In recent years, information leakage through the Internet has become a new social problem. Many information leakage incidents are caused by illegal applications such as Peer-to-Peer (P2P) file sharing software. To prevent information leakage, early detection and blocking of the traffic exchanged by illegal applications is strongly required. We have proposed a method for application identification based on the transition pattern of payload length of startup phase of the communication. The method can identify applications without using port numbers, which can be easily spoofed. However, the method can identify only applications which the method learned and cannot discriminate unlearned applications. In this paper, we propose a new application identification method by introducing "Unknown" category to handle flows of unlearned applications.