A survey of methods for encrypted traffic classification and analysis

Velan, Petr; Čermák, Milan; Čeleda, Pavel; Drašar, Martin

doi:10.1002/nem.1901

Cited by 281 publications

(147 citation statements)

References 51 publications

Supporting

Mentioning

146

Contrasting

Unclassified

Order By: Relevance

“…We have to use methods from a survey by Velan et al [2] as the basis and a real network data to identify these options. Then, we have to find which of the options are varying the most and if the variability of these options indicates different traffic patterns, e.g., different communicating partners or type of traffic.…”

Section: Analysis Of Encrypted Network Trafficmentioning

confidence: 99%

HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting

Husák

Čermák

Jirsík

et al. 2016

EURASIP J. on Info. Security

Self Cite

View full text Add to dashboard Cite

The encryption of network traffic complicates legitimate network monitoring, traffic analysis, and network forensics. In this paper, we present real-time lightweight identification of HTTPS clients based on network monitoring and SSL/TLS fingerprinting. Our experiment shows that it is possible to estimate the User-Agent of a client in HTTPS communication via the analysis of the SSL/TLS handshake. The fingerprints of SSL/TLS handshakes, including a list of supported cipher suites, differ among clients and correlate to User-Agent values from a HTTP header. We built up a dictionary of SSL/TLS cipher suite lists and HTTP User-Agents and assigned the User-Agents to the observed SSL/TLS connections to identify communicating clients. The dictionary was used to classify live HTTPS network traffic. We were able to retrieve client types from 95.4 % of HTTPS network traffic. Further, we discussed host-based and network-based methods of dictionary retrieval and estimated the quality of the data.

show abstract

Section: Analysis Of Encrypted Network Trafficmentioning

confidence: 99%

HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting

Husák

Čermák

Jirsík

et al. 2016

EURASIP J. on Info. Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…In the article listed below , there was an error with the reference citations in Table 4, column 1. The corrected reference citations are given in the revised Table 4 below.…”

Section: A Summary Table Of Cited Papers and Methods They Used To Detmentioning

confidence: 99%

Erratum

2015

Int J Network Mgmt

View full text Add to dashboard Cite

show abstract

“…Another study of SSL/TLS traffic was raised by Holz and partners in 2011 [3] , who also focus on certificate properties. Roni and Langberg classified encrypted network flows by their application type [4] .Velan and Milan found that the initiation of an encrypted connection and the protocol structure give away much information about traffic clissificaion [5] .The SSL/TLS protocol and its applications were analyzed by Qualys SSL Lab [6] , they proposed the idea of HTTP client fingerprinting using the information of SSL/TLS handshake. Martin Husák and colleagues gave a way to estimate User-Agent of a client in HTTPS communication through the fingerprint of initial SSL/TLS handshake in 2015 [7] .However, due to the fuzziness of the fingerprint, the identification of browsers was not accurate.Salusky and Thomas disclosed for fingerprinting and identifying client applications based on the analysis of client requests in an HTTP-based communication [8] .For the algorithm of traffic identification, Alshammari and his colleagues assessed the robustness of machine learning for classifying encrypted traffic [9] .…”

Section: Related Workmentioning

confidence: 99%

Browser Identification Based on Encrypted Traffic

Liu¹,

Han²,

Wei³

2016

Proceedings of the 2016 International Conference on Communications, Information Management and Network Security

View full text Add to dashboard Cite

Abstract-Network traffic encryption brings security to network communication, however it also brings challenges to network monitoring. As more and more major websites use encryption protocol to protect imformation of visitors, it is a burning issue to identify client when session is encrypted. In this paper, we present browser identification of HTTPS client based on packet length. The sequence of request packet length is different among browsers and our experiment shows that it is possible to recognize what kind of browser the traffic comes from according to length sequence. We theoretically analyze the possibility of using the request packet length to identify browsers and show the method of using length sequence to establish dictionary. The dictionaries are used to distinguish unknown traffic flow. Our experiment results show that we can get accurate results of browser identification in HTTPS communication through packet length analysis.

show abstract

A survey of methods for encrypted traffic classification and analysis

Cited by 281 publications

References 51 publications

HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting

HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting

Erratum

Browser Identification Based on Encrypted Traffic

Contact Info

Product

Resources

About