
Detecting Encrypted Traffic: A Machine Learning Approach

  • Conference paper
Information Security Applications (WISA 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10144)
Abstract

Detecting encrypted traffic is increasingly important for deep packet inspection (DPI) to improve the performance of intrusion detection systems. We propose a machine learning approach built on several randomness tests that detects encrypted traffic with high accuracy while keeping the overhead of the detection procedure low. To demonstrate how effective the proposed approach is, the performance of four classification methods (Naïve Bayesian, Support Vector Machine, CART and AdaBoost) is explored. Our recommendation is to use CART, which not only achieves an accuracy of 99.9% but is also up to about 2.9 times more efficient than the second best candidate (Naïve Bayesian).
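The randomness-test features the abstract refers to, as an added example that is not the paper's code: ENT-style statistics (entropy, chi-square, mean, Monte Carlo pi, serial correlation) computed over a packet payload, plus a hand-set decision rule that is an assumption standing in for the paper's trained CART model, applied to a constructed plaintext HTTP sample and a seeded PRNG stream standing in for ciphertext.

```python
import math
import random
from collections import Counter

def ent_features(payload: bytes) -> dict:
    """Randomness statistics in the style of the ENT test suite: one feature vector per payload."""
    n = len(payload)
    counts = Counter(payload)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    expected = n / 256  # count each byte value would have if the payload were uniform
    chi_sq = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))
    mean = sum(payload) / n
    # Monte Carlo pi: consecutive 3-byte pairs form (x, y) points in the unit square;
    # the fraction falling inside the quarter circle estimates pi/4.
    hits = groups = 0
    for i in range(0, n - 5, 6):
        x = int.from_bytes(payload[i:i + 3], "big") / 2 ** 24
        y = int.from_bytes(payload[i + 3:i + 6], "big") / 2 ** 24
        groups += 1
        hits += x * x + y * y <= 1.0
    pi_est = 4.0 * hits / groups if groups else float("nan")
    # Serial correlation coefficient between each byte and its successor (wrapping around).
    xs = list(payload)
    ys = xs[1:] + xs[:1]
    sx, sy = sum(xs), sum(ys)
    sxx, sxy = sum(v * v for v in xs), sum(a * b for a, b in zip(xs, ys))
    denom = n * sxx - sx * sx
    serial = (n * sxy - sx * sy) / denom if denom else 0.0
    return {"entropy": entropy, "chi_sq": chi_sq, "mean": mean, "pi_est": pi_est, "serial": serial}

def looks_encrypted(payload: bytes) -> bool:
    # Hypothetical hand-set rule standing in for the paper's trained CART model: near-maximal
    # entropy, chi-square close to its expected value (~255) and no byte-to-byte correlation.
    # Thresholds assume payloads of a few KiB; the paper's learned splits are not on the page.
    f = ent_features(payload)
    return f["entropy"] > 7.5 and f["chi_sq"] < 512 and abs(f["serial"]) < 0.1

# Constructed samples (not captured traffic): a repeated plaintext HTTP response, and a
# seeded PRNG stream standing in for ciphertext, both 4096 bytes long.
PLAINTEXT_SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b"<html><body>Hello, world</body></html>\r\n" * 60)[:4096]
_rng = random.Random(2016)
ENCRYPTED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        print(name, looks_encrypted(sample), ent_features(sample))
```

A real detector would extract the feature vector per flow or per packet from a capture and feed it to the trained classifier; compressed media can also score high on these tests, which is why the paper combines several statistics rather than relying on entropy alone.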



Acknowledgements

This research was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. B0717-16-0116, Development of information leakage prevention and ID management for secure drone services).

This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (No. 2014R1A1A1003707).

This research was supported by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2016-R0992-16-1006) supervised by the IITP (Institute for Information & communications Technology Promotion).

This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning).


Corresponding authors

Correspondence to Seunghun Cha or Hyoungshick Kim.


Copyright information

© 2017 Springer International Publishing AG


Cite this paper

Cha, S., Kim, H. (2017). Detecting Encrypted Traffic: A Machine Learning Approach. In: Choi, D., Guilley, S. (eds) Information Security Applications. WISA 2016. Lecture Notes in Computer Science, vol 10144. Springer, Cham. https://doi.org/10.1007/978-3-319-56549-1_5


  • DOI: https://doi.org/10.1007/978-3-319-56549-1_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-56548-4

  • Online ISBN: 978-3-319-56549-1
