Early Recognition of Encrypted Applications

  • Laurent Bernaille
  • Renata Teixeira
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4427)


Most tools that recognize the application associated with network connections use well-known signatures as the basis for their classification. This approach is very effective in enterprise and campus networks to pinpoint forbidden applications (peer-to-peer, for instance) or security threats. However, it is easy to use encryption to evade these mechanisms. In particular, Secure Sockets Layer (SSL) libraries such as OpenSSL are widely available and can easily be used to encrypt any type of traffic. In this paper, we propose a method to detect applications in SSL-encrypted connections. Our method uses only the size of the first few packets of an SSL connection to recognize the application, which enables early classification. We test our method on packet traces collected on two campus networks and on manually encrypted traces. Our results show that we are able to recognize the application in an SSL connection with more than 85% accuracy.


Packet Size; Encryption Algorithm; Secure Socket Layer; Transport Layer Security; Campus Network
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Laurent Bernaille (1)
  • Renata Teixeira (1)
  1. Université Pierre et Marie Curie - LIP6-CNRS, Paris, France
