A Survey on Encrypted Traffic Classification

  • Zigang Cao
  • Gang Xiong
  • Yong Zhao
  • Zhenzhen Li
  • Li Guo
Part of the Communications in Computer and Information Science book series (CCIS, volume 490)


With the widespread use of encryption techniques in network applications, encrypted network traffic has recently become a great challenge for network management. Studies on encrypted traffic classification not only help to improve the network service quality, but also assist in enhancing network security. In this paper, we first introduce the basic information of encrypted traffic classification, emphasizing the influences of encryption on current classification methodology. Then, we summarize the challenges and recent advances in encrypted traffic classification research. Finally, the paper is ended with some conclusions.


traffic classification encrypted traffic statistical classification fine-grained behavior based 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
    BitTorrent protocol encryption-Wikipedia, http://en.wikipedia.org/wiki/BitTorrent_protocol_encryption
  3. 3.
  4. 4.
    Goldschlag, D., Reed, M., Syverson, P.: Onion routing. Communications of the ACM 42(2), 39–41 (1999)CrossRefGoogle Scholar
  5. 5.
    Tankard, C.: Advanced Persistent threats and how to monitor and deter them. Network Security 2011(8), 16–19 (2011)CrossRefGoogle Scholar
  6. 6.
    Valenti, S., Rossi, D., Dainotti, A., Pescapè, A., Finamore, A., Mellia, M.: Reviewing traffic classification. In: Biersack, E., Callegari, C., Matijasevic, M., et al. (eds.) Data Traffic Monitoring and Analysis. LNCS, vol. 7754, pp. 123–147. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  7. 7.
    Dainotti, A., Pescape, A., Claffy, K.: Issues and future directions in traffic classification. IEEE Network 26(1), 35–40 (2012)CrossRefGoogle Scholar
  8. 8.
    Hu, B., Shen, Y.: Machine learning based network traffic classification: A Survey. Journal of Information and Computational Science 9(11), 3161–3170 (2012)MathSciNetGoogle Scholar
  9. 9.
    Nguyen, T., Armitage, G.: A survey of techniques for internet traffic classification using machine learning. IEEE Communications Surveys and Tutorials 10(4), 56–76 (2008)CrossRefGoogle Scholar
  10. 10.
  11. 11.
    JAP – ANONYMITY & PRIVACY, http://anon.inf.tu-dresden.de/index_en.html
  12. 12.
    Service Name and Transport Protocol Port Number Registry, http://www.iana.org/assignments/service-names-port-numbers
  13. 13.
    Dubrawsky, I.: Firewall evolution - deep packet inspection. Infocus (July 2003), http://www.symantec.com/connect/articles/firewall-evolution-deep-packet-inspection
  14. 14.
    Finamore, A., Mellia, M., Meo, M., et al.: Kiss: Stochastic packet inspection. In: The First International Workshop on Traffic Monitoring and Analysis, pp. 117–125 (2009)Google Scholar
  15. 15.
    Tsirtsis, G.: Network address translation-protocol translation (NAT-PT). RFC 2766, IETF (2000)Google Scholar
  16. 16.
    Alshammari, R., Zincir-Heywood, A.N.: A flow based approach for SSH traffic detection. In: IEEE International Conference on Systems, Man and Cybernetics, pp. 296–301 (2007)Google Scholar
  17. 17.
    Wright, C., Coulls, S., Monrose, F.: Traffic morphing: an efficient defense against statistical traffic analysis. In: The 14th Annual Network and Distributed Systems Symposium (2009)Google Scholar
  18. 18.
    Mohajeri, M.H., Li, B., Derakhshani, M., et al.: Skypemorph: protocol obfuscation for tor bridges. In: 2012 ACM Conference on Computer and Communications Security, pp. 97–108 (2012)Google Scholar
  19. 19.
    Dyer, K.P., Coull, S.E., Ristenpart, T., et al.: Protocol misidentification made easy with format-transforming encryption. In: 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 61–72 (2013)Google Scholar
  20. 20.
    Alshammari, R., Zincir-Heywood, A.: Machine learning based encrypted traffic classification: identifying SSH and skype. In: the 2009 IEEE Symposium on Computation Intelligence in Security and Defense Applications, pp. 1–8 (2009)Google Scholar
  21. 21.
    Bacquet, C., Gumus, K., Tizer, D., Zincir-Heywood, A., Heywood, M.: A comparison of unsupervised learning techniques for encrypted traffic identification. Journal of Information Assurance and Security 5, 464–472 (2010)Google Scholar
  22. 22.
    Bar - Yanai, R., Langberg, M., Peleg, D., Roditty, L.: Realtime classification for encrypted traffic. In: Festa, P., et al. (eds.) SEA 2010. LNCS, vol. 6049, pp. 373–385. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  23. 23.
    Dainotti, A., Pescapé, A., Sansone, C.: Early classification of network traffic through multi-classification. In: Domingo-Pascual, J., Shavitt, Y., Uhlig, S. (eds.) TMA 2011. LNCS, vol. 6613, pp. 122–135. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  24. 24.
    Jaber, M., Cascella, R.G., Barakat, C.: Using host profiling to refine statistical application identification. In: The 2012 IEEE INFOCOM, pp. 2746–2750 (2012)Google Scholar
  25. 25.
    Bacquet, C., Zincir-Heywood, A., Heywood, M.: Genetic optimization and hierarchical clustering applied to encrypted traffic identification. In: IEEE Symposium on Computational Intelligence on Cyber Security, pp. 194–201 (2011)Google Scholar
  26. 26.
    Xie, G., Iliofotou, M., Keralapura, R., et al.: SubFlow: towards practical flow-level traffic classification. In: IEEE INFOCOM, pp. 2541–2545 (2012)Google Scholar
  27. 27.
    Hirvonen, M., Sailio, M.: Two-phased method for identifying ssh encrypted application flows. In: The 7th International Conference on Wireless Communications and Mobile Computing (IWCMC), pp. 1033–1038 (2011)Google Scholar
  28. 28.
    Adami, D., Callegari, C., Giordano, S., et al.: Skype-Hunter: A real-time system for the detection and classification of Skype traffic. International Journal of Communication Systems 25(3), 386–403 (2012)CrossRefGoogle Scholar
  29. 29.
    Korczynski, M., Duda, A.: Classifying service flows in the encrypted skype traffic. In: 2012 IEEE International Conference on Communications (ICC), pp. 1064–1068 (2012)Google Scholar
  30. 30.
    Grimaudo, L., Mellia, M., Baralis, E.: Hierarchical learning for fine grained internet traffic classification. In: The 8th International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 463–468 (2012)Google Scholar
  31. 31.
    Karagiannis, T., Papagiannaki, K., Faloutsos, M.: BLINC: multilevel traffic classification in the dark. ACM SIGCOMM Computer Communication Review 35(4), 229–240 (2005)CrossRefGoogle Scholar
  32. 32.
    Li, B., Ma, M., Jin, Z.: A VoIP traffic identification scheme based on host and flow behavior analysis. Journal of Network and Systems Management 19(1), 111–129 (2011)CrossRefGoogle Scholar
  33. 33.
    Hurley, J., Garcia-Palacios, E., Sezer, S.: Host-based P2P flow identification and use in real-time. ACM Transactions on the Web (TWEB) 5(2), 7 (2011)Google Scholar
  34. 34.
    Schatzmann, D., Mühlbauer, W., Spyropoulos, T., et al.: Digging into HTTPS: flow-based classification of webmail traffic. In: 10th ACM SIGCOMM Conference on Internet Measurement, pp. 322–327 (2010)Google Scholar
  35. 35.
    Bermolen, P., Mellia, M., Meo, M., et al.: Abacus: Accurate behavioral classification of P2P-TV traffic. Computer Networks 55(6), 1394–1411 (2011)CrossRefGoogle Scholar
  36. 36.
    Xiong, G., Huang, W., Zhao, Y., Song, M., Li, Z., Guo, L.: Real-time detection of encrypted thunder traffic based on trustworthy behavior association. In: Yuan, Y., Wu, X., Lu, Y. (eds.) ISCTCS 2012. CCIS, vol. 320, pp. 132–139. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  37. 37.
    Korczynski, M., Duda, A.: Markov chain fingerprinting to classify encrypted traffic. In: 2014 IEEE INFOCOM, pp. 781–789 (2014)Google Scholar
  38. 38.
  39. 39.
    Weinberg, Z., Wang, J., Yegneswaran, V., et al.: StegoTorus: a camouflage proxy for the Tor anonymity system. In: The 2012 ACM Conference on Computer and Communications Security, pp. 109–120 (2012)Google Scholar
  40. 40.
    Iacovazzi, A., Baiocchi, A.: From ideality to practicability in statistical packet features masking. In: The 8th International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 456–462 (2012)Google Scholar
  41. 41.
    Dyer, K., Coull, S., Ristenpart, T., Shrimpton, T.: Peek-a-boo, i still see you: why efficient traffic analysis countermeasures fail. In: The 2012 IEEE Symposium on Security and Privacy, pp. 332–346 (2012)Google Scholar
  42. 42.
    Houmansadr, A., Brubaker, C., Shmatikov, V.: The parrot is dead: observing unobservable network communications. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 65–79 (2013)Google Scholar
  43. 43.
    Wang, Y., Xiang, Y., Zhang, J., et al.: Internet traffic clustering with constraints. In: The 8th International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 619–624 (2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Zigang Cao
    • 1
    • 2
  • Gang Xiong
    • 2
  • Yong Zhao
    • 2
  • Zhenzhen Li
    • 2
  • Li Guo
    • 2
  1. 1.Beijing University of Posts and TelecommunicationsBeijingChina
  2. 2.Institute of Information EngineeringChinese Academy of SciencesBeijingChina

Personalised recommendations