P2P流量识别关键技术研究

详细信息    本馆镜像全文|  推荐本文 |  |   获取CNKI官网全文

英文题名：Research on Key Identification Method of P2P Traffic 作者：彭建芬 论文级别：博士 学科专业名称：信号与信息处理 中文关键词：P2P ; 流量识别 ; 启发式 ; 基于监督的机器学习 ; 支持向量机 ; 决策树 英文关键词：P2P ; traffic identification ; supervised machine learning ; support vector machine ; decision tree 学位年度：2011 导师：涂序彦 学科代码：081002 学位授予单位：北京邮电大学 论文提交日期：2011-05-10

摘要

网络流量识别是管理大型网络的一个重要任务,同时也是合法截留方法的主要组成部分。随着网络技术的快速发展与广泛应用,许多新的P2P应用层出不穷。P2P应用技术资源利用率高、信息存储的非中心化等特点使得P2P技术在文件共享、分布式计算、协作系统和电子商务中应用广泛。随着P2P应用的不断增多,P2P流量所占网络流量的比重越来越大,国内P2P流量占总流量的70%以上,准确地识别网络中P2P应用的流量对网络规划设计、QoS保证等都有十分重要的作用。另一方面,P2P应用的网络软件设计缺陷使得攻击者易于发起庞大的拒绝服务攻击,从而使得互联网网站轻易地崩溃。P2P网络分散式的存储结构、方便的共享原理和快速的选路机制,有利于木马、病毒等破坏性程序的传播。为了保证网络的正常运行,需要对P2P流量进行快速、准确地识别。
     目前P2P技术采用动态端口技术和载荷加密技术逃避基于端口和基于应用载荷签名的P2P流量识别算法的检测。当今普遍研究的流量识别算法是基于行为特征的流量识别算法和基于机器学习的流量识别算法。本文提出的P2P流量早期快速识别算法和改进的启发式P2P流量识别算法术分别属于基于机器学习的P2P流量识别算法和基于行为的P2P流量识别算法。P2P流量早期快速识别算法利用监督的机器学习算法对流初期几个包提取的特征进行分类,识别正确率高,适合于对P2P流及具体的P2P应用的早期识别。改进的快速启发式P2P流量识别算法利用P2P流与非P2P流之间在传输层表现出的不同,能快速地识别出P2P流以及P2P部分具体流行的应用。最后本文研究了P2P应用主机TCP流的连接特性和自相似性。
     本文的主要研究工作包括以下几个方面：
     (1)为了对P2P的TCP数据流进行及时、快速并准确地识别,起到对P2P流量预警和控制的作用,本文提出了一种基于SVM的TCP流量早期识别算法。该算法根据不同应用流的包到达的实际情况,利用TCP流初期的三个数据包的载荷大小和服务器端口作为流量特征,利用支持向量机的高斯径向基核函数进行一对一多类分类。实验结果比较和分析表明：根据提取的特征,采用无偏训练样本,选择合适的参数能快速而有效地识别WEB、MAIL、P2P中的BitTorrent和eMule流量,这种早期流量识别算法的特征值的得到无需等待流的结束,特征提取简单。由于提取的特征不涉及到协议签名,因此早期流量识别算法对加密流量或伪装特性的业务流量识别同样适用；
     (2)为了减少建模的时间和提高分类的正确率,在基于SVM的TCP流量早期识别算法的基础上,提出了基于C4.5决策树的P2P流量早期快速识别算法。分类结果比较和分析表明：相对于其它两种分类算法,C4.5决策树进行分类时识别正确率高,分类速度快。因此这种早期快速识别算法利用TCP流初期的三个数据包的载荷大小和服务器端口作为特征能快速有效地识别出WEB、MAIL、P2P中的BitTorrent和eMule流量；
     (3)为了提高Karagiannis等人提出的P2P流启发式算法的识别正确率,利用端口4662、有效数据流的计数原理、BitTorrent对等协议握手消息数据包的载荷大小固定特点以及Skype流的包载荷特点对其进行改进,提出了一种改进的快速P2P流量启发式识别算法。实验结果比较和分析表明：在识别P2P流和Non-P2P流时,选择合适的对等点阈值,能有效识别出P2P流以及P2P流对应的部分具体应用；
     (4)为了识别出P2P应用主机,对P2P应用主机TCP流从连接特性和自相似性两个方面进行了研究。P2P系统的主机扮演双重角色：服务器和客户端。非P2P系统的连接模式采用传统的客户/服务器模式,发起连接时以很高的连接成功率进行,与之相反的是,由于P2P系统的动态性,P2P主机不断地向其它在线主机发起连接以保证稳定的下载速度。与系统动态性和连接成功率相关的参数为：传输的SYN包数、传输的SYN+ACK、传输的SYN包不同目的地址数、接收的SYN+ACK包的不同源地址数包数、传输的SYN包不同目的端口数、接收的SYN+ACK包的不同源端口数。实验结果比较和分析表明：在识别P2P和非P2P传统应用主机的TCP流时,利用后四个参数比利用六个参数作为流量特征有效。主机流量的自相似性从时间上和行为上进行了分析,行为上的自相似性研究表明P2P应用主机在收到一定数量的数据包后,其数据包载荷变化很小。
The internet traffic identification is one of the crucial tasks for the large network management and the major component of the lawful interception. With the rapid development and wide application of the network technology, more and more applications based on the peer-to-peer (P2P) protocols appear. The characteristics of the P2P techniques, including the high utilization of resources and the non-centralized storage requirement, which accelerate the application of itself in file-sharing, distributed computation, collaborative systems and e-commerce. Since more and more network bandwidth is occupied by the large-scale P2P applications, more than 70% of the whole traffic in China, it is emergent to identify the P2P traffic for the QoS guarantee in the plan and design of network. Meanwhile, the existing vulnerabilities of the P2P applications cause them be easily attacked by the denial of service attacks and intensify the collapse of the Internet. Actually, it is the inherent characteristics that facilitate the spread of the Trojans, viruses and other destructive programs, for instance, the decentralized network storage structure, the principle for convenient file-sharing and the fast routing mechanism. Therefore, to ensure the normal operations of the network, it is urging to identify the P2P traffic quickly and accurately.
     However, the popular P2P techniques prefer to employ the technologies of dynamic port and encrypted payload to evade either the port-based or the signature-based P2P traffic identification. Currently, the state-of-the-art traffic identification techniques are based on either the network behavior or the machine learning. In this paper, the early and fast P2P traffic identification method and the improved fast identification method of P2P traffic based on heuristics are respectively belonging to the traffic identification technologies based on the machine learning and the behavior. The early traffic identification algorithm uses the size of the first three packets and the server port number extracted from the TCP flows as the features and conducts the supervised learning for classifying the traffic, it can achieve the high accuracy, thus it is suitable for early P2P traffic identification. Improved fast identification method of P2P traffic based on heuristics uses the differentiation between P2P flow and non-P2P flow at the transport layer, which can quickly identify P2P traffic and the specific application of the popular P2P applications. Finally, TCP traffic of P2P application host on the responds success rate and self-similarity are analyzed.
     The main contributions of this paper are concluded as follows:
     1. In order to identify P2P traffic quickly and accurately as early as possible, early TCP traffic identification method based on support vector machines(SVM) is proposed for early warning and control of P2P traffic. The method uses the size of early three packets payload and server port number obtained from the TCP flow as flow features and conducts SVM using one against all classification strategy for classifying the traffic. Both theoretical analysis and experimental results show that the method meets the following conditions:extracted features used, training samples selected under the unbiased conditions, it can identify the Internet traffic into application among WEB, MAIL, BitTorrent and eMule categories efficiently. The extracted features are not related to packet payload, so the method is suitable for early identification of encrypted traffic.
     2. In order to reduce modeling time and improve classification accuracy, early and fast P2P traffic identification method based on C4.5 decision tree. Both theoretical analysis and experimental results show that the C4.5 decision tree has the following superiority compared to two other supervised machine learning algorithms in traffic identification: higher accuracy, computational time saved in traffic identification. Therefore, the method using the size of early three packets payload and server port number obtained from the TCP flow as flow features can quickly and effectively identify internet traffic related to WEB, MAIL, BitTorrent and eMule.
     3. In order to improve the accuracy and efficiency of transport layer P2P traffic identification method proposed by Karagiannis et al, the port 4662, effective counting mechanisms, the fixed size of BitTorrent peer protocol handshake message packet payload and the payload characteristics of Skype are used to improve the method, the improved fast identification method of P2P traffic based on heuristics is proposed. Both theoretical analysis and experimental results show that the accuracy and efficiency of improved identification method have improved. It can identify the P2P traffic and specific applications of the P2P traffic, such as BitTorrent, eDonkey, Skype.
     4. In order to identify P2P host, we study connection characteristics and self-similarity of host TCP traffic. P2P host acts as server and client. Non-P2P system connects using the traditional client/server model and achieves a high success rate, as opposed to that, P2P host constantly initiate connections to other online host to guarantee a stable download speed because of dynamic nature of P2P systems. Parameters associated with the dynamic of system and connection success rate include:number of transmitted SYN packets, number of transmitted SYN/ACK packets, number of different destination IPs of transmitted SYN packets, number of different source IPs of received SYN/ACK packets, number of different destination port of transmitted SYN packet, number of different source port of received SYN/ACK packets. Both theoretical analysis and experimental results show that the feature combination of the last four parameters outperforms the other combinations of features while being employed in the identification of P2P host TCP flows. The self-similarity of host TCP flow is analyzed under behavior scale and under time scale. We conclude the received payload of packets of host TCP only have little change after host receives a certain number of packets.

引文

[1]Baker F, Foster B, Sharp C. Cisco architecture for lawful intercept in IP networks[EB/OL]. Internet Engineering Task Force, RFC 3924,2004. http://www.ietf.org/rfc/rfc3924.txt.
    [2]陈德伟,许斌,蔡月茹等.服务部署与发布绑定的基于P2P网络的Web服务发现机制[J].计算机学报,2005,28(4)：615-626.
    [3]罗杰文Peer to Peer(P2P)综述[EB/OL]. http://docs.huihoo.com/ p2p/1/index.html.
    [4]Internet Study 2008/2009[EB/OL]. http://www.ipoque.com/resources/internet-studies/internet-study-2008_2009.
    [5]Zhou L.D, Zhang L.T. McSherry F, et al. A first look at peer-to-peer worms: Threats and defenses[C]//In Proceedings of the IPTPS. Lecture Notes in Computer Science,3640,2005:24-35.
    [6]Damiani E, di Vimercati S. D. C, Paraboschi S, et al. A reputation based approach for choosing reliable resources in peer-to-peer networks[C]//In ACM Conference on Computers and Communications Security. Washington, DC:ACM Press, October 2002:207-216.
    [7]Khiat N, Carlinet Y, Agoulmine. N The emerging threat of peer-to peer worms[C]//In Workshop on Monitoring, Attack Detection and Mitigation (MonAM).Germany:IEEE press,2006:1-3.
    [8]Walsh K, Sirer E. G. Experience with a distributed object reputation system for peer-to-peer filesharing[C]//In Proceedings of the Symposium on Networked System Design and Implementation (NSDI). San Jose, California:ACM Press, May 2006.
    [9]Grimmelmann J.Peer-to-peer terrosrism[EB/OL]. http://www.salon.com/ technology/feature/2001/09/26/osama_bin_napster.
    [10]Internet Assigned Numbers Authority, TCP/UDP Port Numbers[EB/OL]. http://www.iana.org/assignments/port-numbers.
    [11]Yi M.G. Identifying P2P users using traffic analysis [EB/OL]. http://www. securityfocus.com/infocus/1 843/1～3.
    [12]Chen Z.X, Wan G H.Y, Peng L.Z, et al. A Novel Method of P2P Hosts Detection Based on Flexible Neural Tree [C]//In Proceedings of the Sixth International Conference on Intelligent Systems Design and Applications. Jinan, China:IEEE Press,2006:556-561.
    [13]Napster[EB/OL].http://www.napster.com.
    [14]Moore A, Papagiannaki K. Toward the accurate identification of network applications[C]//In Proc. Passive and Active Measurement Workshop(PAM2005). Boston, MA, USA:ACM Press, March/April 2005:41-54.
    [15]Madhukar A, Williamson C. A longitudinal study of P2P traffic classification[C]//In 14th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems. Los Alamitos, CA:IEEE Computer Society, September 2006:179-188.
    [16]Sen S, Spatscheck O, Wang D. Accurate, scalable in network identification of P2P traffic using application signatures[C]//In WWW2004.New York, NY, USA:ACM Press, May 2004:512-521.
    [17]Dews C, Wichmann A, Feldmann A. An analysis of Internet chat systems[C]// In Proc of IMC'03. New York:ACM Press,2003:51-64.
    [18]Haffner P, Sen S, Spatscheck O, et al. ACAS:Automated construction of application signatures[C]//In Proc of SIGCOMM'05 MineNet Workshop. New York:ACM Press,2005:197-202.
    [19]TCPdump[EB/OL].http://www.tcpdump.org.
    [20]Ethereal[EB/OL].http://www.ethereal.com.
    [21]Wireshark[EB/OL].http://www.wireshark.org.
    [22]QQ直播[EB/OL]. http://tv.qq.com.
    [23]Kazaa[EB/OL].http://www.kazaa.com.
    [24]Barford P, Plonka D. Characteristics of Network Traffic Flow Anomalies[C]//In Proceedings of ACM SIGCOMM Internet Measurement Workshop. San Francisco, California, USA:ACM Press, October 2001:69-73.
    [25]Moore D, Voelker G, Savage S. Inferring Internet Denial of Service Activity[EB/OL]. http://www.cs.ucsd.edu/.savage/papers/UsenixSec01.pdf.
    [26]Sen S, Wang J. Analyzing peer-to-peer traffic across large networks[J]. IEEE/ACM Trans.on Networking,12(2), Apr 2004:219-232.
    [27]Saroiu S, Gummadi K. P, Dunn R. J, et al. An Analysis of Internet Content Delivery Systems[C]//In Proceedings of the 5th Symposium on Operating Systems Design and Implementation. New York, NY, USA:ACM Press,2002: 315-327.
    [28]Karagiannis T, Broido A, Brownlee N, et al. File-sharing in the Internet:A characterization of P2P traffic in the backbone.Technical report[EB/OL]. http://www.cs.ucr.edu/>>tkarag.
    [29]Gummadi K. P, Dunn R. J, Saroiu S, et al. Measurement, modeling, and analysis of a peer-to-peer file-sharing workload[C]//In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP-19). New York, USA:ACM Press, October 2003:314-329.
    [30]Sen S, Spatscheck O, Wang D. Accurate, Scalable In-Network Identification of P2P Traffic Using Application Signatures[C]//In WWW 2004. New York:ACM Press,2004:512-521.
    [31]Kim H.A, Karp B. Autograph:Toward Automated, Distributed Worm Signature Detection[C]//In Proceedings of the 13th Usenix Security Symposium. San Diego, USA, Aug.2004:223-238.
    [32]Li Z, Sanghi M, Chen Y, et al. Hamsa:Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience[C]//in IEEE Symposium on Security and Privacy 2006. Berkeley, California, USA:IEEE Computer Society 2006,2006:33-47.
    [33]Markatos E. P, Antonatos S, Polychronakis, M, et al. Exclusion-based Signature Matching for Intrusion Detection[C]//In Proc. IASTED International Conference on Communications and Computer Networks. Combridge, USA: ACM Press,2002:146-152.
    [34]Erdogan O, Cao P. Hash-AV:Fast Virus Signature Scanning by Cache-Resident Filters[C]//In IEEE Global Telecommunications Conference. St. Louis, Missouri:IEEE Communications Society,2005:1767-1772.
    [35]Snort[EB/OL].http://www.snort.org.
    [36]NetFlow[EB/OL]. http://www.cisco.com/warp/public/732/netflow/.
    [37]Allot Communications Ltd [EB/OL]. http://www.allot.com,2007.
    [38]CacheLogic [EB/OL]. http://www.cachelogic.com,2007.
    [39]Verso Technologies [EB/OL]. http://www.verso.com/,2007.
    [40]王蛟.基于行为的网络流量检测技术研究[博士学位论文].北京：北京邮电大学,2008.
    [41]Skype[EB/OL].http://www.skype.com.
    [42]BitComet[EB/OL].http://www.bitcomet.com.
    [43]迅雷[EB/OL]. http://www.xunlei.com.
    [44]脱兔[EB/OL]. http://www.tuotu.com.
    [45]Karagiannis T, Broido A, Faloutsos M, et al. Transport layer identification of p2p traffic[C]//In ACM SIGCOMM/USENIX Internet Measurement Conference. Italy:ACM Press, October,2004:121-134.
    [46]Bolla R, Canini M, Rapuzzi R, et al. Characterizing the network behavior of P2P traffic[C]//In Telecolmrnunication Networking Workshop on QoS in Multiserviee IP Networks,2008.IT-NEWS 2008.4th International. Piseataway Unite States, Venice, Italy:institute of Electrical and Electronics Engineers Computer Society,2008:14-19.
    [47]徐鹏,刘琼,林森.改进的对等网络流量传输层识别方法[J],计算机研究与发展.45(5),2008：794—802.
    [48]Constantinou F, Mavrommatis P. Identifying known and unknown peer-to-peer traffic[C]//In Fifth IEEE International Symposium on Network Computing and Applications (NCA'06).2006 Washington,DC:IEEE Computer Society,2006: 93-102.
    [49]Silver B. Netman:A learning network traffic controller[C]//In Proc. Third International Conference on Industrial and Engineering Applications of Artificial Intelligence and Expert Systems- IEA/AIE.1990:923-931.
    [50]Frank J. Machine learning and intrusion detection:Current and future directions[C]//In Proceedings of the National 17th Computer Security Conference.Baltimore,MD,1994.
    [51]Paxson V. Empirically derived analytic models of wide-area TCP connections[J]. IEEE/ACM Trans. Networking,2(4),1994:316-336.
    [52]Dewes A, Wichmann A, Feldmann A. An analysis of Internet chat systems[C]//In ACM/SIGCOMM Internet Measurement Conference 2003. Miami, Florida, USA:ACM Press, October 2003.
    [53]Claffy K. Internet traffic characterization[Dissertation], PhD Thesis, University of California, San Diego,1994.
    [54]Lang T, Armitage G, Branch P, et al. A synthetic traffic model for Half-life[C]//In Proceedings of Australian Telecommunications Networks and Applications Conference 2003 (ATNAC 2003). Melbourne, Australia:IEEE Press. December 2003.
    [55]Lang T, Branch P, Armitage G. A synthetic traffic model for Quake 3[C]//In Proceedings of ACM. New York, USA:ACM Press, June 2004:233-238.
    [56]Nguyen T T.T, Armitage G. A Survey of Techniques for Internet Traffic Classification using Machine Learning[J]. IEEE Communications Surveys and Tutorials,10(4),2008:56-76.
    [57]Duda O R, Hart P, Stork D. Pattern Classification (2nd edition) [M]. New York:JWiley-Interscience,2001.
    [58]Ma Y.L, Qian Z.J, Shou G.C, et al. Study on preliminary performance of algorithms for network traffic identification[C]//The 2008 International Conference on Computer Science and Software Engineering. Wuhan,CHINA: IEEE Computer Society,2008:629-633.
    [59]Quinlan J R.C4.5:programs for machine learning[M].San Mateo:Morgan Kaufmann,1993:22-24.
    [60]Moore A W, Zuev D. Internet Traffic Classification Using Bayesian Analysis Techniques [C]//ACM SIGMETRICS 2005. Banff, Alberta, Canada:ACM Press,2005:50-60.
    [61]Williams N, Zander S, Armitage G. A preliminary performance comparison of five machine learning algorithms for practical IP traffic flow classification[J]. Special Interest Group on Data Communication (SIGCOMM) Computer Communication Review,36(5),2006:5-16.
    [62]Auld T, Moore A. W, Gull S. F. Bayesian neural networks for Internet traffic classification[J]. IEEE Transactions on Neural Networks,18(1),2007:223-239.
    [63]F.J.Gonzalez-Castano,P.S. Rodriguez-Hernandez, R.P. Martinez-Alvarez, et al. Support Vector Machine Detection of Peer-to-Peer Traffic in High-Performance Routers with Packet Sampling:Nonlinear Kernel Approach[C]//ICCS2007.Part Ⅲ, LNCS 4489,2007:637-644.
    [64]William H. Turkett, Jr., Andrew V, et al. In-the-Dark Network Traffic Classification Using Support Vector Machines[C]//In Proceedings of the AAAI. Menlo Park, CA:AAAI press,2008:1745-1750.
    [65]Este A, Gringoli F, Salgarelli L. Support Vector Machines for TCP traffic classification[J]. Elsevier Computer Networks(COMNET),53(14),2009:2476-2490.
    [66]Yuan R.X, Zhu L, Guan X.H,et al. An SVM-based machine learning method for accurate internet traffic classification[J].Information Systems Frontiers, 12(2),2010:149-156.
    [67]Witten I, Frank E. Data Mining:Pratical Machine Learning Tools and Techniques(2nd ed) [M]. San Francisco:Morgan Kaufmann,2005.
    [68]McGregor A, Hall M, Lorier P, et al. Flow clustering using machine learning techniques[C]//in PAM 2004.LNCS,3015,2004:205-214.
    [69]Dempster A, Laird N, Rubin D. Maximum likelihood from incomplete data via the EM algorithm[J]. Journal of Royal Statistical Society,30(1),1977:1-38.
    [70]Zander S, Nguyen T, Armitage G. Automated traffic classification and application identification using machine learning [C]//in IEEE 30th Conference on Local Computer Networks (LCN 2005), Sydney, Australia:IEEE Press,November 2005:15-17.
    [71]Cheeseman P, Strutz J. Bayesian Classification (AutoClass):Theory and Results[C]//In Advances in Knowledge Discovery and DataMining, USA:AAI/MIT Press,1996:61-83.
    [72]Erman J, Mahanti A, Arlitt M, Internet traffic identification using machine learning techniques[C]//in Proc. of 49th IEEE Global Telecommunications Conference (GLOBECOM 2006). San Francisco,USA, December 2006.
    [73]Erman J, Arlitt M., Mahanti A. Traffic classification using clustering algorithms[C]//in MineNet'06:Proceedings of the 2006 SIGCOMM workshop on Mining network data. New York, NY, USA:ACM Press,2006: 281-286.
    [74]Bemaille L, Teixeira R, Akodkenou I, et al.Traffic classification on the fly[J]. ACM Special Interest Group on Data Communication (SIGCOMM) Computer Communication Review,36(2),2006:23-26.
    [75]Bernaille L, Teixeira R, Salamatian K. Early application identication[C] //Proceedings of the 2006 ACM CoNEXT conference. New York:ACM.2006: 1-12.
    [76]Bernaille L, Laurent; R.Teixeira, et al. Akodkenou, Ismael; Soule, Augustin and Salamantian, Kave, Traffic Classification On The Fly[J], ACM SIGCOMM Computer Communication Review,36(2), April 2006:23-26.
    [77]Bernaille L, Laurent, Teixeira R, et al. Early Recognition of Encrypted Applications[C]//in Proc.8th International Conference, Passive and Active Measurement Conference, Louvain-la-Neuve, Belgium, April 2007.
    [78]JFlow[EB/OL].http://www.juniper.net/techpubs/software/erx/junose80/swconf ig- ip- services/html/ip-jflow-stats-config2.html.
    [79]Roughan M, Sen S, Spatscheck O, et al. Class-of-service mapping for QoS:A statistical signature-based approach to IP traffic classification[C]//in Proceedings of ACM/ SIGCOMM Internet Measurement Conference (IMC) 2004. Taormina, Sicily, Italy,2004:135-148.
    [80]马永立,钱宗珏,寿国础,胡怡红.机器学习用于网络流量识别[J].北京邮电大学学报,32(1),2009：65—68.
    [81]Moore A, Zuev D. Internet Traffic Classification Using Bayesian Analysis Techniques[C]//in ACM International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS) 2005. Banff, Canada:ACM Press,2005:50-60.
    [82]Vapnik V, The nature of statistical learning theory[M], Springer-Verlag:New York,1995.
    [83]边肇祺,张学工等.模式识别[M].北京：清华大学出版社.2000年1月第二版.296—298.
    [84]Vapnik V, Levin E.Le C Y. Measuring the VC-dimension of a learning machine [J]. Neural Computation,6(5),Sept 1994:851-876.
    [85]Keerthi S. S, Lin C.J. Asymptotic behaviors of support vector machines with Gaussian kernel[J]. Neural Computation,15(7), July 2003:1667-1689.
    [86]Lin, H.T., Lin C.J. A study on sigmoid kernels for SVM and the training of non-PSD kernels by SMO-type methods[EB/OL]. Technical report, Department of Computer Science and Information Engineering, National Taiwan University. Available at http://www.csie.ntu.edu.tw/～cjlin/ papers/tanh.pdf.
    [87]Hsu C.W, Chang C.C, Lin C.J. A practical guide to support vector classification[EB/OL]. Technical report, Department of Computer Science, National Taiwan University. July,2003. http://www.csie.ntu.edu.tw/-cjlin/ papers/guide/guide.pdf.
    [88]Hsu C.W, Lin C. A comparison of methods for multiclass support vectormachines[J]. IEEE Transaction Neural Network,2002,13(2):415-425.
    [89]李宏东,姚天翔等译.模式分类[M].北京：机械工业出版社.2003年9月：150-157.
    [90]Fonseca J, Reza B, Fjeldsted L. BitTorrent Protocol-BTP 1.0[EB/OL], (2005-04)[2010-9-8].http://mongie.navidot.com/nv_btp.htm.
    [91]The UNIBS Anonymized 2009 Internet Traces [EB/OL]. (2010-03-18)[2010-9-8].http://www.ing.unibs.it/ntw/tools/traces.
    [92]Callado A, Kamienski, Szabo G, et al. A Survey on Internet Traffic Identification and Classification [J], IEEE Communications Surveys & Tutorials,11 (3),2009:37-52.
    [93]Lim Y.S, Kim H.C, Jeong J, et al. Internet Traffic Classification Demystified: On the Sources of the Discriminative Power[C]//In Proceedings of ACM CoNext 2010. Philadelphia,USA:Association for Computing Machinery, Inc,November 2010.
    [94]杨岳湘,王锐,唐川,等.基于双重特征的P2P流量检测方法[J].通信学报.z1(27),2006.：134-139.
    [95]Collins M, Reiter M. Finding peer-to-peer file-sharing using coarse network behaviors[C]//In Proceedings of the 11th European Symposium on Research in Computer Security. Hamburg, Germany:Springer 2006:1-17.
    [96]4662端口的使用情况[EB/OL].http://www.speedguide.net/ port.php?port=4662.
    [97]CacheLogic[EB/OL].2006. http://www.cachelogic.com/.
    [98]Frost V. S, Melamed B. Traffic Modeling for Telecommunications Networks [J]. IEEE Communications Magazine,32(3), March 1994:70-81.
    [99]Paxson, V. Empirically-Derived Analytic Models of Wide-Area TCP Connections [J]. IEEE/ACM Transactions on Networking,2(4),1994:316-336.
    [100]Garrett, M. W. and Willinger, W. Analysis, Modeling and Generation of Self-Similar Video Traffic[C]//In Proceedings of of the ACM SIGCOMM'94. New York:ACM Press,1994:269-280.
    [101]Paxson V, Floyd S. Wide Area traffic:the failure of Poisson modeling[J]. IEEE/ACM Transactions on Networking,1(3),1995:226-244.
    [102]Marron, J. S, Hernandez-Campos, Smith F. A SiZer analysis of IP flow start times[C]//in Proceedings of Conference in Honor of Erich Lehmann, Institute of Mathematical Statistics Lecture Notes-Monograph Series. J. Rojo and V. Perez-Abreu (Eds). Volume 44,2004:87-105.
    [103]Leland W.E, Taqqu, M.S. Willinger W, et al. On the Self-Similarity Nature of Ethernet Traffic [J].IEEE Trans. Networking,2(1), Feb.1994:1-15.
    [104]Klivansky S, Mukherjee A, Song C. On long-range dependence in NSFNET traffic. Technical Report, GIT-CC-94-61, Atlanta:Georgia Institute of Technology,1994.
    [105]Crovella M.E, Bestavros A. Self-Similarity in World Wide Web traffic: Evidence and possible causes[J]. IEEE/ACM Trans. On Networking,5(6), 1997:835-846.
    [106]Sahinoglu Z, Tekinay S. On Multimedia Networks:Self-Similar Traffic and Network Performance[J].IEEE Communications Magazine,37(1),January 1999:48-52.
    [107]Karagiannis T, Molle M, Faloutsos M. Long-range dependence-Ten years of Internet traffic modeling[J]. IEEE Internet Computing,8(5), September 2004: 57-64.
    [108]Willinger W, Taqqu M.S, Sherman R, et al. Self-similarity through high-variability:statistical analysis of Ethernet LAN traffic at the source level[J]. IEEE/ACM Transactions on Networking,5(1),1997:71-86.
    [109]Erramilli A, Roughan M, Veitch D, et al. Self-similar traffic and network dynamics[J]. Proceedings of the IEEE,90(5), May 2002:800-819.
    [110]Kettani H, Gubner J. A Novel Approach to the Estimation of the Long-Range Dependence Parameter[J]. IEEE Transactions on Circuits and Systems,53(6), June 2006:463-467.
    [111]Sen S, Wang J. Analyzing Peer-To-Peer Traffic Across Large Networks[J].IEEE/ACM TRANSACTIONS ON NETWORKING,12(2), APR 2004:219-231.
    [112]金纯,陈林星,杨吉云译IEEE802.11无线局域网[M].北京：电子工业出版社.2004年1月.
    [113]Feldmeier A. Fast Software Implementation of Error Detection Codes[J], IEEE/ACM Trans. Networking,3(6), Dec.1995:640-651.
    [114]Griffiths G, Stones G.C. The Tea-Leaf Reader Algorithm:An Efficient Implementation of CRC-16 and CRC-32[J]. Comm. ACM,30(7), July 1987: 617-620.
    [115]Heard C.M. AAL2 CPS-PH HEC Calculations Using Table Lookups[EB/OL], ftp://ftp.wnet.com/aa12_hec/crc5.c,2007.
    [116]Joshi S.M, Dubey P.K, Kaplan M.A. A New Parallel Algorithm for CRC Generation[C]//Proc. IEEE Int'l Conf. Comm. (ICC),2000.
    [117]Nielson M.C. Method for High Speed CRC Computation[J]. IBM Technical Disclosure Bull,27(6), Nov.1984:3572-3576.
    [118]Ramabadran T.V, Gaitonde S.V. A Tutorial on CRC Computations[J]. IEEE Micro,8(4), Aug.1988:62-75.
    [119]Sarwate D.V. Computation of Cyclic Redundancy Checks via Table Lookup [J].Comm. ACM,31(8), Aug.1988:1008-1013.
    [120]Kounavis M. E, Berry F. L. Novel Table Lookup-Based Algorithms for High-Performance CRC Generation[J]. IEEE Trans.on Computer Society, 57(11), Nov.2008:1550-1560.
    [121]Peng J.F, Zhou Y.J, Yang Y.X. Cyclic redundancy code check algorithm based on small lookup table[C]//ICCTA2009. Beijing, CHINA:Insutute of Electrical and Electronics Engineers, Inc, Oct 2009:596-599.
    [122]Shi J, Zhu H. Merging and splitting self-similar traffic[C]//5th Asia-Paciflc Confere on communications and 4th Optoelectronics and communications conference(APCC/OECC'99).1999:1:18-22.
    [123]Zhang L, Bao P. Wang X.L.Wavelet estimation of fractional Brownian motion Embedded in a noisy environment[J].IEEETrans.on InformationTheory, 50(9),2004:2194-2200.
    [124]ShengMa, Ji C Y.Modeling video traffic using wavelets[J]. Communications Letters,2(4),1998:100-103.
    [125]EANY, Georganas N D.On merging and splitting of self—similar traffic in high-speed networks[C]//In Proceeding of ICCC'95, Seoul, Korea,1995.
    [126]沈宇,徐启建,钟静月.自相似业务流建模及其合成性能分析[J]通信学报.25(4),2004：98—105.
    [127]于秦.无线网络流量分形特性分析与建模[博士学位论文].电子科技大学.2006：57—58.
    [128]Perenyi M, Dang T, Gefferth A, et al. Identification and Analysis of Peer-to-Peer Traffic[J], Journal of Communications, 1(7),2006:36-46.
    [129]谢希仁.计算机网络(第四版)[M].北京：电子工业出版社,2003.6：271—273.
    [130]Zhou L.J, Li Z.T, Liu B. P2P Traffic Identification by TCP Flow Analysis[C]//In Proceeding IWNAS '06 Proceedings of the 2006 International Workshop on Networking, Architecture, and Storages,2006:47-50.
    [131]Wang J.S, Liu W.W. P2P Traffic Identification based on NetFlow TCP Flag[C]//In International Conference on Future Computer and Communication, IEEE Computer Society Press,2009:700-703.
    [132]Lincoln Laboratory Massachusetts Institute of Technology[EB/OL]. http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/index.ht ml.
    [133]Ingsw S. High-Speed Networks and Internets Performance and Quality of Service [M]. New Jersey:Prentice Hall,2001.