A Survey on Encrypted Traffic Classification

Published on Nov 26, 2014
DOI: 10.1007/978-3-662-45670-5_8
Zigang Cao (CAS: Chinese Academy of Sciences), estimated H-index: 5
Gang Xiong (CAS: Chinese Academy of Sciences), estimated H-index: 14
+ 2 authors
Li Guo (CAS: Chinese Academy of Sciences), estimated H-index: 24
With the widespread use of encryption techniques in network applications, encrypted network traffic has recently become a great challenge for network management. Studies on encrypted traffic classification not only help to improve the network service quality, but also assist in enhancing network security. In this paper, we first introduce the basic information of encrypted traffic classification, emphasizing the influences of encryption on current classification methodology. Then, we summarize the challenges and recent advances in encrypted traffic classification research. Finally, the paper is ended with some conclusions.
References (35)
Jul 8, 2014 in INFOCOM (International Conference on Computer Communications)
#1 Maciej Korczynski (RU: Rutgers University), H-Index: 1
#2 Andrzej Duda (Grenoble Institute of Technology), H-Index: 44
In this paper, we propose stochastic fingerprints for application traffic flows conveyed in Secure Socket Layer/Transport Layer Security (SSL/TLS) sessions. The fingerprints are based on first-order homogeneous Markov chains for which we identify the parameters from observed training application traces. As the fingerprint parameters of chosen applications considerably differ, the method results in a very good accuracy of application discrimination and provides a possibility of detecting abnorm...
59 Citations
Nov 4, 2013 in CCS (Computer and Communications Security)
#1 Kevin P. Dyer (PSU: Portland State University), H-Index: 7
#2 Scott E. Coull (Silver Spring Networks), H-Index: 15
Last: Thomas Shrimpton (PSU: Portland State University), H-Index: 24 (4 authors in total)
Deep packet inspection (DPI) technologies provide much-needed visibility and control of network traffic using port-independent protocol identification, where a network flow is labeled with its application-layer protocol based on packet contents. In this paper, we provide the first comprehensive evaluation of a large set of DPI systems from the point of view of protocol misidentification attacks, in which adversaries on the network attempt to force the DPI to mislabel connections. Our approach us...
60 Citations
May 19, 2013 in S&P (IEEE Symposium on Security and Privacy)
#1 Amir Houmansadr (University of Texas at Austin), H-Index: 22
#2 Chad Brubaker (University of Texas at Austin), H-Index: 3
Last: Vitaly Shmatikov (University of Texas at Austin), H-Index: 50 (3 authors in total)
In response to the growing popularity of Tor and other censorship circumvention systems, censors in non-democratic countries have increased their technical capabilities and can now recognize and block network traffic generated by these systems on a nationwide scale. New censorship-resistant communication systems such as SkypeMorph, StegoTorus, and CensorSpoofer aim to evade censors' observations by imitating common protocols like Skype and HTTP. We demonstrate that these systems completely fa...
103 Citations
#1 Yuyu Yuan, H-Index: 1
#2 Xu Wu, H-Index: 1
Last: Yueming Lu, H-Index: 1 (3 authors in total)
8 Citations
#1 Ernst W. Biersack (EURECOM: Institut Eurécom), H-Index: 46
#2 Christian Callegari (UniPi: University of Pisa), H-Index: 13
Last: Maja Matijasevic (University of Zagreb), H-Index: 17 (3 authors in total)
High-Performance Network Traffic Processing Systems Using Commodity Hardware.- Active Techniques for Available Bandwidth Estimation: Comparison and Application.- Internet Topology Discovery.- Internet PoP Level Maps.- Analysis of Packet Transmission Processes in Peer-to-Peer Networks by Statistical Inference Methods.- Reviewing Traffic Classification.- A Methodological Overview on Anomaly Detection.- Changepoint Detection Techniques for VoIP Traffic.- Distribution-Based Anomaly Detection in Netw...
34 Citations
Jan 1, 2013 in TMA (Traffic Monitoring and Analysis)
#1 Silvio Valenti (ENST: Télécom ParisTech), H-Index: 12
#2 Dario Rossi (ENST: Télécom ParisTech), H-Index: 31
Last: Marco Mellia (Polytechnic University of Turin), H-Index: 37 (6 authors in total)
Traffic classification has received increasing attention in the last years. It aims at offering the ability to automatically recognize the application that has generated a given stream of packets from the direct and passive observation of the individual packets, or stream of packets, flowing in the network. This ability is instrumental to a number of activities that are of extreme interest to carriers, Internet service providers and network administrators in general. Indeed, traffic classificati...
46 Citations
Oct 16, 2012 in CCS (Computer and Communications Security)
#1 Hooman Mohajeri Moghaddam (UW: University of Waterloo), H-Index: 1
#2 Baiyu Li (UW: University of Waterloo), H-Index: 1
Last: Ian Goldberg (UW: University of Waterloo), H-Index: 40 (4 authors in total)
The Tor network is designed to provide users with low-latency anonymous communications. Tor clients build circuits with publicly listed relays to anonymously reach their destinations. However, since the relays are publicly listed, they can be easily blocked by censoring adversaries. Consequently, the Tor project envisioned the possibility of unlisted entry points to the Tor network, commonly known as bridges. We address the issue of preventing censors from detecting the bridges by observing the ...
125 Citations
Oct 16, 2012 in CCS (Computer and Communications Security)
#1 Zachary Weinberg (CMU: Carnegie Mellon University), H-Index: 5
#2 J Wang (Stanford University), H-Index: 3
Last: Dan Boneh (Stanford University), H-Index: 101 (7 authors in total)
Internet censorship by governments is an increasingly common practice worldwide. Internet users and censors are locked in an arms race: as users find ways to evade censorship schemes, the censors develop countermeasures for the evasion tactics. One of the most popular and effective circumvention tools, Tor, must regularly adjust its network traffic signature to remain usable. We present StegoTorus, a tool that comprehensively disguises Tor from protocol analysis. To foil analysis of packet conte...
91 Citations
Sep 27, 2012 in IWCMC (International Conference on Wireless Communications and Mobile Computing)
#1 Alfonso Iacovazzi (Sapienza University of Rome), H-Index: 6
#2 Andrea Baiocchi (Sapienza University of Rome), H-Index: 19
Traffic flow features like packet lengths, direction, gap times have been shown to carry significant information on conveyed the traffic flows they belong to, e.g. enabling application classification with high accuracy and even privacy breaking, even if encryption is used. Such a leakage of user related information can be stopped by modifying the traffic flow features, e.g. for packet lengths by padding, fragmenting or inserting dummy packets. We outline a general approach aiming at full masking...
2 Citations
Sep 27, 2012 in IWCMC (International Conference on Wireless Communications and Mobile Computing)
#1 Yu Wang (Deakin University), H-Index: 1
#2 Yang Xiang (Deakin University), H-Index: 63
Last: Shun-Zheng Yu (SYSU: Sun Yat-sen University), H-Index: 10 (4 authors in total)
Due to the limitations of the traditional port-based and payload-based traffic classification approaches, the past decade has seen extensive work on utilizing machine learning techniques to classify network traffic based on packet and flow level features. In particular, previous studies have shown that the unsupervised clustering approach is both accurate and capable of discovering previously unknown application classes. In this paper, we explore the utility of side information in the process of...
8 Citations
Cited By (21)
#1 Amit Dvir, H-Index: 9
#2 Yehonatan Zion, H-Index: 2
Last: Ran Dubin, H-Index: 5 (6 authors in total)
Desktops and laptops can be maliciously exploited to violate privacy. In this paper, we consider the daily battle between the passive attacker who is targeting a specific user against a user that may be an adversarial opponent. In this scenario, while the attacker tries to choose the best vector attack by surreptitiously monitoring the victim's encrypted network traffic in order to identify user's parameters such as the Operating System (OS), browser and apps. The user may use tools such as a Virtual...
#1 Ola Salman (AUB: American University of Beirut), H-Index: 7
#2 Imad H. Elhajj (AUB: American University of Beirut), H-Index: 20
Last: Ali Chehab (AUB: American University of Beirut), H-Index: 18 (4 authors in total)
Traffic classification acquired the interest of the Internet community early on. Different approaches have been proposed to classify Internet traffic to manage both security and Quality of Service (QoS). However, traditional classification approaches consisting of modifying the Transmission Control Protocol/Internet Protocol (TCP/IP) scheme have not been adopted due to their complex management. In addition, port-based methods and deep packet inspection have limitations in dealing with new traffi...
#1 Youting Liu (CAS: Chinese Academy of Sciences)
#2 Shu Li (CAS: Chinese Academy of Sciences)
Last: Qingyun Liu (CAS: Chinese Academy of Sciences), H-Index: 2 (6 authors in total)
As video dominates internet traffic, researchers tend to pay attention to video-related fields, such as video shaping, differentiated service, multimedia protocol tunneling detection. Some video-related fields, e.g., traffic measurement and the metrics for Quality of Experience, are based on video flow identification. However, video flow identification faces challenges. Firstly, the increasing adoption of Transport Layer Security makes payload-based methods no longer applicable. Secondly, traffi...
#1 Ola Salman (AUB: American University of Beirut), H-Index: 7
#2 Imad H. Elhajj (AUB: American University of Beirut), H-Index: 20
Last: Ali Chehab (AUB: American University of Beirut), H-Index: 18 (4 authors in total)
Traffic classification is key for managing both QoS and security in the Internet of Things (IoT). However, new traffic obfuscation techniques have been developed to thwart classification. Traffic mutation is one such obfuscation technique, that consists of modifying the flow’s statistical characteristics to mislead the traffic classifier. In fact, this same technique can also be used to hide normal traffic characteristics for the sake of privacy. However, the concern is its use by attackers to b...
1 Citations
#1 Feras N. Al-Obeidat (ZU: Zayed University), H-Index: 7
#2 El-Sayed M. El-Alfy (UPM: King Fahd University of Petroleum and Minerals), H-Index: 12
Traffic classification in computer networks has very significant roles in network operation, management, and security. Examples include controlling the flow of information, allocating resources effectively, provisioning quality of service, detecting intrusions, and blocking malicious and unauthorized access. This problem has attracted a growing attention over years and a number of techniques have been proposed ranging from traditional port-based and payload inspection of TCP/IP packets to superv...
4 Citations
#1 Minghao Jiang (CAS: Chinese Academy of Sciences)
#2 Gaopeng Gou (CAS: Chinese Academy of Sciences), H-Index: 2
Last: Gang Xiong (CAS: Chinese Academy of Sciences), H-Index: 5 (4 authors in total)
Remote desktop enables users to remotely access their computers via the Internet, which is widely used as a basic tool in areas such as remote work, remote assistance and remote administration. However, existing remote desktop is designed to work in the mode of updating user’s real-time command and remote screen’s state interactively for a better user experience, such working mode may cause serious side-channel information leakage problem in spite of encryption of the traffic, as revealed in thi...
#1 Arkadiusz Biernacki (Silesian University of Technology), H-Index: 6
Due to the popularity of Dynamic Adaptive Streaming Over HTTP (DASH), broadband and Internet service providers’ links transmit mainly multimedia content. As the most popular providers encrypt their video services, the attempts to identify their traffic through Deep Packet Inspection (DPI) encounter difficulties. Therefore, encrypted DASH traffic requires new classification methods. In this work, we propose to identify DASH traffic taking into account statistical dependencies among video flows. F...
May 20, 2019 in ICC (International Conference on Communications)
#1 Sina Fathi-Kazerooni (NJIT: New Jersey Institute of Technology), H-Index: 2
#2 Yagiz Kaymak (NJIT: New Jersey Institute of Technology), H-Index: 5
Last: Roberto Rojas-Cessa (NJIT: New Jersey Institute of Technology), H-Index: 18 (3 authors in total)
An eavesdropper may infer the computer applications a person uses by collecting and analyzing the network traffic they generate. Such inference may be performed despite applying encryption on the generated packets. In this paper, we investigate the extent of the ability of several machine learning algorithms to perform this privacy breach on the network traffic generated by a user. We measure their accuracy in identifying different applications by analyzing several statistical properties of the ...
#1 Sina Fathi-Kazerooni (NJIT: New Jersey Institute of Technology), H-Index: 2
#2 Yagiz Kaymak (NJIT: New Jersey Institute of Technology), H-Index: 5
Last: Roberto Rojas-Cessa (NJIT: New Jersey Institute of Technology), H-Index: 18 (3 authors in total)
A network eavesdropper may invade the privacy of an online user by collecting the passing traffic and classifying the applications that generated the network traffic. This collection may be used to build fingerprints of the user’s Internet usage. In this paper, we investigate the feasibility of performing such breach on encrypted network traffic generated by actual users. We adopt the random forest algorithm to classify the applications in use by users of a campus network. Our classification sys...
1 Citations
#1 Weina Niu (Sichuan University), H-Index: 1
#2 Zhongliu Zhuo (University of Electronic Science and Technology of China), H-Index: 1
Last: Mohsen Guizani (Qatar University), H-Index: 54 (6 authors in total)
In recent years, malware with strong concealment uses encrypted protocol to evade detection. Thus, encrypted traffic identification can help security analysts to be more effective in narrowing down those encrypted network traffic. Existing methods are protocol independent, such as statistical-based and machine-learning-based approaches. Statistical-based approaches, however, are confined to payload length and machine-learning-based approaches have a low recognition rate for encrypted traffic usi...
6 Citations