Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis
www.caida.org > publications : bib : networking : entries : bernaille07early.xml
Bibliography Details
L. Bernaille and R. Teixeira, "Early Recognition of Encrypted Application", in Passive and Active Measurement Conference (PAM), Apr 2007.
Early Recognition of Encrypted Application
Authors: L. Bernaille
R. Teixeira
Published: Passive and Active Measurement Conference (PAM), 2007
URL:http://www-rp.lip6.fr/site_npa/site_rp/_publications/785-pam.pdf
Entry Dates: 2009-02-09
Abstract: The automatic detection of applications associated with network traffic is an essential step for network security and traffic engineering. Unfortunately, simple port-based classification methods are not always efficient and systematic analysis of packet payloads is too slow. Most recent research proposals use flow statistics to classify traffic flows once they are finished, which limit their applicability for online classification. In this paper, we evaluate the feasibility of application identification at the beginning of a TCP connection. Based on an analysis of packet traces collected on eight different networks, we find that it is possible to distinguish the behavior of an application from the observation of the size and the direction of the first few packets of the TCP connection. We apply three techniques to cluster TCP connections: K-Means, Gaussian Mixture Model and spectral clustering. Resulting clusters are used together with assignment and labeling heuristics to design classifiers. We evaluate these classifiers on different packet traces. Our results show that the first four packets of a TCP connection are sufficient to classify known applications with an accuracy over 90% and to identify new applications as unknown with a probability of 60%.
Results:
  • datasets: two campus networks and on manually-encrypted traces 1) collected at the edge of the Paris 6 network, in 2004 and in 2006; 2) a packet trace collected at the edge of the Umass campus in 2005 (58 bytes for each packet)
  • it runs in three steps: recognition of SSL connections, detection of the first packet containing application data, and recognition of the encrypted applications; use a clustering algorithm based on Gaussian Mixture Model;
  • detect applications in SSL encrypted connections. Use only the size of the first few packets of an SSL connection to recognize the application; recognize the application in an SSL connection with more than 85% accuracy;
  Last Modified: Fri Oct-25-2019 12:31:28 PDT
  Page URL: http://www.caida.org/publications/bib/networking/entries/bernaille07early.xml