Entropy Estimation for Real-Time Encrypted Traffic Identification (Short Paper)

  • Peter Dorfinger
  • Georg Panholzer
  • Wolfgang John
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6613)


This paper describes a novel approach to classify network traffic into encrypted and unencrypted traffic. The classifier is able to operate in real-time as only the first packet of each flow is processed. The main metric used for classification is an estimation of the entropy of the first packet payload. The approach is evaluated based on encrypted ground truth traces and on real network traces. Encrypted traffic such as Skype, or encrypted eDonkey traffic are detected as encrypted with probability higher than 94%. Unencrypted protocols such as SMTP, HTTP, POP3 or FTP are detected as unencrypted with probability higher than 99.9%. The presented approach, named real-time encrypted traffic detector (RT-ETD), is well suited to operate as pre-filter for advanced classification approaches to enable their applicability on increased bandwidth.


entropy estimation real-time detection traffic filtering 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Lyda, R., Hamrock, J.: Using entropy analysis to find encrypted and packed malware. IEEE Security & Privacy 5(2), 40–45 (2007)CrossRefGoogle Scholar
  2. 2.
    Olivain, J., Goubault-Larrecq, J.: Detecting subverted cryptographic protocols by entropy checking. Research Report LSV-06-13, Laboratoire Spécification et Vérification, ENS Cachan (2006)Google Scholar
  3. 3.
    Pescape, A.: Entropy-based reduction of traffic data. IEEE Communications Letters 11(2), 191–193 (2007)CrossRefGoogle Scholar
  4. 4.
    Dorfinger, P., Panholzer, G., Trammell, B., Pepe, T.: Entropy-based traffic filtering to support real-time Skype detection. In: IWCMC, Caen, France, pp. 747–751 (2010)Google Scholar
  5. 5.
    Shannon, C.E.: A mathematical theory of communication. Bell System Technical Journal 27, 379–423, 625–656 (1948)MathSciNetCrossRefMATHGoogle Scholar
  6. 6.
    Schürmann, T.: Bias analysis in entropy estimation. Journal of Physics A: Mathematical and General 37(27), L295–L301 (2004)MathSciNetCrossRefMATHGoogle Scholar
  7. 7.
    Paninski, L.: A coincidence-based test for uniformity given very sparsely sampled discrete data. IEEE Transactions on Information Theory 54(10), 4750–4755 (2008)MathSciNetCrossRefMATHGoogle Scholar
  8. 8.
    Paninski, L.: Estimation of entropy and mutual information. Neural Computation 15(6), 1191–1253 (2003)CrossRefMATHGoogle Scholar
  9. 9.
    Dorfinger, P.: Real-Time Detection of Encrypted Traffic based on Entropy Estimation. Master’s thesis, Salzburg University of Applied Sciences, Austria (2010)Google Scholar
  10. 10.
    Hjelmvik, E., John, W.: Breaking and improving protocol obfuscation. Tech. Rep. 2010-05, Computer Science and Engineering, Chalmers University of Technology (2010), http://www.iis.se/docs/hjelmvik_breaking.pdf (28.01.2011)
  11. 11.
    Adami, D., Callegari, C., Giordano, S., Pagano, M., Pepe, T.: A Real-Time Algorithm for Skype Traffic Detection and Classification. In: Balandin, S., Moltchanov, D., Koucheryavy, Y. (eds.) ruSMART 2009. LNCS, vol. 5764, pp. 168–179. Springer, Heidelberg (2009)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Peter Dorfinger
    • 1
  • Georg Panholzer
    • 1
  • Wolfgang John
    • 2
  1. 1.Salzburg ResearchSalzburgAustria
  2. 2.Chalmers University of TechnologyGöteborgSweden

Personalised recommendations