Investigating application behavior in network traffic traces

Identifying encrypted application traffic is an important problem for many network tasks, including quality of service, firewall enforcement and security. This paper presents a machine learning based approach that identifies high-level application behavior in a given traffic trace holistically, without inspecting packet content and without relying on a single static attribute. We demonstrate the effectiveness of our approach as a forensic analysis tool on five encrypted applications, namely SSH, Skype, Gtalk, SSL (No Web) and HTTPS (Web Browsing), using traces captured from different networks. Results indicate that it is possible to identify high-level application behavior, such as unencrypted versus encrypted traffic, as well as the services running inside encrypted tunnels.
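The abstract describes classifying encrypted flows from their overall shape rather than from payload or from a single fixed attribute. The following is an added example, not code from the paper or its authors, that shows the kind of pipeline such an approach rests on: packets are grouped into bidirectional flows, each flow is summarized by payload-free statistics (packet count, size and inter-arrival distributions, direction balance, duration), and a nearest-centroid classifier is trained on labelled flows and applied to unseen ones. The packet trace, the two class labels ("interactive" for an SSH-like session, "bulk" for an HTTPS-like download) and the generator that produces them are constructed for the example and are not the paper's datasets or classes; the classifier is a deliberately simple stand-in for whatever learner a real deployment would use.

```python
"""Flow-feature extraction and nearest-centroid classification on a
constructed packet trace (example code, not the paper's implementation).
Only packet sizes, timing and direction reach the classifier: no payload,
no ports and no addresses are used as features."""
import math
import random
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float   # capture timestamp, seconds
    src: str    # endpoint ids are used only to group and orient a flow
    dst: str
    size: int   # bytes on the wire


def flow_key(p):
    """Direction-agnostic key so both halves of a conversation land in one flow."""
    return tuple(sorted([p.src, p.dst]))


def group_flows(packets):
    flows = {}
    for p in packets:
        flows.setdefault(flow_key(p), []).append(p)
    return {k: sorted(v, key=lambda p: p.ts) for k, v in flows.items()}


def flow_features(pkts):
    """Payload-free summary of one flow; 'forward' is the first packet's sender."""
    fwd = pkts[0].src
    sizes = [p.size for p in pkts]
    iats = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])] or [0.0]
    return [
        float(len(pkts)),
        mean(sizes), pstdev(sizes),
        mean(iats), pstdev(iats),
        sum(p.src == fwd for p in pkts) / len(pkts),   # fraction sent forward
        pkts[-1].ts - pkts[0].ts,                      # duration
    ]


class NearestCentroid:
    """Z-score each feature, then assign a flow to the closest class centroid."""

    def fit(self, X, y):
        cols = list(zip(*X))
        self.mu = [mean(c) for c in cols]
        self.sd = [pstdev(c) or 1.0 for c in cols]   # guard constant columns
        rows = {}
        for x, lab in zip(X, y):
            rows.setdefault(lab, []).append(self._scale(x))
        self.centroids = {lab: [mean(c) for c in zip(*r)] for lab, r in rows.items()}
        return self

    def _scale(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def predict(self, x):
        z = self._scale(x)
        return min(self.centroids, key=lambda lab: math.dist(z, self.centroids[lab]))


def make_flow(rng, kind, client, server, t0=0.0):
    """Constructed traffic: human-paced small packets vs. machine-paced bulk transfer."""
    pkts, t = [], t0
    if kind == "interactive":
        for i in range(rng.randint(20, 40)):
            t += rng.uniform(0.2, 1.5)
            src, dst = (client, server) if i % 2 == 0 else (server, client)
            pkts.append(Packet(t, src, dst, rng.randint(60, 140)))
    else:
        pkts.append(Packet(t, client, server, rng.randint(200, 400)))   # request
        for _ in range(rng.randint(30, 60)):
            t += rng.uniform(0.001, 0.02)
            pkts.append(Packet(t, server, client, rng.randint(1200, 1500)))
    return pkts


def build_trace(seed=7, per_class=10):
    """Labelled training trace: per_class flows of each constructed kind."""
    rng = random.Random(seed)
    packets, labels = [], {}
    for i in range(per_class):
        for kind in ("interactive", "bulk"):
            c, s = f"c{i}-{kind}", f"s{i}-{kind}"
            packets += make_flow(rng, kind, c, s, t0=rng.uniform(0, 100))
            labels[tuple(sorted([c, s]))] = kind
    return packets, labels


def train_classifier(seed=7):
    packets, labels = build_trace(seed)
    flows = group_flows(packets)
    keys = list(labels)
    return NearestCentroid().fit([flow_features(flows[k]) for k in keys],
                                 [labels[k] for k in keys])


def classify_trace(clf, packets):
    """Label every flow in an unlabelled trace."""
    return {k: clf.predict(flow_features(p)) for k, p in group_flows(packets).items()}


if __name__ == "__main__":
    clf = train_classifier()
    rng = random.Random(99)
    unseen = make_flow(rng, "bulk", "cx", "sx") + make_flow(rng, "interactive", "cy", "sy")
    print(classify_trace(clf, unseen))
```

With a real capture the `Packet` records would come from a pcap reader and the labels from ground truth, and the generator would be replaced by that data; the feature and classification steps stay the same. Note that none of the features depend on the payload, so they are unaffected by encryption, which is exactly why this style of analysis applies to SSH or TLS flows.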
