Classifying encrypted traffic using adaptive fingerprints with multi-level attributes

Cited by: 3
Authors
Liu, Chang [1, 2]
Xiong, Gang [1, 2]
Gou, Gaopeng [1, 2]
Yiu, Siu-Ming [3]
Li, Zhen [1, 2]
Tian, Zhihong [4]
Affiliations
[1] Chinese Acad Sci, Inst Informat Engn, Beijing, Peoples R China
[2] Univ Chinese Acad Sci, Sch Cyber Secur, Beijing, Peoples R China
[3] Univ Hong Kong, Dept Comp Sci, Hong Kong, Peoples R China
[4] Guangzhou Univ, Cyberspace Inst Adv Technol, Guangzhou, Peoples R China
Source
WORLD WIDE WEB-INTERNET AND WEB INFORMATION SYSTEMS | 2021 / Vol. 24 / Issue 06
Keywords
Encrypted traffic classification; Fingerprint; Multi-attribute; Network management; CLASSIFICATION; NETWORK;
DOI
10.1007/s11280-021-00940-0
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract
With the rapid development of the Internet, network management and monitoring face a number of challenges, one of which is traffic classification. Meanwhile, SSL/TLS protocols are extensively used to encrypt communication payloads, which makes traditional rule-based classification methods inapplicable. Without fingerprints of sufficient distinguishing power, other existing methods cannot achieve satisfactory performance on encrypted traffic classification. In this paper, we focus on SSL/TLS encrypted traffic and propose the Adaptive Fingerprint with Multi-level Attributes (AFMA) to classify it. AFMA combines field-level and sequence-level attributes to tackle the encrypted traffic classification problem. Specifically, the distribution of server-to-client ciphersuites on applications is first imported to characterize application preferences. Moreover, besides message type sequences, length block sequences are especially designed to highlight the differences in application fingerprints. In addition, AFMA can adaptively learn the distributions for constructing the fingerprint by analyzing the overall statistics of the applications. The performance of AFMA was verified on a real-world dataset of a campus network (with 956,000+ SSL/TLS traffic flows for 18 popular applications). Our experiments show that AFMA could achieve a true positive rate of up to 99.46% and a false positive rate as low as 0.03%, which outperforms the state-of-the-art methods and our previous method.
Pages: 2071 - 2097
Page count: 27