A Survey on Encrypted Network Traffic Analysis Applications, Techniques, and Countermeasures

Papadogiannaki, Eva; Ioannidis, Sotiris

doi:10.1145/3457904

Cited by 105 publications

(40 citation statements)

References 150 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…To overcome the limitations of port-and payload-based classification models, researchers have focused on traffic classification models that use features from observable encrypted traffic metadata [21], [34].…”

Section: B Encrypted Traffic Classificationmentioning

confidence: 99%

See 1 more Smart Citation

Extensible Machine Learning for Encrypted Network Traffic Application Labeling via Uncertainty Quantification

Jorgensen¹,

Holodnak²,

Dempsey³

et al. 2022

Preprint

View full text Add to dashboard Cite

With the increasing prevalence of encrypted network traffic, cyber security analysts have been turning to machine learning (ML) techniques to elucidate the traffic on their networks. However, ML models can become stale as known traffic features can shift between networks and as new traffic emerges that is outside of the distribution of the training set. In order to reliably adapt in this dynamic environment, ML models must additionally provide contextualized uncertainty quantification to their predictions, which has received little attention in the cyber security domain. Uncertainty quantification is necessary both to signal when the model is uncertain about which class to choose in its label assignment and when the traffic is not likely to belong to any pre-trained classes.We present a new, public dataset of network traffic that includes labeled, Virtual Private Network (VPN)-encrypted network traffic generated by 10 applications and corresponding to 5 application categories. We also present an ML framework that is designed to rapidly train with modest data requirements and provide both calibrated, predictive probabilities as well as an interpretable "out-of-distribution" (OOD) score to flag novel traffic samples. We describe how to compute a calibrated OOD score from p-values of the so-called relative Mahalanobis distance.We demonstrate that our framework achieves an F1 score of 0.98 on our dataset and that it can extend to an enterprise network by testing the model: (1) on data from similar applications, (2) on dissimilar application traffic from an existing category, and (3) on application traffic from a new category. The model correctly flags uncertain traffic and, upon retraining, accurately incorporates the new data. We additionally demonstrate good performance (F1 score of 0.97) when packet sizes are made to be uniform, as occurs for certain encryption protocols.

show abstract

Section: B Encrypted Traffic Classificationmentioning

confidence: 99%

“…We consider this unfortunate and believe that in a dynamic environment such as a computer network, it is critically important to quantify model uncertainty. A recent review highlighted the need to reduce errors (false positives) when moving from a closed training set to real-world data for encrypted network traffic analysis [21].…”

Section: Introductionmentioning

confidence: 99%

Extensible Machine Learning for Encrypted Network Traffic Application Labeling via Uncertainty Quantification

Jorgensen¹,

Holodnak²,

Dempsey³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Network traffic classification is extremely crucial in modern networks as it allows network operators to know the original application which generated any particular traffic. Due to its crucial importance, there have been numerous research efforts to produce network traffic classifiers using various innovative techniques [3,4].…”

Section: Introductionmentioning

confidence: 99%

“…Although these techniques have succeeded in the past, their effectiveness is Malaysian Journal of Computer Science, Vol. 35 (3), 2022 continuously diminishing in modern networks. For example, dynamic port allocation leads to non-standard port assignment, making the port-based technique obsolete on its own [6].…”

Section: Introductionmentioning

confidence: 99%

Granular Network Traffic Classification for Streaming Traffic Using Incremental Learning and Classifier Chain

Zaki

Afifi²,

Gani³

et al. 2022

MJCS

View full text Add to dashboard Cite

In modern networks, network visibility is of utmost importance to network operators. Accordingly, granular network traffic classification quickly rises as an essential technology due to its ability to provide high network visibility. Granular network traffic classification categorizes traffic into detailed classes like application names and services. Application names represent parent applications, such as Facebook, while application services are the individual actions within the parent application, such as Facebook-comment. Most studies on granular classification focus on classification at the application name level. Besides that, evaluations in existing studies are also limited and utilize only static and immutable datasets, which are insufficient to reflect the continuous and evolving nature of real-world traffic. Therefore, this paper aims to introduce a granular classification technique, which is evaluated on streaming traffic. The proposed technique implements two Adaptive Random Forest classifiers linked together using a classifier chain to simultaneously produce classification at two granularity levels. Performance evaluation on a streaming testbed setup using Apache Kafka showed that the proposed technique achieved an average F1 score of 99% at the application name level and 88% at the application service level. Additionally, the performance benchmark on ISCX VPN non-VPN public dataset also maintained comparable results, besides recording classification time as low as 2.6 ms per packet. The results conclude that the proposed technique proves its advantage and feasibility for a granular classification in streaming traffic.

show abstract

“…In this survey article, we present existing research on NTA and related areas primarily focusing on TLS-encrypted malware traffic, which can be utilized by security experts in SOCs. While there are multiple related surveys [18][19][20][21][22][23][24][25][26][27] available on NTA and traffic classification areas, our approach has the following distinguished contributions:…”

Section: Introductionmentioning

confidence: 99%

A Survey on TLS-Encrypted Malware Network Traffic Analysis Applicable to Security Operations Centers

Roh

2021

Applied Sciences

View full text Add to dashboard Cite

Recently, a majority of security operations centers (SOCs) have been facing a critical issue of increased adoption of transport layer security (TLS) encryption on the Internet, in network traffic analysis (NTA). To this end, in this survey article, we present existing research on NTA and related areas, primarily focusing on TLS-encrypted traffic to detect and classify malicious traffic with deployment scenarios for SOCs. Security experts in SOCs and researchers in academia can obtain useful information from our survey, as the main focus of our survey is NTA methods applicable to malware detection and family classification. Especially, we have discussed pros and cons of three main deployment models for encrypted NTA: TLS interception, inspection using cryptographic functions, and passive inspection without decryption. In addition, we have discussed the state-of-the-art methods in TLS-encrypted NTA for each component of a machine learning pipeline, typically used in the state-of-the-art methods.

show abstract

A Survey on Encrypted Network Traffic Analysis Applications, Techniques, and Countermeasures

Cited by 105 publications

References 150 publications

Extensible Machine Learning for Encrypted Network Traffic Application Labeling via Uncertainty Quantification

Extensible Machine Learning for Encrypted Network Traffic Application Labeling via Uncertainty Quantification

Granular Network Traffic Classification for Streaming Traffic Using Incremental Learning and Classifier Chain

A Survey on TLS-Encrypted Malware Network Traffic Analysis Applicable to Security Operations Centers

Contact Info

Product

Resources

About