Abstract
Most tools that recognize the application associated with network connections use well-known signatures as the basis for their classification. This approach is very effective in enterprise and campus networks to pinpoint forbidden applications (peer-to-peer, for instance) or security threats. However, it is easy to use encryption to evade these mechanisms. In particular, Secure Sockets Layer (SSL) libraries such as OpenSSL are widely available and can easily be used to encrypt any type of traffic. In this paper, we propose a method to detect applications in SSL-encrypted connections. Our method uses only the size of the first few packets of an SSL connection to recognize the application, which enables an early classification. We test our method on packet traces collected on two campus networks and on manually encrypted traces. Our results show that we are able to recognize the application in an SSL connection with more than 85% accuracy.
Keywords
- Packet Size
- Encryption Algorithm
- Secure Socket Layer
- Transport Layer Security
- Campus Network
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Copyright information
© 2007 Springer Berlin Heidelberg
About this paper
Cite this paper
Bernaille, L., Teixeira, R. (2007). Early Recognition of Encrypted Applications. In: Uhlig, S., Papagiannaki, K., Bonaventure, O. (eds) Passive and Active Network Measurement. PAM 2007. Lecture Notes in Computer Science, vol 4427. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-71617-4_17
DOI: https://doi.org/10.1007/978-3-540-71617-4_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-71616-7
Online ISBN: 978-3-540-71617-4
eBook Packages: Computer Science (R0)