Classifying encrypted traffic using adaptive fingerprints with multi-level attributes

World Wide Web

Abstract

With the rapid development of the Internet, network management and monitoring face a number of challenges, one of which is traffic classification. Meanwhile, the SSL/TLS protocols are extensively used to encrypt communication payloads, which makes traditional rule-based classification methods inapplicable. Without fingerprints of sufficient distinguishing power, other existing methods cannot achieve satisfactory performance on encrypted traffic classification. In this paper, we focus on SSL/TLS encrypted traffic and propose the Adaptive Fingerprint with Multi-level Attributes (AFMA) to classify it. AFMA combines field-level and sequence-level attributes to tackle the encrypted traffic classification problem. Specifically, the distribution of server-to-client ciphersuites across applications is first introduced to characterize application preferences. Moreover, besides message type sequences, length block sequences are specially designed to highlight the differences in application fingerprints. In addition, AFMA can adaptively learn the distributions for constructing the fingerprint by analyzing the overall statistics of the applications. The performance of AFMA was verified on a real-world dataset from a campus network (with 956,000+ SSL/TLS traffic flows for 18 popular applications). Our experiments show that AFMA could achieve a true positive rate of up to 99.46% and a false positive rate as low as 0.03%, which outperforms the state-of-the-art methods and our previous method.

Notes

  1. We are not able to analyze all possible fields for the following reasons: (i) not all fields are present in all flows; and (ii) not all fields and information are present in the dataset we captured. But luckily, the S2C cipher is found to be effective. It is possible that there are other fields that can be used too, and this requires further investigation.

  2. “22:-23:-23” means that the packet carries application data of two record layers.

Acknowledgements

This work is supported by National Key Research and Development Program of China (No. 2020YFE0200500) and The Development Program for Guangdong Province under grant No. 2019B010137003 and National Key Research and Development Program of China (No. 2016QY05X1000) and the Strategic Priority Research Program of Chinese Academy of Sciences, Grant No. XDC02040400.

Author information

Corresponding author

Correspondence to Gaopeng Gou.

Cite this article

Liu, C., Xiong, G., Gou, G. et al. Classifying encrypted traffic using adaptive fingerprints with multi-level attributes. World Wide Web 24, 2071–2097 (2021). https://doi.org/10.1007/s11280-021-00940-0
