Fingerprinting encrypted network traffic types using machine learning

Leroux, Sam; Bohez, Steven; Maenhaut, Pieter‐Jan; Meheus, Nathan; Simoens, Pieter; Dhoedt, Bart

doi:10.1109/noms.2018.8406218

Cited by 22 publications

(6 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In recent years, the research on encrypted traffic has mainly used feature engineering [8][9][10][11][12][13] to find out the characteristics that best reflect the features of different classes of encrypted traffic and then classify them by selecting an appropriate classifier. Currently, the commonly used classification models are mainly divided into three types: Markov models [14][15][16], traditional machine learning algorithms [17][18][19][20][21], and deep neural network methods [6,[22][23][24][25][26][27][28][29][30][31].…”

Section: Related Workmentioning

confidence: 99%

CLD-Net: A Network Combining CNN and LSTM for Internet Encrypted Traffic Classification

Wei

2021

Security and Communication Networks

View full text Add to dashboard Cite

The development of the Internet has led to the complexity of network encrypted traffic. Identifying the specific classes of network encryption traffic is an important part of maintaining information security. The traditional traffic classification based on machine learning largely requires expert experience. As an end-to-end model, deep neural networks can minimize human intervention. This paper proposes the CLD-Net model, which can effectively distinguish network encrypted traffic. By segmenting and recombining the packet payload of the raw flow, it can automatically extract the features related to the packet payload, and by changing the expression of the packet interval, it integrates the packet interval information into the model. We use the ability of Convolutional Neural Network (CNN) to distinguish image classes, learn and classify the grayscale images that the raw flow has been preprocessed into, and then use the effectiveness of Long Short-Term Memory (LSTM) network on time series data to further enhance the model’s ability to classify. Finally, through feature reduction, the high-dimensional features learned by the neural network are converted into 8 dimensions to distinguish 8 different classes of network encrypted traffic. In order to verify the effectiveness of the CLD-Net model, we use the ISCX public dataset to conduct experiments. The results show that our proposed model can distinguish whether the unknown network traffic uses Virtual Private Network (VPN) with an accuracy of 98% and can accurately identify the specific traffic (chats, audio, or file) of Facebook and Skype applications with an accuracy of 92.89%.

show abstract

Section: Related Workmentioning

confidence: 99%

CLD-Net: A Network Combining CNN and LSTM for Internet Encrypted Traffic Classification

Wei

2021

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…However, this method is ineffective in presenting user behaviors which are crucial in classifying network traffic. Analyzing encrypted packet payload without decrypting has received more attentions recently [15], [16]. Sherry et al [15] only considered the HTTP protocol with TLS encryption which is one of many encryption protocols on the Internet applications.…”

Section: ) Flow-based Methodmentioning

confidence: 99%

“…Sherry et al [15] only considered the HTTP protocol with TLS encryption which is one of many encryption protocols on the Internet applications. S. Leroux et al [16] presented a network traffic analysis method based on packet size and interval time. However, it only works efficiently for some specific applications which have extremely different packet size and transmission time, e.g., HTTP, VoIP, Video streaming, and P2P.…”

Section: ) Flow-based Methodmentioning

confidence: 99%

Time Series Analysis for Encrypted Traffic Classification: A Deep Learning Approach

Thuy

Nguyen

et al. 2018

2018 18th International Symposium on Communications and Information Technologies (ISCIT)

View full text Add to dashboard Cite

We develop a novel time series feature extraction technique to address the encrypted application classification problem. The proposed method consists of two main steps. First, we propose a feature engineering technique to extract significant attributes of the encrypted network traffic behavior through analyzing the time series of receiving packets. In the second step, a deep learning technique is developed to exploit the advantage of time series data samples in providing the strong representation of the encrypted network applications. To evaluate the efficiency of the proposed solution on the encrypted application traffic classification problem, we carry out intensive experiments on a raw network traffic dataset, namely VPN-nonVPN, with three conventional classifier metrics including Precision, Recall, and F1 score. The experimental results demonstrate that our proposed approach can significantly improve the performance in identifying encrypted application traffic in terms of accuracy and computation efficiency.

show abstract

“…We considered using the TCP packet length from Application Data. While we cannot see into the unencrypted content, the packet length is directly linked to the payload of the traffic and usually follows an application-specific profile [46]. Thus, we can use packet length to determine which traffic is benign or malicious based on the specific application profile.…”

Section: Feature Extractionmentioning

confidence: 99%

Encrypted Malicious Traffic Detection Based on Word2Vec

et al. 2022

View full text Add to dashboard Cite

Network-based intrusion detections become more difficult as Internet traffic is mostly encrypted. This paper introduces a method to detect encrypted malicious traffic based on the Transport Layer Security handshake and payload features without waiting for the traffic session to finish while preserving privacy. Our method, called TLS2Vec, creates words from the extracted features and uses Long Short-Term Memory (LSTM) for inference. We evaluated our method using traffic from three malicious applications and a benign application that we obtained from two publicly available datasets. Our results showed that TLS2Vec is promising as a tool to detect such malicious traffic.

show abstract

Fingerprinting encrypted network traffic types using machine learning

Cited by 22 publications

References 12 publications

CLD-Net: A Network Combining CNN and LSTM for Internet Encrypted Traffic Classification

CLD-Net: A Network Combining CNN and LSTM for Internet Encrypted Traffic Classification

Time Series Analysis for Encrypted Traffic Classification: A Deep Learning Approach

Encrypted Malicious Traffic Detection Based on Word2Vec

Contact Info

Product

Resources

About