Classifying encrypted traffic using adaptive fingerprints with multi-level attributes

Cited by: 3
Authors
Liu, Chang [1 ,2 ]
Xiong, Gang [1 ,2 ]
Gou, Gaopeng [1 ,2 ]
Yiu, Siu-Ming [3 ]
Li, Zhen [1 ,2 ]
Tian, Zhihong [4 ]
Affiliations
[1] Chinese Acad Sci, Inst Informat Engn, Beijing, Peoples R China
[2] Univ Chinese Acad Sci, Sch Cyber Secur, Beijing, Peoples R China
[3] Univ Hong Kong, Dept Comp Sci, Hong Kong, Peoples R China
[4] Guangzhou Univ, Cyberspace Inst Adv Technol, Guangzhou, Peoples R China
Source
WORLD WIDE WEB-INTERNET AND WEB INFORMATION SYSTEMS | 2021 / Vol. 24 / Issue 06
Keywords
Encrypted traffic classification; Fingerprint; Multi-attribute; Network management; CLASSIFICATION; NETWORK;
DOI
10.1007/s11280-021-00940-0
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract
With the rapid development of the Internet, network management and monitoring face a number of challenges, one of which is traffic classification. Meanwhile, SSL/TLS protocols are extensively used to encrypt the communication payloads, which makes traditional rule-based classification methods not applicable. Without fingerprints of sufficient distinguishing power, other existing methods cannot achieve satisfactory performance on encrypted traffic classification. In this paper, we focus on SSL/TLS encrypted traffic, and propose the Adaptive Fingerprint with Multi-level Attributes (AFMA) to classify them. AFMA combines field-level and sequence-level attributes to tackle the encrypted traffic classification problem. Specifically, the distribution of server-to-client ciphersuites on applications is first imported to characterize application preferences. Moreover, besides message type sequences, length block sequences are especially designed to highlight the differences in application fingerprints. In addition, AFMA can adaptively learn the distributions for constructing the fingerprint by analyzing the overall statistics of the applications. The performance of AFMA was verified on a real-world dataset of a campus network (with 956,000+ SSL/TLS traffic flows for 18 popular applications). Our experiments show that AFMA could achieve a true positive rate of up to 99.46% and a false positive rate as low as 0.03%, which outperforms the state-of-the-art methods and our previous method.
Pages: 2071 / 2097
Number of pages: 27
Related papers
51 in total
  • [51] Learning to Classify: A Flow-Based Relation Network for Encrypted Traffic Classification
    Zheng, Wenbo
    Gou, Chao
    Yan, Lan
    Mo, Shaocong
    [J]. WEB CONFERENCE 2020: PROCEEDINGS OF THE WORLD WIDE WEB CONFERENCE (WWW 2020), 2020, : 13 - 22