DocumentCode
514353
Title
A framework for tunneled traffic analysis
Author
Yildirim, Taner ; Radcliffe, P.J.
Author_Institution
Sch. of Electr. & Comput. Eng., RMIT Univ., Melbourne, VIC, Australia
Volume
2
fYear
2010
fDate
7-10 Feb. 2010
Firstpage
1029
Lastpage
1034
Abstract
Research in traffic classification is reaching into ever more difficult areas. Traditional techniques such as header and payload inspection are not providing sufficient information due to usage of non-standard ports and encryption. Promising alternative methods have been proposed based on the statistical behaviour of traffic flows. Although these methods can achieve quite high accuracies in non-encrypted traffic flows, traffic identification of encrypted traffic flows is still in its early stages. We argue that the results to date for encrypted traffic cannot help a network device such as a firewall make any useful decision, nor are there any indications that this may be achieved in the future. We propose a novel approach to cope with encrypted peer to peer network layer tunnels, which are a particular problem in schools, universities, and larger corporate networks. First, statistical techniques are used to identify the protocols present, a process that may take in the order of seconds. Next, based on the protocols discovered and enterprise policies, a network device is advised to block, band-limit, or allow the whole tunnel, or a range of packet sizes within that tunnel. Preliminary research has concluded that VoIP traffic can be successfully handled by this approach and that advice to a network device can be practically useful. Work continues to apply these techniques to other protocols and mixes of protocols within peer to peer tunnels.
Keywords
Internet telephony; cryptography; peer-to-peer computing; protocols; statistical analysis; telecommunication traffic; VoIP traffic; encrypted peer to peer network layer tunnels; encrypted traffic flows; statistical techniques; traffic classification; tunneled traffic analysis; Cryptography; Inspection; Internet telephony; Machine learning algorithms; Payloads; Peer to peer computing; Protocols; Telecommunication traffic; Videoconference; Virtual private networks; Encrypted Traffic; IPSec; Traffic Classification; VPN; VoIP;
fLanguage
English
Publisher
ieee
Conference_Titel
Advanced Communication Technology (ICACT), 2010 The 12th International Conference on
Conference_Location
Phoenix Park
ISSN
1738-9445
Print_ISBN
978-1-4244-5427-3
Type
conf
Filename
5440217