Skip to main content
SpringerLink
Log in
Book cover

International Symposium on Research in Attacks, Intrusions, and Defenses

RAID 2018: Research in Attacks, Intrusions, and Defenses pp 315–334Cite as

OTTer: A Scalable High-Resolution Encrypted Traffic Identification Engine

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11050))

Abstract

Several security applications rely on monitoring network traffic, which is increasingly becoming encrypted. In this work, we propose a pattern language to describe packet trains for the purpose of fine-grained identification of application-level events in encrypted network traffic, and demonstrate its expressiveness with case studies for distinguishing Messaging, Voice, and Video events in Facebook, Skype, Viber, and WhatsApp network traffic. We provide an efficient implementation of this language, and evaluate its performance by integrating it into our proprietary DPI system. Finally, we demonstrate that the proposed pattern language can be mined from traffic samples automatically, minimizing the otherwise high ruleset maintenance burden.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    We discard the TCP packets with only the ACK flag set. PUSH/ACK packets are kept.

  2. 2.

    Through the dataset collection we make use of different application versions per application. This allows us to verify the generalisation ability and scalability of our methodology.

  3. 3.

    These samples were generated using dummy accounts and non-personal mobile devices.

  4. 4.

    In the following section, we discuss about how the signature formation affects the balance between TP and FP rates.

  5. 5.

    False discovery rate can be calculated as \(FDR = FP/(TP + FP)\).

References

  1. Android tcpdump. https://www.androidtcpdump.com. Accessed 09 Mar 2018-

  2. Busybox (android application). https://play.google.com/store/apps/details?id=stericson.busybox&hl=en. Accessed 09 Mar 2018

  3. netstat(8) - Linux man page. https://linux.die.net/man/8/netstat. Accessed 09 Mar 2018

  4. Aceto, G., Ciuonzo, D., Montieri, A., Pescapé, A.: Multi-classification approaches for classifying mobile app traffic. J. Netw. Comput. Appl. 103, 131–145 (2018)

    Article  Google Scholar 

  5. Aho, A.V., Corasick, M.J.: Efficient string matching: an aid to bibliographic search. Commun. ACM 18(6), 333–340 (1975)

    Article  MathSciNet  Google Scholar 

  6. Alan, H.F., Kaur, J.: Can android applications be identified using only TCP/IP headers of their launch time traffic? In: Proceedings of the 9th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 61–66. ACM (2016)

    Google Scholar 

  7. Anonymized for submission: DPI engine anonymized for submission

    Google Scholar 

  8. Ateniese, G., Hitaj, B., Mancini, L.V., Verde, N.V., Villani, A.: No place to hide that bytes won’t reveal: sniffing location-based encrypted traffic to track a user’s position. Network and System Security. LNCS, vol. 9408, pp. 46–59. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-25645-0_4

    Chapter  Google Scholar 

  9. Bernaille, L., Teixeira, R.: Early recognition of encrypted applications. In: Uhlig, S., Papagiannaki, K., Bonaventure, O. (eds.) PAM 2007. LNCS, vol. 4427, pp. 165–175. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71617-4_17

    Chapter  Google Scholar 

  10. Chen, C., Asoni, D.E., Perrig, A., Barrera, D., Danezis, G., Troncoso, C.: Taranet: traffic-analysis resistant anonymity at the network layer. arXiv preprint arXiv:1802.08415 (2018)

  11. Conti, M., Mancini, L.V., Spolaor, R., Verde, N.V.: Can’t you hear me knocking: identification of user actions on android apps via traffic analysis. In: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, pp. 297–304. ACM (2015)

    Google Scholar 

  12. Conti, M., Mancini, L.V., Spolaor, R., Verde, N.V.: Analyzing android encrypted network traffic to identify user actions. IEEE Trans. Inf. Forensics Secur. 11(1), 114–125 (2016)

    Article  Google Scholar 

  13. Corrigan-Gibbs, H., Boneh, D., Mazières, D.: Riposte: an anonymous messaging system handling millions of users. In: 2015 IEEE Symposium on Security and Privacy (SP), pp. 321–338. IEEE (2015)

    Google Scholar 

  14. Coull, S.E., Dyer, K.P.: Traffic analysis of encrypted messaging services: apple imessage and beyond. ACM SIGCOMM Comput. Commun. Rev. 44(5), 5–11 (2014)

    Article  Google Scholar 

  15. Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. Technical report, Naval Research Lab Washington DC (2004)

    Google Scholar 

  16. Enck, W., et al.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (TOCS) 32(2), 5 (2014)

    Article  Google Scholar 

  17. Fu, Y., Xiong, H., Lu, X., Yang, J., Chen, C.: Service usage classification with encrypted internet traffic in mobile messaging apps. IEEE Trans. Mobile Comput. 15(11), 2851–2864 (2016)

    Article  Google Scholar 

  18. Gomariz, A., Campos, M., Marin, R., Goethals, B.: ClaSP: an efficient algorithm for mining frequent closed sequences. In: Pei, J., Tseng, V.S., Cao, L., Motoda, H., Xu, G. (eds.) PAKDD 2013. LNCS (LNAI), vol. 7818, pp. 50–61. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37453-1_5

    Chapter  Google Scholar 

  19. Herrmann, D., Wendolsky, R., Federrath, H.: Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial Naïve-Bayes classifier. In: Proceedings of the 2009 ACM Workshop on Cloud Computing Security, CCSW 2009, pp. 31–42. ACM, New York (2009)

    Google Scholar 

  20. Karagiannis, T., Papagiannaki, K., Faloutsos, M.: BLINC: multilevel traffic classification in the dark. ACM SIGCOMM Comput. Commun. Rev. 35, 229–240 (2005)

    Article  Google Scholar 

  21. Kwon, A., Corrigan-Gibbs, H., Devadas, S., Ford, B.: Atom: horizontally scaling strong anonymity. In: Proceedings of the 26th Symposium on Operating Systems Principles, pp. 406–422. ACM (2017)

    Google Scholar 

  22. Le Blond, S., Choffnes, D., Caldwell, W., Druschel, P., Merritt, N.: Herd: a scalable, traffic analysis resistant anonymity network for VoIP systems. ACM SIGCOMM Comput. Commun. Rev. 45, 639–652 (2015)

    Article  Google Scholar 

  23. Li, W., Moore, A.W.: A machine learning approach for efficient traffic classification. In: 15th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, MASCOTS 2007, pp. 310–317. IEEE (2007)

    Google Scholar 

  24. Liu, J., Fu, Y., Ming, J., Ren, Y., Sun, L., Xiong, H.: Effective and real-time in-app activity analysis in encrypted internet traffic streams. In: Proceedings of the 23rd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 335–344. ACM (2017)

    Google Scholar 

  25. Papadopoulos, E.P., Diamantaris, M., Papadopoulos, P., Petsas, T., Ioannidis, S., Markatos, E.P.: The long-standing privacy debate: mobile websites vs mobile apps. In: Proceedings of the 26th International Conference on World Wide Web, pp. 153–162. International World Wide Web Conferences Steering Committee (2017)

    Google Scholar 

  26. Partridge, C., Allman, M.: Ethical considerations in network measurement papers. Commun. ACM 59(10), 58–64 (2016)

    Article  Google Scholar 

  27. Rapoport, M., Suter, P., Wittern, E., Lhótak, O., Dolby, J.: Who you gonna call? Analyzing web requests in android applications. In: 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR), pp. 80–90. IEEE (2017)

    Google Scholar 

  28. Razaghpanah, A., et al.: Haystack: In situ mobile traffic analysis in user space. ArXiv e-prints (2015)

    Google Scholar 

  29. Saltaformaggio, B., et al.: Eavesdropping on fine-grained user activities within smartphone apps over encrypted network traffic. In: WOOT (2016)

    Google Scholar 

  30. Taylor, V.F., Spolaor, R., Conti, M., Martinovic, I.: AppScanner: automatic fingerprinting of smartphone apps from encrypted network traffic. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 439–454. IEEE (2016)

    Google Scholar 

  31. Taylor, V.F., Spolaor, R., Conti, M., Martinovic, I.: Robust smartphone app identification via encrypted network traffic analysis. IEEE Trans. Inf. Forensics Secur. 13(1), 63–78 (2018)

    Article  Google Scholar 

  32. Van Den Hooff, J., Lazar, D., Zaharia, M., Zeldovich, N.: Vuvuzela: scalable private messaging resistant to traffic analysis. In: Proceedings of the 25th Symposium on Operating Systems Principles, pp. 137–152. ACM (2015)

    Google Scholar 

  33. Vasiliadis, G., Ioannidis, S.: GrAVity: a massively parallel antivirus engine. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 79–96. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15512-3_5

    Chapter  Google Scholar 

  34. Vasiliadis, G., Koromilas, L., Polychronakis, M., Ioannidis, S.: GASPP: a GPU-accelerated stateful packet processing framework. In: USENIX Annual Technical Conference, pp. 321–332 (2014)

    Google Scholar 

  35. Vasiliadis, G., Polychronakis, M., Ioannidis, S.: MiDeA: a multi-parallel intrusion detection architecture. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 297–308. ACM (2011)

    Google Scholar 

  36. Wang, Q., Yahyavi, A., Kemme, B., He, W.: I know what you did on your smartphone: inferring app usage over encrypted data traffic. In: 2015 IEEE Conference on Communications and Network Security (CNS), pp. 433–441. IEEE (2015)

    Google Scholar 

  37. Wei, X., Gomez, L., Neamtiu, I., Faloutsos, M.: ProfileDroid: multi-layer profiling of android applications. In: Proceedings of the 18th Annual International Conference on Mobile Computing and Networking, pp. 137–148. ACM (2012)

    Google Scholar 

  38. Wolinsky, D.I., Corrigan-Gibbs, H., Ford, B., Johnson, A.: Dissent in numbers: making strong anonymity scale. In: OSDI, pp. 179–182 (2012)

    Google Scholar 

  39. Wright, C.V., Ballard, L., Coull, S.E., Monrose, F., Masson, G.M.: Spot me if you can: uncovering spoken phrases in encrypted VoIP conversations. In: IEEE Symposium on Security and Privacy, SP 2008, pp. 35–49. IEEE (2008)

    Google Scholar 

  40. Xu, Q., et al.: Automatic generation of mobile app signatures from traffic observations. In: IEEE Conference on Computer Communications (INFOCOM), pp. 1481–1489. IEEE (2015)

    Google Scholar 

  41. Yao, H., Ranjan, G., Tongaonkar, A., Liao, Y., Mao, Z.M.: SAMPLES: self adaptive mining of persistent lexical snippets for classifying mobile application traffic. In: Proceedings of the 21st Annual International Conference on Mobile Computing and Networking, pp. 439–451. ACM (2015)

    Google Scholar 

  42. Yu, L., Wang, Q., Barrineau, G., Oakley, J., Brooks, R.R., Wang, K.C.: TARN: a SDN-based traffic analysis resistant network architecture. arXiv preprint arXiv:1709.00782 (2017)

  43. Zhai, E., Wolinsky, D.I., Chen, R., Syta, E., Teng, C., Ford, B.: AnonRep: towards tracking-resistant anonymous reputation. In: NSDI, pp. 583–596 (2016)

    Google Scholar 

Download references

Acknowledgements

The authors would like to thank their shepherd Roya Ensafi.

Author information

Authors and Affiliations

  1. Niometrics, Singapore, Singapore

    Eva Papadogiannaki, Constantinos Halevidis, Periklis Akritidis & Lazaros Koromilas

Authors
  1. Eva Papadogiannaki
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Constantinos Halevidis
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Periklis Akritidis
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Lazaros Koromilas
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Eva Papadogiannaki .

Editor information

Editors and Affiliations

  1. University of Illinois at Urbana-Champaign, Urbana, IL, USA

    Michael Bailey

  2. Ruhr-Universität Bochum, Bochum, Germany

    Thorsten Holz

  3. Vrije Universiteit Amsterdam, Amsterdam, The Netherlands

    Manolis Stamatogiannakis

  4. Foundation for Research & Technology – Hellas, Heraklion, Crete, Greece

    Sotiris Ioannidis

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Papadogiannaki, E., Halevidis, C., Akritidis, P., Koromilas, L. (2018). OTTer: A Scalable High-Resolution Encrypted Traffic Identification Engine. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science(), vol 11050. Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-00470-5_15

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00469-9

  • Online ISBN: 978-3-030-00470-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation