Title :
Detection of applications within encrypted tunnels using packet size distributions
Author :
Mujtaba, G. ; Parish, D.J.
Author_Institution :
Electron. & Electr. Eng. Dept., Loughborough Univ., Loughborough, UK
Abstract :
In protocol tunnelling, one application protocol is encapsulated within another carrier protocol. Application-layer tunnels are a security threat for networks because applications that are often restricted by firewalls, such as high data-rate games, peer-to-peer file sharing and video streaming, are carried through allowed protocols like HTTP or SSH, so the firewall policy is thwarted. Existing techniques for detecting applications across the network, e.g. packet payload analysis, are not very successful, especially in encrypted tunnels, i.e. ones using HTTPS or TLS/SSL as the carrier. This work describes a statistical approach to detect applications running inside encrypted tunnels. Previous work has shown the packet size distribution to be an effective metric for detecting most network applications; here the same technique is applied to encrypted tunnels. A statistical chi-square test is used to analyse the selected applications' packet size distributions. The results show that tunnelled applications can be detected from their packet size distributions even when the tunnel is encrypted.
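The abstract describes the method only at a high level: bin the packet sizes of a flow into a histogram, compare that histogram against reference distributions learned for known applications, and use a chi-square goodness-of-fit test to decide which, if any, reference the flow is consistent with. The following is an added example written for this page, not code from the paper; the bin edges, the three reference profiles and the two sample flows are constructed for illustration, and the 5% critical values are the standard chi-square table entries. Because the tunnel is encrypted, only sizes are used, never payload.

```python
"""Identify the application inside an encrypted tunnel from its packet size
distribution with a chi-square goodness-of-fit test against reference profiles.

Added example for this page; the profiles, bin edges and flows below are
constructed for illustration, not measurements from the paper.
"""

from typing import Dict, List, Sequence, Tuple

# Upper edges (exclusive) of the packet size bins in bytes; sizes >= 1024 go
# into the last bin.  Six bins gives 5 degrees of freedom for the test.
BIN_EDGES = (64, 128, 256, 512, 1024)
NUM_BINS = len(BIN_EDGES) + 1

# Chi-square critical values at alpha = 0.05, indexed by degrees of freedom.
CHI2_CRIT_95 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488,
                5: 11.070, 6: 12.592, 7: 14.067}

# Constructed reference profiles: per-bin proportion of packets for each
# application class, as would be learned from labelled flows.  Every
# proportion must be > 0, otherwise an observed packet in a bin with zero
# expected count makes the statistic infinite; smooth profiles before use.
PROFILES: Dict[str, List[float]] = {
    "video_stream":    [0.05, 0.05, 0.05, 0.05, 0.10, 0.70],
    "interactive_ssh": [0.50, 0.30, 0.10, 0.05, 0.03, 0.02],
    "web_browsing":    [0.30, 0.10, 0.10, 0.10, 0.10, 0.30],
}


def bin_index(size: int) -> int:
    """Map a packet size in bytes to its histogram bin."""
    for i, edge in enumerate(BIN_EDGES):
        if size < edge:
            return i
    return NUM_BINS - 1


def histogram(sizes: Sequence[int]) -> List[int]:
    """Observed packet counts per bin for one flow."""
    counts = [0] * NUM_BINS
    for s in sizes:
        counts[bin_index(s)] += 1
    return counts


def chi_square(observed: Sequence[int], proportions: Sequence[float]) -> float:
    """Pearson chi-square statistic: sum over bins of (O - E)^2 / E, where
    E = N * p for the reference proportion p of that bin."""
    if len(observed) != len(proportions):
        raise ValueError("bin count mismatch between flow and profile")
    if any(p <= 0 for p in proportions):
        raise ValueError("reference proportions must all be positive")
    n = sum(observed)
    return sum((o - n * p) ** 2 / (n * p) for o, p in zip(observed, proportions))


def classify(sizes: Sequence[int],
             profiles: Dict[str, List[float]] = PROFILES,
             min_packets: int = 30) -> Tuple[str, float, bool]:
    """Return (best profile, its statistic, consistent-at-5%).

    The boolean is True when the chi-square test cannot reject, at alpha =
    0.05, that the flow was drawn from the best-matching profile; a flow whose
    minimum statistic still exceeds the critical value matches nothing known.
    Short flows are refused: the test is unreliable with few packets per bin.
    """
    if len(sizes) < min_packets:
        raise ValueError(f"need at least {min_packets} packets, got {len(sizes)}")
    counts = histogram(sizes)
    scores = {name: chi_square(counts, p) for name, p in profiles.items()}
    best = min(scores, key=scores.get)
    critical = CHI2_CRIT_95[NUM_BINS - 1]
    return best, scores[best], scores[best] <= critical


# Constructed sample flows (TLS record sizes as seen on the wire, in bytes).
# One looks like a video stream (mostly full-size segments); the other has a
# shape that matches none of the profiles.
VIDEO_LIKE_FLOW = [40] * 6 + [100] * 4 + [200] * 5 + [400] * 5 + [800] * 10 + [1460] * 70
ODD_FLOW = [200] * 50 + [400] * 50


if __name__ == "__main__":
    for name, flow in (("video-like", VIDEO_LIKE_FLOW), ("odd", ODD_FLOW)):
        label, stat, ok = classify(flow)
        verdict = "consistent" if ok else "no profile fits"
        print(f"{name:10s} -> {label:16s} chi2={stat:8.2f}  {verdict}")
```

Two caveats a practitioner would apply before trusting this on real traffic: the chi-square rule of thumb wants an expected count of at least about five per bin, so either collect enough packets per flow or merge sparse bins; and a tunnelled application can deliberately pad or fragment records to mimic another profile, so a size-distribution detector is a firewall-policy aid, not a guarantee.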
Keywords :
cryptography; protocols; statistical analysis; HTTP; TLS/SSL protocols; application protocol; application-layer tunnels; carrier protocol; firewall policy; packet data analysis; packet size distributions; peer-to-peer file sharing; protocol tunnelling; statistical chi-square test; statistical approach; tunnel encryption; video streaming;
Conference_Titel :
Internet Technology and Secured Transactions, 2009. ICITST 2009. International Conference for
Conference_Location :
London
Print_ISBN :
978-1-4244-5647-5
DOI :
10.1109/ICITST.2009.5402624