Computer networks are carrying an ever-increasing number of traffic flows with diverse characteristics. In many cases, these characteristics are benign, such as user-generated Hypertext Transfer Protocol (HTTP) flows to benign servers. In other cases, traffic flows can exhibit malicious characteristics, such as flows associated with malware, data exfiltration, denial of service (DoS) attacks, etc.
Capturing traffic characteristics improves the functioning of the network by enabling network devices and network administrators to adjust the operations of the network dynamically. For example, a router or other networking device may leverage information about the application associated with a particular traffic flow to prioritize communication of the flow (e.g., video conferencing traffic may be much more sensitive to jitter or delays than email traffic). In another example, a networking device may use the captured traffic information to detect, and often prevent, network attacks and other anomalies in the network. In both examples, classification is typically performed in real time or in near real time, allowing the network to adapt quickly to changes in the traffic flows and the traffic flow characteristics that are present in the network.