At a glance

  • Grant: nr 2011/01/N/ST6/07202, funded by the Polish National Science Centre
  • Project name: Multilevel traffic classification in the Internet
  • Polish name: Wielopoziomowa klasyfikacja ruchu w sieci Internet
  • Time: 7 Dec 2011 - 6 Dec 2013 (closed)
  • Principal investigator: Paweł Foremski, MSc Eng., IITiS PAN, email: <pjf [at] iitis.pl>
  • Research supervisor: Prof. Michele Pagano, University of Pisa, email: <m.pagano [at] iet.unipi.it>


The Internet has been constantly evolving since its inception. For more than a decade it has been growing in capacity and versatility at a great pace, often requiring Internet Service Providers to update and extend their infrastructure in a timely manner.

These changes are connected with the invention of new kinds of computer software, which in turn generate new types of network traffic. However, the fundamental protocol of the Internet, the IP protocol, does not provide a robust and universal means to differentiate one traffic type from another. Thus, identifying a particular application in Internet transmissions is not a trivial task, yet it is very important.

For instance, a typical Internet end-user demands safe and fast Internet access. An Internet Service Provider that is to fulfil such a requirement must be able to monitor the traffic for potential threats and to impose proper prioritization on the traffic. Moreover, there are political and research organizations which monitor the global Internet. Observing the share of P2P traffic in the Internet transmissions of a particular country could reveal trends in its society. Work in these areas cannot be done without a reliable source of information.

A fundamental question remains: given an Internet transmission, what is the name of the application that produced it? This is the problem of traffic classification.

Project goals

The goal of the project is the development of an Internet traffic classification system working in real time. Fundamental research is planned on the simultaneous use of diverse levels of traffic features. The system will be able to determine the kind of traffic, identify particular applications and highlight potential security threats.

The project will bring two key innovations to traffic classification science: a new performance evaluation utility and a classification decision combiner, able to provide detailed information and to signal traffic anomalies.

The project results will be computer software implementing the system and research documentation in the form of scientific publications. New improvements to traffic classification research, and to its usage in general, are expected to be found.


Dec 2011 - Mar 2012
  • Collecting IP traffic samples for performance evaluation.
  • Work on a research method for automatic collection of traffic samples on the level of the operating system.
  • Software implementation.
  • Preparation of research tools for the next task.

Apr 2012 - Sep 2012
  • Survey and comparison of existing classification algorithms for usage in the research project.

Oct 2012 - May 2013
  • Development of the key classification and anomaly signalization method by decision integration.
  • Implementation prototype and preliminary performance evaluation.

June 2013 - Aug 2013
  • Final software implementation of the system.

Sep 2013 - Sep 2013
  • System performance evaluation.

Oct 2013 - Nov 2013
  • Summary.
  • Evaluation of how far the project goals were fulfilled, suggestions for future research.
  • Popularization of the results.


  • Research tool: a C library for capturing application network traffic using the Linux ptrace function.
  • Method for automated capture of network traffic samples from a particular application.
  • Survey and comparison of existing traffic classification methods.
  • Development of traffic classification and anomaly detection methods by combining multiple views on the traffic.
  • Implementation of the methods developed in the project as software running under Linux.
  • Publication of articles on findings of the project.