https traffic classification
play

HTTPS Traffic Classification Wazen M. Shbair, Thibault Cholez, J er - PowerPoint PPT Presentation

Oct 02, 2023 •12 likes •292 views

HTTPS Traffic Classification Wazen M. Shbair, Thibault Cholez, J er ome Fran cois, Isabelle Chrisment J er ome Fran cois Inria Nancy Grand Est, France jerome.francois@inria.fr NMLRG - IETF95 April 7th, 2016 1 / 26 The HTTPS

  1. HTTPS Traffic Classification Wazen M. Shbair, Thibault Cholez, J´ erˆ ome Fran¸ cois, Isabelle Chrisment J´ erˆ ome Fran¸ cois Inria Nancy Grand Est, France jerome.francois@inria.fr NMLRG - IETF95 April 7th, 2016 1 / 26

  2. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion Outline 1 The HTTPS Dilemma 2 SNI-Based Filtering 3 A Multi-Level Framework to Identify HTTPS Services 4 Evaluation 5 Conclusion 2 / 26

  3. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion The HTTPS Dilemma Security vs. Privacy HTTPS or HTTP-over-TLS is a protocol for secure communication over a computer network. Content providers (Google, Facebook, ...) need securing contents over the web by moving to HTTPS. Despite SSL/TLS good intentions, it may be used for illegitimate purposes. The main research question Can we rely on the monitoring techniques that don’t decrypt HTTPS traffic? 3 / 26

  4. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion Overview of SNI What is SNI ? SNI is an extension inside Client Hello Message, proposed to support virtual hosting for websites use HTTPS. Figure : TLS handshake 4 / 26

  5. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion SNI-based Filtering Evaluation SNI-based filtering SNI-Filtering has two weaknesses, regarding the backward compatibility and multiple services using a single certificate. The ”Escape” plug-in is our proof of concept exploiting SNI weaknesses. Successfully tested against 3 firewalls and top 20 visited websites such as Google Search, Facebook, Youtube, Twitter. Publication W.Shbair, T.Cholez, A.Goichot, I.Chrisment: ”Efficiently Bypassing SNI-based HTTPS Filtering”, IFIP/IEEE IM2015. 5 / 26

  6. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion Identifying HTTPS Services Flow-Based Statistical improvements One way is to combined it with algorithms from different fields like Machine Learning (ML) [1]. It has been used widely in the identification of encrypted traffic problem. Mainly used to identifying the type of applications, such as (HTTPS, Mail, P2P, VoIP, SSH, Skype, etc.). 6 / 26

  7. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion Identifying HTTPS Services Flow-Based Statistical improvements One way is to combined it with algorithms from different fields like Machine Learning (ML) [1]. It has been used widely in the identification of encrypted traffic problem. Mainly used to identifying the type of applications, such as (HTTPS, Mail, P2P, VoIP, SSH, Skype, etc.). New Challenges Considering all HTTPS as a single class is not enough for security monitoring because it regroups very different services. 6 / 26

  8. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion Identifying HTTPS Services Website Fingerprinting (WF) Defined as the process of identifying the URL of web pages that are accessed. Identifying accessed HTTPS encrypted web pages base on static object size parsed from unencrypted traffic [2]. 7 / 26

  9. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion Identifying HTTPS Services Website Fingerprinting (WF) Defined as the process of identifying the URL of web pages that are accessed. Identifying accessed HTTPS encrypted web pages base on static object size parsed from unencrypted traffic [2]. WF Issue It fails with dynamic web pages that use HTTPS Content Delivery Network (CDN) such as Akamai. (Too fine-grained) 7 / 26

  10. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion A Multi-Level Framework to Identify HTTPS Services The motivation An intermediate identification method monitors at service-level. Identify the HTTPS services without relying on header fields. Do not decrypt the HTTPS traffic. The core techniques 1 Machine Learning techniques. 2 Novel multi-level classification approach. 3 Well tuned set of features 8 / 26

  11. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion Machine Learning Techniques Figure : Flat classification view The Legacy method The existing methods follow the ”FLAT” view. Identifying the websites and applications directly. Drawbacks: low scalability, low accuracy and high error rate. 9 / 26

  12. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion A Novel Multi-Level Classification Approach Figure : Multi-level presentation Multi-level method Reform the training dataset into a tree-like fashion. The top level is refereed as Class-level (Root domain) The lower Level contains individual Folds-level (Sub-domain) 10 / 26

  13. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion A Multi-Level Framework to Identify HTTPS Services Figure : The work-flow of the HTTPS traffic identification framework 11 / 26

  14. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion Multi-Level Classification Approach The novel evaluation method A novel method more suitable for multi-level approach: If service provider and the service name are predicted → Perfect identification . If service provider is predicted but not the service name → Partial identification . If neither service provider nor the service name are predicted → Invalid identification 12 / 26

  15. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion Methodology Overview The evaluation of the proposed solution contains 3 parts: Evaluation of the collected dataset. Evaluation of the proposed features set. Evaluation of the multi-level classification approach. Evaluation of the collected dataset Contains more than 288,901 HTTPS connections. Pre-processed to be suitable for multi-level approach. Processed to determine a reasonable threshold for the minimum number of labelled connections per service. 13 / 26

  16. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion Features selection Evaluation of the proposed features set Classical 30 features from previous work [3, 4] New 12 features are proposed over the encrypted payload The 42 features are optimized by Features Selection technique The key benefits is reducing over-fitting by removing irrelevant and redundant features [5] Feature Selection result 18 features are highly relevant: 10 out of 12 from our proposed set and 8 out of 30 from the classical ones. This validates the rationale of the proposed features for identifying HTTPS services. 14 / 26

  17. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion The 18 selected features Client ↔ Server Inter Arrival Time (75th percentile) Client → Server Packet size (75th percentile, Maximum), Inter Arrival Time (75th percentile), Encrypted Payload( Mean, 25th, 50th percentile, Variance, maximum) Server → Client Packet size (50th percentile, Maximum), Inter Arrival Time (25th, 75th percentile), Encrypted payload(25th, 50th, 75th percentile, variance, maximum) 15 / 26

  18. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion Experiments and Evaluation Results Evaluation of the proposed features set By using WEKA 1 tool the features set are evaluated by C4.5 and RandomForest algorithm: Classical 30-features : C4.5 achieves 83.4% ± 1.0 Precision, RandomForest achieves 85.7% ± 0.4 Precision. Selected 18-features : C4.5 achieves 85.87% ± 0.64 Precision, RandomForest achieves 87.60% ± 0.10 Precision. Full 42-features : C4.5 achieves 86.65% ± 0.7 Precision, RandomForest achieves 87.82% ± 0.68 Precision. 1 www.cs.waikato.ac.nz 16 / 26

  19. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion Minimal number of connections 17 / 26

  20. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion Muti-level classification HTTPS Identification Framework Evaluation The framework has been evaluated in two steps: Evaluate each level separately, to measure the performance of each classification model. Evaluate the whole framework as one black box. Evaluation conditions: Full features set (42 features). RandomForest as ML algorithm. At least 100 connections number per service. K-Fold cross validation with k=10. 18 / 26

  21. The HTTPS Dilemma SNI-Based Filtering A Multi-Level Framework to Identify HTTPS Services Evaluation Conclusion Evaluation Results Top Level Evaluation Experiments show that we can identifying the service provider of HTTPS traffic with 93.6% overall accuracy. Figure : Top Level of the framework 19 / 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic classification? Communities of Interest for classification BLINC Profiling Internet Backbone Traffic What is missing here? Traffic

965 views • 81 slides
Need for Classification Classification required To isolate traffic of interest

Need for Classification Classification required To isolate traffic of interest

Need for Classification Classification required To isolate traffic of interest Classification of Internet Traffic To treat special types of traffic in a different manner Some types of classification already seen in Alok

371 views • 9 slides
Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification, Measurement, and Analysis and Analysis ISC/CAIDA Data Collaboration Workshop October 22, 2012 David Plonka & Paul Barford

1.33k views • 26 slides
Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com Website: http://www.gl.com 1 1 Traffic

228 views • 11 slides
Traffic Classification Rotsos Charalampos , Jurgen Van Gael, Andrew W. Moore, Zoubin Ghahramani

Traffic Classification Rotsos Charalampos , Jurgen Van Gael, Andrew W. Moore, Zoubin Ghahramani

Probabilistic Graphical Models for Semi-Supervised Traffic Classification Rotsos Charalampos , Jurgen Van Gael, Andrew W. Moore, Zoubin Ghahramani Computer Laboratory and Engineering Department, University of Cambridge Traffic classification

257 views • 21 slides
Towards Reliable Traffic Classification Using Visual Motifs Wilson Lian 1 John McHugh 1 , 2 Fabian

Towards Reliable Traffic Classification Using Visual Motifs Wilson Lian 1 John McHugh 1 , 2 Fabian

Background Visual Motifs Traffic Classification Evaluation Towards Reliable Traffic Classification Using Visual Motifs Wilson Lian 1 John McHugh 1 , 2 Fabian Monrose 1 1 University of North Carolina at Chapel Hill 2 RedJack, LLC FloCon 2010

652 views • 47 slides
How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and

How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and

MonNet a project for network and traffic monitoring How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University of Technology

760 views • 21 slides
1 THE ANALYSIS OF TRAFFIC SAFETY THE ANALYSIS OF TRAFFIC SAFETY 3. Classification of stop

1 THE ANALYSIS OF TRAFFIC SAFETY THE ANALYSIS OF TRAFFIC SAFETY 3. Classification of stop

AGENDA AGENDA 1. The role and significance of public transport and tram transport in urban areas 2. Goal and stages of the study 1 THE ANALYSIS OF TRAFFIC SAFETY THE ANALYSIS OF TRAFFIC SAFETY 3. Classification of stop stations at tram stops

169 views • 4 slides
Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh

Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh

Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh Ghassemi, and Zahra Alimadadi TTCS 2020,Tehran, Iran 1 Network Traffic Classification, What & Why?

655 views • 44 slides
Classification & Filtering Traffic Management October 2016 Chelsio T5/T6 Packet

Classification & Filtering Traffic Management October 2016 Chelsio T5/T6 Packet

Classification & Filtering Traffic Management October 2016 Chelsio T5/T6 Packet Classification and Filtering Features 1. Supported Match Fields with Optional Masks Up to 500K exact-match and 2K wildcard rules, 20M/sec lookup rate, 200K

92 views • 6 slides
Towards Explicable and Adaptive DDoS Traffic Classification Yebo Feng, Jun Li University of

Towards Explicable and Adaptive DDoS Traffic Classification Yebo Feng, Jun Li University of

The 21st Passive and Active Measurement Conference (PAM 2020) Towards Explicable and Adaptive DDoS Traffic Classification Yebo Feng, Jun Li University of Oregon {yebof, lijun}@cs.uoregon.edu Towards Explicable and Adaptive DDoS Traffic

339 views • 10 slides
Primer to Traffic Conflicts Failure-cause sed Traffic Conflicts s (Near-crash Events)

Primer to Traffic Conflicts Failure-cause sed Traffic Conflicts s (Near-crash Events)

Primer to Traffic Conflicts Failure-cause sed Traffic Conflicts s (Near-crash Events) Theory, Applications s and Validation https://www.youtube.com/watch?v=wo_u5Ncv-Ko (right angle) https://www.youtube.com/watch?v=HIRKH6MtY2Y (side

611 views • 7 slides
Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Introduction Statement problem Mathematical background Algorithm Experiments Conclusions Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and OC-SVM with Mahalanobis Kernel Jayro Santiago-Paz, Deni

583 views • 23 slides
Traffic analysis and modelling 1 Service classification Services may be classified according

Traffic analysis and modelling 1 Service classification Services may be classified according

Traffic analysis and modelling 1 Service classification Services may be classified according to many criteria. For example, loosely classify according to nature of transmitted information: voice services computer communications, and

407 views • 21 slides
BLINC: Multilevel Traffic Classification in the Dark Thomas Karagiannis, UC Riverside

BLINC: Multilevel Traffic Classification in the Dark Thomas Karagiannis, UC Riverside

BLINC: Multilevel Traffic Classification in the Dark Thomas Karagiannis, UC Riverside Konstantina Papagiannaki, Intel Research Cambridge Michalis Faloutsos, UC Riverside The problem of workload characterization The goal: Classify Internet

649 views • 29 slides
Early online classification of encrypted traffic streams using multi-fractal features Erik

Early online classification of encrypted traffic streams using multi-fractal features Erik

Early online classification of encrypted traffic streams using multi-fractal features Erik Arestrm, Linkping University Niklas Carlsson, Linkping University Motivation and problem Early flow classification is important for network

629 views • 40 slides
Off-Policy Evaluation via Off- Policy Classification Alex Irpan, Kanishka Rao, Konstantinos

Off-Policy Evaluation via Off- Policy Classification Alex Irpan, Kanishka Rao, Konstantinos

Off-Policy Evaluation via Off- Policy Classification Alex Irpan, Kanishka Rao, Konstantinos Bousmalis, Chris Harris, Julian Ibarz, Sergey Levine Topic: Imitation - Inverse RL Presenter:Ning (Angela) Ye Overview Motivation Contributions

758 views • 26 slides
Weakly Supervised Classification Weakly Supervised Classification and Robust Learning and Robust

Weakly Supervised Classification Weakly Supervised Classification and Robust Learning and Robust

IIT-H and RIKEN-AIP Joint Workshop on March 15, 2019 Machine Learning and Applications, Hyderabad, India Weakly Supervised Classification Weakly Supervised Classification and Robust Learning and Robust Learning --- Overview of Our Recent

1.06k views • 25 slides
Machine Learning (CSE 446): Multi-Class Classification; Kernel Methods Sham M Kakade 2018 c

Machine Learning (CSE 446): Multi-Class Classification; Kernel Methods Sham M Kakade 2018 c

Machine Learning (CSE 446): Multi-Class Classification; Kernel Methods Sham M Kakade 2018 c University of Washington cse446-staff@cs.washington.edu 1 / 12 Announcements HW3 due date as posted. make sure to update the HW pdf file

421 views • 18 slides
MACHINE LEARNING Overview 1 1 APPLIED MACHINE LEARNING 2011-2012 APPLIED MACHINE LEARNING

MACHINE LEARNING Overview 1 1 APPLIED MACHINE LEARNING 2011-2012 APPLIED MACHINE LEARNING

APPLIED MACHINE LEARNING 2011-2012 APPLIED MACHINE LEARNING MACHINE LEARNING Overview 1 1 APPLIED MACHINE LEARNING 2011-2012 APPLIED MACHINE LEARNING Exam Format The exam lasts a total of 3 hours: - Upon entering the room, you must

373 views • 21 slides
An unsupervised classification process for large datasets based on web reasoning Rafael PEIXOTO,

An unsupervised classification process for large datasets based on web reasoning Rafael PEIXOTO,

An unsupervised classification process for large datasets based on web reasoning Rafael PEIXOTO, Thomas HASSAN, Christophe CRUZ, Aurelie BERTAUX, Nuno SILVA thomas.hassan@u-bourgogne.fr Laboratoire LE2I UMR CNRS 6306 Universit de

289 views • 28 slides
Multi-dimensional Packet Classification Yadi Ma, Suman Banerjee University of Wisconsin-Madison

Multi-dimensional Packet Classification Yadi Ma, Suman Banerjee University of Wisconsin-Madison

A Smart Pre-Classifier to Reduce Power Consumption of TCAMs for Multi-dimensional Packet Classification Yadi Ma, Suman Banerjee University of Wisconsin-Madison Packet classification S1 L1 D S2 R Internet L2 Subnet A Subnet B

921 views • 65 slides
Ri Risk bo bounds unds for r some me classificati tion n and nd re regre ression models

Ri Risk bo bounds unds for r some me classificati tion n and nd re regre ression models

Ri Risk bo bounds unds for r some me classificati tion n and nd re regre ression models that interpolate Daniel Hsu Columbia University Joint work with: Misha Belkin (The Ohio State University) Partha Mitra (Cold Spring Harbor

419 views • 26 slides
Distributed Data Classification Chih-Jen Lin Department of Computer Science National Taiwan

Distributed Data Classification Chih-Jen Lin Department of Computer Science National Taiwan

Distributed Data Classification Chih-Jen Lin Department of Computer Science National Taiwan University Talk at ICML workshop on New Learning Frameworks and Models for Big Data, June 25, 2014 Chih-Jen Lin (National Taiwan Univ.) 1 / 37

853 views • 37 slides

More recommend