• DocumentCode
    632565
  • Title
    Investigating application behavior in network traffic traces
  • Author
    Foroushani, Vahid Aghaei ; Zincir-Heywood, A. Nur
  • Author_Institution
    Fac. of Comput. Sci., Dalhousie Univ., Halifax, NS, Canada
  • fYear
    2013
  • fDate
    16-19 April 2013
  • Firstpage
    72
  • Lastpage
    79
  • Abstract
    Identifying encrypted application traffic is an important issue for many network tasks, including quality of service, firewall enforcement and security. This paper presents a machine-learning-based approach to identify high-level application behavior in a given traffic trace using a holistic approach, without looking into the content and without checking a static attribute. We demonstrate the effectiveness of our approach as a forensic analysis tool on five encrypted applications, namely SSH, Skype, Gtalk, SSL (No Web) and HTTPS (Web Browsing), using traces captured from different networks. Results indicate that it is possible to identify high-level application behavior, such as unencrypted versus encrypted traffic, as well as to identify services running in encrypted tunnels.
  • Keywords
    cryptography; digital forensics; firewalls; learning (artificial intelligence); quality of service; social networking (online); telecommunication traffic; Gtalk; HTTPS; SSH; SSL; Skype; Web browsing; computer network security; encrypted application traffic identification; encrypted tunnels; firewall enforcement; forensic analysis tool; high level application behavior identification; holistic approach; machine learning based approach; network traffic traces; quality of service; Classification algorithms; Clustering algorithms; Cryptography; Decision trees; Feature extraction; Ports (Computers); Training; Encrypted traffic identification; Performance measures; Security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computational Intelligence for Security and Defense Applications (CISDA), 2013 IEEE Symposium on
  • Conference_Location
    Singapore
  • Type
    conf
  • DOI
    10.1109/CISDA.2013.6595430
  • Filename
    6595430