===========================================================================
CCR Review #203A
Updated Wednesday 19 Oct 2011 9:03:48am EDT
---------------------------------------------------------------------------
Paper #203: Libprotoident: Traffic Classification Using Lightweight Packet Inspection
---------------------------------------------------------------------------

Timeliness: 3. Well-established topic but still being worked on
Novelty: 2. Solid but incremental contribution
Clarity: 3. Clear, but with rough patches
Recommendation: 2. Revise-and-resubmit to next issue

===== Summary of contribution =====

This paper describes a light-weight packet inspection tool that can identify flow applications using at most four bytes of payload. The authors compare the tool with other software and show that this tool is reasonably accurate, fast, and memory efficient. Authoring such a tool and making it open source and publicly available is a major contribution.

Overall this paper is very well written and easy to understand. After reading the paper, however, I still have a few questions, as detailed below.

===== Detailed comments =====

1, Section 3, IMPLEMENTATION. During reading this paper, the reader expected this section to contain more detailed description of your design and algorithm used in libprotoident. This section includes only very shallow touch on a few related technologies used (i.e., 4B payload, payload size, port, ip), and they are not united in a coherent way in your description. This is the weakest point of the paper.

2, Section 4, EVALUATION. You used PACE as the ground truth, but as you said in the 2nd last paragraph of Subsection 4.2, "PACE reported 25 MB of EDonkey traffic and 50 MB of Gnutella. By contrast, there was 19 GB of BitTorrent traffic observed in the ISP dataset." So it seems that PACE is not very accurate at least in some situation. Therefore comparing all other tools against PACE can be misleading. You must provide more evidence that PACE is sufficiently accurate to serve as a standard to compare against.

3, Why do you need to fix the required payload size to 4 bytes? As shown in your HTTP results, that can make your tool very inaccurate since 4B payload does not provide you sufficient information in this case. Therefore, my suggestion is, could you make it a tunable parameter which the users can set according to their needs and the cost/privacy constraints? This might make your tool more accurate at some extra cost, but you leave the decision to the users, which could be a nice feature.

===========================================================================
CCR Review #203B
Updated Saturday 5 Nov 2011 2:08:57am EDT
---------------------------------------------------------------------------
Paper #203: Libprotoident: Traffic Classification Using Lightweight Packet Inspection
---------------------------------------------------------------------------

Timeliness: 3. Well-established topic but still being worked on
Novelty: 1. Little to add to existing work
Clarity: 3. Clear, but with rough patches
Recommendation: 3. Reject

===== Summary of contribution =====

This paper proposes libprotoident, a library for light-weight packet classification that uses only 4 bytes of payload.

===== Detailed comments =====

The paper really needs to compare this work against the state of the art in this area. For example, the work on "early application identification" only uses the packet size information of the first few packets in a connection and requires no access to packet payload at all. See:

Early Application Identification. Laurent Bernaille, Renata Teixeira and Kavé Salamatian. Conference on Future Networking Technologies (CONEXT 2006)

Early Recognition of Encrypted Applications. Laurent Bernaille, Renata Teixeira. Passive and Active Measurement Conference (PAM). April, 2007. Louvain-la-neuve, Belgium

http://rp.lip6.fr/~teixeira/bernaill/earlyclassif.html