Entropy Estimation for Real-Time Encrypted Traffic Identification (Short Paper)
This paper describes a novel approach to classify network traffic into encrypted and unencrypted traffic. The classifier is able to operate in real-time as only the first packet of each flow is processed. The main metric used for classification is an estimation of the entropy of the first packet payload. The approach is evaluated based on encrypted ground truth traces and on real network traces. Encrypted traffic such as Skype, or encrypted eDonkey traffic are detected as encrypted with probability higher than 94%. Unencrypted protocols such as SMTP, HTTP, POP3 or FTP are detected as unencrypted with probability higher than 99.9%. The presented approach, named real-time encrypted traffic detector (RT-ETD), is well suited to operate as pre-filter for advanced classification approaches to enable their applicability on increased bandwidth.
Keywordsentropy estimation real-time detection traffic filtering
Unable to display preview. Download preview PDF.
- 2.Olivain, J., Goubault-Larrecq, J.: Detecting subverted cryptographic protocols by entropy checking. Research Report LSV-06-13, Laboratoire Spécification et Vérification, ENS Cachan (2006)Google Scholar
- 4.Dorfinger, P., Panholzer, G., Trammell, B., Pepe, T.: Entropy-based traffic filtering to support real-time Skype detection. In: IWCMC, Caen, France, pp. 747–751 (2010)Google Scholar
- 9.Dorfinger, P.: Real-Time Detection of Encrypted Traffic based on Entropy Estimation. Master’s thesis, Salzburg University of Applied Sciences, Austria (2010)Google Scholar
- 10.Hjelmvik, E., John, W.: Breaking and improving protocol obfuscation. Tech. Rep. 2010-05, Computer Science and Engineering, Chalmers University of Technology (2010), http://www.iis.se/docs/hjelmvik_breaking.pdf (28.01.2011)