight intrusion detection for networks," in Proc. USENIX LISA, pp. 229-238, Washington, USA, Nov. 1999.
  13. A. V. Aho and M. J. Corasick, "Efficient string matching: An aid to bibliographic search," Commun. ACM, vol. 18, no. 6, pp. 333-340, Jun. 1975. https://doi.org/10.1145/360825.360855
  14. T. H. Cormen, C. E. Leiserson, and R. L. Rivest, and C. Stein, Introduction to Algorithms 3rd Ed., The MIT press, 2009.
  15. ITS Committee, Tool Interface Standard (TIS) Executable and Linking Format (ELF) Specification Version 1.2, May 1995.
  16. B. Jenkins, "A new hash functions for hash table lookup," J. Dr. Dobb's, Sept. 1997.