Application identification from encrypted traffic based on characteristic changes by encryption

Network operators pay close attention to application identification in order to manage application-based traffic control in the Internet. However, encryption is one of the factors that make application identification difficult, because it is very hard to infer the original (unencrypted) packets from encrypted packets. As a result, the accuracy of application identification is getting worse as encrypted traffic increases. In this paper, the changes in traffic features due to encryption are analyzed, and two methods are developed that can be used with an existing method for identifying applications from encrypted traffic. Experimental results show that these methods improve identification accuracy up to 28.5% for encrypted traffic compared to existing methods. Moreover, identification using the best combination of flow features enables high accuracy with less computation, due to the elimination of features that do not follow a Gaussian distribution and thus degrade accuracy.
