Skip to main content

Early Recognition of Encrypted Applications

  • Conference paper
Passive and Active Network Measurement (PAM 2007)

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 4427))

Included in the following conference series:


Most tools to recognize the application associated with network connections use well-known signatures as basis for their classification. This approach is very effective in enterprise and campus networks to pinpoint forbidden applications (peer to peer, for instance) or security threats. However, it is easy to use encryption to evade these mechanisms. In particular, Secure Sockets Layer (SSL) libraries such as OpenSSL are widely available and can easily be used to encrypt any type of traffic. In this paper, we propose a method to detect applications in SSL encrypted connections. Our method uses only the size of the first few packets of an SSL connection to recognize the application, which enables an early classification. We test our method on packet traces collected on two campus networks and on manually-encrypted traces. Our results show that we are able to recognize the application in an SSL connection with more than 85% accuracy.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others


  1. Karagiannis, T., Broido, A., Brownlee, N., Claffy, K., Faloutsos, M.: Is p2p dying or just hiding? In: Globecom (2004)

    Google Scholar 

  2. Paxson, V.: Bro: a system for detecting network intruders in real-time. Computer Networks 31(23–24), 2435–2463 (1999),

    Article  Google Scholar 

  3. Snort:

  4. Ma, Levchenko, Kreibich, Savage, Voelker: Unexpected means of protocol inference. In: Internet Measurement Confererence (2006)

    Google Scholar 

  5. Song, D.X., Wagner, D., Tian, X.: Timing analysis of keystrokes and timing attacks on ssh. In: Proc. 10th USENIX Security Symposium, Aug. 2001 (2001),

  6. Hintz, A.: Fingerprinting websites using traffic analysis (2002)

    Google Scholar 

  7. Roughan, M., Sen, S., Spatscheck, O., Duffield, N.: A statistical signature-based approach to ip traffic classification. In: IMC (2004)

    Google Scholar 

  8. McGregor, A., Hall, M., Lorier, P., Brunskill, J.: Flow clustering using machine learning techniques. In: Passive and Active Measurement (2004)

    Google Scholar 

  9. Zuev, D., Moore, A.: Traffic classification using a statistical approach. In: Passive and Active Measurement (2005)

    Google Scholar 

  10. Moore, A., Zuev, D.: Internet traffic classification using bayesian analysis. In: Sigmetrics (2005)

    Google Scholar 

  11. Erman, J., Arlitt, M., Mahanti, A.: Traffic classification using clustering algorithms. In: MineNet ’06: Proceedings of the 2006 SIGCOMM workshop on Mining network data, Pisa, Italy, pp. 281–286. ACM Press, New York (2006), doi:10.1145/1162678.1162679

    Chapter  Google Scholar 

  12. Bernaille, L., Teixeira, R., Akodkenou, I., Soule, A., Salamatian, K.: Traffic classification on the fly. SIGCOMM Comput. Commun. Rev. 36(2), 23–26 (2006), doi:10.1145/1129582.1129589

    Article  Google Scholar 

  13. Bernaille, L., Teixeira, R., Salamatian, K.: Early application identification. In: To appear in Conference on Future Networking Technologies (2006)

    Google Scholar 

  14. Wright, Monrose, Masson: On inferring application protocol behaviors in encrypted network traffic. The Journal of Machine Learning Research, Special Topic on Machine Learning for Computer Security (2006)

    Google Scholar 

  15. Karagiannis, T., Papagiannaki, D., Faloutsos, M.: Blinc: Multilevel traffic classification in the dark. In: SIGCOMM (2005)

    Google Scholar 

  16. Wright, Monrose, Masson: Using visual motifs to classify encrypted traffic. In: Workshop on Visualization for Computer Security (2006)

    Google Scholar 

  17. SSLv2:

  18. SSLv3.0:

  19. TLS:

  20. Netcraft:

Download references

Author information

Authors and Affiliations


Editor information

Steve Uhlig Konstantina Papagiannaki Olivier Bonaventure

Rights and permissions

Reprints and permissions

Copyright information

© 2007 Springer Berlin Heidelberg

About this paper

Cite this paper

Bernaille, L., Teixeira, R. (2007). Early Recognition of Encrypted Applications. In: Uhlig, S., Papagiannaki, K., Bonaventure, O. (eds) Passive and Active Network Measurement. PAM 2007. Lecture Notes in Computer Science, vol 4427. Springer, Berlin, Heidelberg.

Download citation

  • DOI:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-71616-7

  • Online ISBN: 978-3-540-71617-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics