I Know What You Saw Last Minute—Encrypted HTTP Adaptive Video Streaming Title Classification

Published on Dec 1, 2017in IEEE Transactions on Information Forensics and Security6.211
· DOI :10.1109/TIFS.2017.2730819
Ran Dubin5
Estimated H-index: 5
(BGU: Ben-Gurion University of the Negev),
Amit Dvir8
Estimated H-index: 8
(Ariel University)
+ 1 AuthorsOfer Hadar16
Estimated H-index: 16
(Ariel University)
Desktops can be exploited to violate privacy. There are two main types of attack scenarios: active and passive. We consider the passive scenario where the adversary does not interact actively with the device, but is able to eavesdrop on the network traffic of the device from the network side. In the near future, most Internet traffic will be encrypted and thus passive attacks are challenging. Previous research has shown that information can be extracted from encrypted multimedia streams. This includes video title classification of non HTTP adaptive streams. This paper presents algorithms for encrypted HTTP adaptive video streaming title classification. We show that an external attacker can identify the video title from video HTTP adaptive streams sites, such as YouTube. To the best of our knowledge, this is the first work that shows this. We provide a large data set of 15000 YouTube video streams of 2100 popular video titles that was collected under real-world network conditions. We present several machine learning algorithms for the task and run a thorough set of experiments, which shows that our classification accuracy is higher than 95%. We also show that our algorithms are able to classify video titles that are not in the training set as unknown and some of the algorithms are also able to eliminate false prediction of video titles and instead report unknown. Finally, we evaluate our algorithm robustness to delays and packet losses at test time and show that our solution is robust to these changes.
  • References (48)
  • Citations (9)
📖 Papers frequently viewed together
2 Citations
8 Citations
3 Authors (Feng Li, ..., Mark Claypool)
5 Citations
78% of Scinapse members use related papers. After signing in, all features are FREE.
#1Martin Husák (Masaryk University)H-Index: 5
#2Milan Čermák (Masaryk University)H-Index: 5
Last. Pavel Čeleda (Masaryk University)H-Index: 11
view all 4 authors...
The encryption of network traffic complicates legitimate network monitoring, traffic analysis, and network forensics. In this paper, we present real-time lightweight identification of HTTPS clients based on network monitoring and SSL/TLS fingerprinting. Our experiment shows that it is possible to estimate the User-Agent of a client in HTTPS communication via the analysis of the SSL/TLS handshake. The fingerprints of SSL/TLS handshakes, including a list of supported cipher suites, differ among cl...
14 CitationsSource
#1Ran Dubin (BGU: Ben-Gurion University of the Negev)H-Index: 5
#2Ofer Hadar (BGU: Ben-Gurion University of the Negev)H-Index: 16
Last. Ofir Pele (Ariel University)H-Index: 8
view all 6 authors...
The increasing popularity of HTTP adaptive video streaming services has dramatically increased bandwidth requirements on operator networks, which attempt to shape their traffic through Deep Packet Inspection (DPI). However, Google and certain content providers have started to encrypt their video services. As a result, operators often encounter difficulties in shaping their encrypted video traffic via DPI. This highlights the need for new traffic classification methods for encrypted HTTP adaptive...
5 CitationsSource
#1Vincent F. Taylor (University of Oxford)H-Index: 5
#2Riccardo Spolaor (UNIPD: University of Padua)H-Index: 7
Last. Ivan Martinovic (University of Oxford)H-Index: 23
view all 4 authors...
Automatic fingerprinting and identification of smartphone apps is becoming a very attractive data gathering technique for adversaries, network administrators, investigators and marketing agencies. In fact, the list of apps installed on a device can be used to identify vulnerable apps for an attacker to exploit, uncover a victim's use of sensitive apps, assist network planning, and aid marketing. However, app fingerprinting is complicated by the vast number of apps available for download, the wid...
63 CitationsSource
#1Mauro Conti (UNIPD: University of Padua)H-Index: 36
#2Luigi V. ManciniH-Index: 31
Last. Nino Vincenzo VerdeH-Index: 14
view all 4 authors...
Mobile devices can be maliciously exploited to violate the privacy of people. In most attack scenarios, the adversary takes the local or remote control of the mobile device, by leveraging a vulnerability of the system, hence sending back the collected information to some remote web service. In this paper, we consider a different adversary, who does not interact actively with the mobile device, but he is able to eavesdrop the network traffic of the device from the network side (e.g., controlling ...
68 CitationsSource
#1Xianhui Che (UNNC: The University of Nottingham Ningbo China)H-Index: 7
#2Barry Ip (UNNC: The University of Nottingham Ningbo China)H-Index: 11
Last. Ling Lin (UNNC: The University of Nottingham Ningbo China)H-Index: 1
view all 3 authors...
Given the impact of YouTube on Internet services and social networks, a healthy quantity of research has been conducted over the past few years. The majority of studies on traffic capture and evaluation were carried out prior to Google's acquisition of YouTube in 2007. Since then, there have been some changes made to the user policy and service infrastructure, including limits placed on video duration, file size, and resolution. This article depicts the latest YouTube traffic profiles and delive...
29 CitationsSource
#1Michael Seufert (University of Würzburg)H-Index: 18
#2Sebastian EggerH-Index: 23
Last. Phuoc Tran-Gia (University of Würzburg)H-Index: 30
view all 6 authors...
Changing network conditions pose severe problems to video streaming in the Internet. HTTP adaptive streaming (HAS) is a technology employed by numerous video services that relieves these issues by adapting the video to the current network conditions. It enables service providers to improve resource utilization and Quality of Experience (QoE) by incorporating information from different layers in order to deliver and adapt a video in its best possible quality. Thereby, it allows taking into accoun...
387 CitationsSource
#1Zigang Cao (CAS: Chinese Academy of Sciences)H-Index: 4
#2Gang Xiong (CAS: Chinese Academy of Sciences)H-Index: 12
Last. Li Guo (CAS: Chinese Academy of Sciences)H-Index: 25
view all 5 authors...
With the widespread use of encryption techniques in network applications, encrypted network traffic has recently become a great challenge for network management. Studies on encrypted traffic classification not only help to improve the network service quality, but also assist in enhancing network security. In this paper, we first introduce the basic information of encrypted traffic classification, emphasizing the influences of encryption on current classification methodology. Then, we summarize t...
20 CitationsSource
May 27, 2013 in IM (Integrated Network Management)
#1Christian Sieber (University of Würzburg)H-Index: 8
#2Tobias Hobfeld (University of Würzburg)H-Index: 32
Last. Christian Timmerer (Adria Airways)H-Index: 29
view all 5 authors...
The MPEG-DASH standard allows the client-centric access to different representations of video content via the HTTP protocol. The client can flexibly switch between different qualities, i.e., different bit rates and thus avoid waiting times during the video playback due to empty playback buffers. However, quality switches and the playback of lower qualities is perceived by the user which may reduce the Quality of Experience (QoE). Therefore, novel algorithms are required which manage the streamin...
65 Citations
Jan 1, 2013 in TMA (Traffic Monitoring and Analysis)
#1Silvio Valenti (ENST: Télécom ParisTech)H-Index: 12
#2Dario Rossi (ENST: Télécom ParisTech)H-Index: 30
Last. Marco Mellia (Polytechnic University of Turin)H-Index: 37
view all 6 authors...
Traffic classification has received increasing attention in the last years. It aims at offering the ability to automatically recognize the application that has generated a given stream of packets from the direct and passive observation of the individual packets, or stream of packets, flowing in the network. This ability is instrumental to a number of activities that are of extreme interest to carriers, Internet service providers and network administrators in general. Indeed, traffic classificati...
44 CitationsSource
Oct 16, 2012 in CCS (Computer and Communications Security)
#1Hooman Mohajeri Moghaddam (UW: University of Waterloo)H-Index: 1
#2Baiyu Li (UW: University of Waterloo)H-Index: 1
Last. Ian Goldberg (UW: University of Waterloo)H-Index: 40
view all 4 authors...
The Tor network is designed to provide users with low-latency anonymous communications. Tor clients build circuits with publicly listed relays to anonymously reach their destinations. However, since the relays are publicly listed, they can be easily blocked by censoring adversaries. Consequently, the Tor project envisioned the possibility of unlisted entry points to the Tor network, commonly known as bridges. We address the issue of preventing censors from detecting the bridges by observing the ...
125 CitationsSource
Cited By9
#1Anqi Teng (UJN: University of Jinan)
#2Lizhi Peng (UJN: University of Jinan)H-Index: 12
Last. Zhenxiang Chen (UJN: University of Jinan)H-Index: 18
view all 5 authors...
Abstract In the last decade, the increasing video traffic, especially illegal videos brought big challenges for Internet management. Generally, abnormal videos, such as illegal videos only account for a small percentage which makes the detection of such videos to be a typical imbalanced classification problem. In this study, we propose a new imbalanced learning method, namely, the imbalanced data gravitational classification model based the gradient descent (IDGC-GD), to handle imbalanced proble...
#1Youting Liu (CAS: Chinese Academy of Sciences)
#2Shu Li (CAS: Chinese Academy of Sciences)
Last. Qingyun Liu (CAS: Chinese Academy of Sciences)H-Index: 2
view all 6 authors...
#1Amit Dvir (Ariel University)H-Index: 8
#2Angelos K. Marnerides (Lancaster University)H-Index: 8
Last. Chen Hajaj (Ariel University)H-Index: 3
view all 5 authors...
Abstract Cyber threat intelligence officers and forensics investigators often require the behavioural profiling of groups based on their online video viewing activity. It has been demonstrated that encrypted video traffic can be classified under the assumption of using a known subset of video titles based on temporal video viewing trends of particular groups. Nonetheless, composing such a subset is extremely challenging in real situations. Therefore, this work exhibits a novel profiling scheme f...
#1Frank Loh (University of Würzburg)H-Index: 3
#2Florian Wamser (University of Würzburg)H-Index: 14
Last. Tobias Hobfeld (University of Würzburg)H-Index: 32
view all 7 authors...
Today’s traffic projections speak of almost 58% video traffic across the Internet. Nearly all video traffic is encrypted, accounting for more than 50% encrypted traffic worldwide. To analyze video traffic today, or even estimate its quality in the network, a deep look into the traffic characteristics has to be done. But then, important quality metrics from the traffic behavior can be derived. Based on extensive measurements we show in this work how to measure and estimate video stalls for mobile...
#2Gaopeng Gou (CAS: Chinese Academy of Sciences)H-Index: 1
Last. Gang Xiong (CAS: Chinese Academy of Sciences)H-Index: 4
view all 4 authors...
Remote desktop enables users to remotely access their computers via the Internet, which is widely used as a basic tool in areas such as remote work, remote assistance and remote administration. However, existing remote desktop is designed to work in the mode of updating user’s real-time command and remote screen’s state interactively for a better user experience, such working mode may cause serious side-channel information leakage problem in spite of encryption of the traffic, as revealed in thi...
#1Giuseppe AcetoH-Index: 11
#2Domenico CiuonzoH-Index: 21
view all 5 authors...
Network traffic analysis, i.e., the umbrella of procedures for distilling information from network traffic, represents the enabler for highly-valuable profiling information, other than being the workhorse for several key network management tasks. While it is currently being revolutionized in its nature by the rising share of traffic generated by mobile and hand-held devices, existing design solutions are mainly evaluated on private traffic traces, and only a few public datasets are available, th...
#1Yan ShiH-Index: 4
#2Dezhi FengH-Index: 1
Last. Subir BiswasH-Index: 27
view all 3 authors...
This paper presents a deep-learning based traffic classification method for identifying multiple streaming video sources at the same time within an encrypted tunnel. The work defines a novel feature inspired by Natural Language Processing (NLP) that allows existing NLP techniques to help the traffic classification. The feature extraction method is described, and a large dataset containing video streaming and web traffic is created to verify its effectiveness. Results are obtained by applying sev...
May 20, 2019 in S&P (IEEE Symposium on Security and Privacy)
#1Ben Nassi (BGU: Ben-Gurion University of the Negev)H-Index: 3
#2Raz Ben-Netanel (BGU: Ben-Gurion University of the Negev)H-Index: 2
Last. Yuval Elovici (BGU: Ben-Gurion University of the Negev)H-Index: 39
view all 4 authors...
In an "open skies" era in which drones fly among us, a new question arises: how can we tell whether a passing drone is being used by its operator for a legitimate purpose (e.g., delivering pizza) or an illegitimate purpose (e.g., taking a peek at a person showering in his/her own house)? Over the years, many methods have been suggested to detect the presence of a drone in a specific location, however since populated areas are no longer off limits for drone flights, the previously suggested metho...
9 CitationsSource
#1Amit Dvir (Ariel University)H-Index: 8
#2Angelos K. Marnerides (Lancaster University)H-Index: 8
Last. Nehor Golan (Ariel University)
view all 4 authors...
Recent stringent end-user security and privacy requirements caused the dramatic rise of encrypted video streams in which YouTube encrypted traffic is one of the most prevalent. Regardless of their encrypted nature, metadata derived from such traffic flows can be utilized to identify the title of a video, thus enabling the classification of video streams into a single video title using a given video title set. Nonetheless, scenarios where no video title set is present and a supervised approach is...
1 CitationsSource
Oct 1, 2018 in ICCT (International Conference on Communication Technology)
#1Mengdie Huang (CUC: Communication University of China)
#2Cheng Yang (CUC: Communication University of China)
Last. Yuan Zhang (CUC: Communication University of China)
view all 3 authors...
The rise of 4K and 8K techniques has led to the growth of video data streaming. Consequently, the greater challenges of encryption efficiency and information leakage facing selective encryption (SE) makes it necessary to reduce the encryption ratio as much as possible. In this paper, we design a SE scheme for H.264/AVC video which achieves a trade-off between low encryption ratio and high safety, for both cryptographic attack and sketch attack point of view. As a starting point, we propose a nov...