DocumentCode :
556171
Title :
Identification of anomalies on encrypted communications based on multi-scale behavior modeling
Author :
Rocha, Eduardo ; Salvador, Paulo ; Nogueira, António ; Rodrigues, Joel
Author_Institution :
Dept. of Electron., Telecommun. & Inf., U. of Aveiro, Aveiro, Portugal
fYear :
2011
fDate :
5-7 Oct. 2011
Firstpage :
1
Lastpage :
7
Abstract :
Internet usage has increased drastically in the past years due to the emergence of new services and applications such as voice, video streaming, video-conference, e-banking, etc. As the number of Internet users increased, the number of illegal activities, like spam, data and identity theft, among others, also increased in an exponential way. Identifying Internet applications became a very important task for several purposes, such as traffic engineering, quality of service, network optimization and, obviously, security. Several identification methodologies have been proposed, ranging from simple approaches like port-based methodologies to more generic approaches, like protocol statistical analysis. However, the frequent use of traffic encryption does not allow inspection based on the packet payload, triggering the need for new methodologies that can provide an accurate mapping of traffic to their generating protocols based only on traffic flow statistics. This paper presents an identification methodology that relies on a multi-scale analysis of sampled traffic flows, enabling the identification of illicit activities on encrypted communications scenarios. Several multi-scale quantifiers are obtained from the multi-scale analysis of captured flows and the classification of these flows is then based on identifying the time-scales where the different multi-scale quantifiers are better discriminated. Two different approaches are used in the classification procedure: one that is based on the distances between the quantiles of the empirical distributions, assuming that the multi-scale quantifiers follow a generic probability distribution, and another methodology that assumes that the multi-scale quantifiers follow Gaussian distributions.
The methodology was applied to some of the most used licit Internet applications and two popular illicit applications, and the results obtained show that the proposed approach is able to accurately classify Internet traffic and identify illicit activities.
Keywords :
Gaussian distribution; Internet; cryptographic protocols; statistical analysis; telecommunication security; Gaussian distributions; Internet users; encrypted communications; multiscale analysis; multiscale behavior modeling; protocol statistical analysis; sampled traffic flows; traffic encryption; traffic flow statistics; Cryptography; Gaussian distribution; Internet; Payloads; Protocols; Stochastic processes; Illicit traffic; encrypted communications; multi-scale analysis; multi-scale modeling;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT), 2011 3rd International Congress on
Conference_Location :
Budapest
ISSN :
2157-0221
Print_ISBN :
978-1-4577-0682-0
Type :
conf
Filename :
6078872
Link To Document :