|
| Category | Classification methodology | Attribute(s) used | Granularity | Processing time | Sample tools/ML techniques |
|
| Port based | Protocol port | Protocol ports | High | Low | Any (custom), PRTG network monitor [55], Nagios [56], Wireshark [48] |
|
| Payload inspection | Deep packet inspection | Payload inspection of, for example, first packets, first packet per direction | High | High | OpenDPI [1], nDPI [45], L7 (TIE) [35] |
| Stochastic packet inference | Statistical properties inherent in packet header and payload | High | High | Netzob [57], Polyglot [58], KISS [8] |
|
| Behavioural techniques | End-point behaviour monitoring | Identifying host (communication) behaviour pattern | Low | Moderate | BLINC [46], SVM [59], naïve Bayes [60] |
| Traffic accounting | Heuristic analysis of inspected packets, flows | High | High | ANTCs [61], naïve Bayes [60], Bayesian network [62] |
|
| Statistical approaches | Packet based | Packet and payload size, interpacket arrival time | High | Moderate | NN [63], Hidden Markov/Gaussian Mixture Models |
| Flow based | Duration, transmission rate, multiple flow features | Low | Low | -means/hierarchical clustering [27], J48 [30], C5.0 [31], BFTree [64], SVM [59] |
|
