+=======================+=======+=============================+
   | Method                | Layer | Description                 |
   +=======================+=======+=============================+
   | Port-based            | L4    | Well-known ports (SSH=22)   |
   +-----------------------+-------+-----------------------------+
   | Protocol Signature    | L7    | Pattern matching in payload |
   +-----------------------+-------+-----------------------------+
   | TLS/SNI Analysis      | L7    | Server Name Indication      |
   +-----------------------+-------+-----------------------------+
   | DNS Correlation       | L7    | Map DNS queries to flows    |
   +-----------------------+-------+-----------------------------+
   | Certificate Analysis  | L7    | X.509 certificate fields    |
   +-----------------------+-------+-----------------------------+
   | Behavioral Heuristics | L3-L7 | Traffic patterns/timing     |
   +-----------------------+-------+-----------------------------+
   | Machine Learning      | L3-L7 | Trained classifiers         |
   +-----------------------+-------+-----------------------------+
   | IP Reputation         | L3    | Known service IP ranges     |
   +-----------------------+-------+-----------------------------+