Characterization of Encrypted and VPN Traffic using Time-related Features

Gerard Draper-Gil, Arash Habibi Lashkari, Mohammad Saiful Islam Mamun, Ali A. Ghorbani

Abstract

Traffic characterization is one of the major challenges in today’s security industry. The continuous evolution and generation of new applications and services, together with the expansion of encrypted communications, makes it a difficult task. Virtual Private Networks (VPNs) are an example of an encrypted communication service that is becoming popular, as a method for bypassing censorship as well as accessing services that are geographically locked. In this paper, we study the effectiveness of flow-based time-related features to detect VPN traffic and to characterize encrypted traffic into different categories, according to the type of traffic, e.g., browsing, streaming, etc. We use two different well-known machine learning techniques (C4.5 and KNN) to test the accuracy of our features. Our results show high accuracy and performance, confirming that time-related features are good classifiers for encrypted traffic characterization.



Paper Citation


in Harvard Style

Draper-Gil G., Lashkari A., Mamun M. and A. Ghorbani A. (2016). Characterization of Encrypted and VPN Traffic using Time-related Features. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 407-414. DOI: 10.5220/0005740704070414


in Bibtex Style

@conference{icissp16,
author={Gerard Draper-Gil and Arash Habibi Lashkari and Mohammad Saiful Islam Mamun and Ali A. Ghorbani},
title={Characterization of Encrypted and VPN Traffic using Time-related Features},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2016},
pages={407-414},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005740704070414},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Characterization of Encrypted and VPN Traffic using Time-related Features
SN - 978-989-758-167-0
AU - Draper-Gil G.
AU - Lashkari A.
AU - Mamun M.
AU - A. Ghorbani A.
PY - 2016
SP - 407
EP - 414
DO - 10.5220/0005740704070414