LPI      OpenDPI         Nmap    L7 Filter   Classifier

Matched                        51.356       88.258       38.142       46.310       44.504
HTTP Subclassing               37.545        0.839        0.000       33.695       31.591
SSL Subclassing                 6.486        0.000        0.000        0.000        0.000
Reported Different              1.823        0.195       48.076        5.740        4.220
Reported Unknown                2.790       10.709       13.782       14.255       19.685


This table shows how the relative accuracy of each of the evaluated traffic
classifiers by comparing their classifications against those reported by PACE,
a commercial DPI tool. The values given in the table are the percentage of
traffic (in bytes) that fell into each of the 5 categories for any given 
traffic classifier.

A few definitions to help interpret the table:

LPI = libprotoident (our software!), 4 bytes of payload only
OpenDPI = essentially an open source of PACE, full DPI
Nmap = using port numbers to infer application
L7 Filter = well-known open source DPI library
Classifier = "the state of the art" according to a reviewer of our paper, requires no payload

Matched: The classifier matched PACE's classification.

HTTP Subclassing: DPI software can often further classify HTTP traffic based
on the Content-Type field, i.e. as mpeg video, flash, mp3 etc., while other
tools (notably libprotoident) can only classify it as HTTP. In these cases,
the classifications differ but both can be technically regarded as correct.

SSL Subclassing: Same as above, but for SSL traffic. Interestingly, in this
case, it is libprotoident that does the subclassing (between HTTPS, IMAPS and
other SSL).

Reported Different: The classifier suggested a specific protocol/application,
but the suggestion differed to the classification provided by PACE (and were 
not a subclass instance). We treat these as a failure.

Reported Unknown: The classifier did not classify the traffic, but PACE was
able to. This is also a failure case.