Top

Published in:

2016 | OriginalPaper | Chapter

An Entropy Based Encrypted Traffic Classifier

Authors : Mohammad Saiful Islam Mamun, Ali A. Ghorbani, Natalia Stakhanova

Published in: Information and Communications Security

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

This paper proposes an approach of encrypted network traffic classification based on entropy calculation and machine learning technique. Apart from using ordinary Shannon’s entropy, we examine entropy after encoding and a weighted average of Shannon binary entropy called BiEntropy. The objective of this paper is to identify any application flows as part of encrypted traffic. To achieve this we (i) calculate entropy-based features from the packet payload: encoded payload or binary payload, n-length word of the payload, (ii) employ a Genetic-search feature selection algorithm on the extracted features where fitness function is calculated from True Positive Rate, False Positive Rate and number of selected features, and (iii) propose a data driven supervised machine learning model from Support Vector Machine (SVM) for automatic identification of encrypted traffic. To the best of our knowledge, this is the first attempt to tackle the problem of classifying encrypted traffic using extensive entropy-based features and machine learning techniques.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter A Secure Route Optimization Mechanism for Expressive Internet Architecture (XIA) Mobility

next chapter Modelling and Analysis of Network Security - a Probabilistic Value-passing CCS Approach

Since the repeated patterns in the uncompressed data are removed the redundancy also disappears making data look random and less predictable.

A logarithmic weighting that gives higher weight to the higher derivatives.

dependent on network latency, jitter, packet loss etc. that are less likely to remain across heterogeneous network.

where 1 indicates the features to be selected and 0 not.

To calculate the percentage of splits associated with each predictor.

Callado, A., et al.: A Survey on Internet Traffic Identification. IEEE Commun. Surveys Tutorials, 11(3), 37–52 (2009)CrossRef

Alshammari, R., Nur Zincir-Heywood, A.: Can encrypted traffic be identified without port numbers. Computer networks 55(6), 1326–1350 (2011)CrossRef

Alshammari, R., Nur Zincir-Heywood, A.: Investigating two different approaches for encrypted traffic classification. Privacy, Security and Trust (2008)

Shannon, C.E.: A mathematical theory of communication. Bell Syst. Tech. J. 27(3), 379–423 (1948)MathSciNetCrossRef

Marsaglia, G., Zaman, A.: Monkey tests for random number generators. Comput. Math. Appl. 26(9), 1–10 (1993)MathSciNetCrossRef

jNetPcap, Open-source java library. http://jnetpcap.com

Datasets: Information Security Center of eXcellence (ISCX). www.unb.ca/research/iscx/dataset/

Tstat, Skype Testbed Traces. http://tstat.tlc.polito.it/traces-skype.shtml

Wireshark sample captures. http://wiki.wireshark.org/SampleCaptures

10.

Schneider, P.: TCP/IP traffic Classification Based on port numbers. Division Of Applied Sciences, Cambridge, 2138 (1996)

11.

Karagiannis, T., Papagiannaki, K., Faloutsos, M.: BLINK: multilevel traffic classification in the dark. In: SIGCOMM , Philadelphia, 21–26 August 2005

12.

Moore, A.W., Zuev, D.: Internet traffic classification using bayesian analysis techniques. In: SIGMETRIC, Banff, 6–10 June 2005

13.

Sen, S., Spatscheck, O., Wang, D.: Accurate, scalable in-network identification of P2P traffic using application signatures. In: WWW2005, USA (2004)

14.

Zander, S., Nguyen, T., Armitage, G.: Automated traffic classification and application identification using machine learning. In: LCN, Australia (2005)

15.

Gomes, J.V., et al.: Analysis of peer-to-peer traffic using a behavioural method based on entropy. In: Performance, Computing and Communications Conference (2008)

16.

Bonfiglio, D., et al.: Revealing skype traffic: when randomness plays with you. In: Proceedings of the ACM SIGCOMM, pp. 37–48. ACM Press, USA (2007)CrossRef

17.

Smith, R., et al.: Deflating the big bang: fast and scalable deep packet inspection. In: ACM SIGCOMM , pp. 207–218. ACM Press, USA (2008)

18.

Zhang, H., Papadopoulos, C., Massey, D.: Detecting encrypted botnet traffic. In: Computer Communications Workshops (INFOCOM Workshop). IEEE (2013)

19.

Dorfinger, P., et al.: Entropy-based traffic filtering to support real-time Skype detection. In: Proceedings of the 6th International Wireless Communications and Mobile Computing Conference. ACM (2010)

20.

Korczynski, M., Duda, A.: Markov chain fingerprinting to classify encrypted traffic. In: INFOCOM, Proceedings IEEE. IEEE (2014)

21.

Sun, Q., et al.: Statistical identification of encrypted web browsing traffic. In: IEEE Symposium on Security and Privacy, Proceedings. IEEE (2002)

22.

Weber, M., et al.: A toolkit for detecting and analyzing malicious software. In: 18th Annual Proceedings of Computer Security Applications Conference. IEEE (2002)

23.

Lyda, R., Hamrock, J.: Using entropy analysis to find encrypted and packed malware. IEEE Secur. Privacy 2, 40–45 (2007)CrossRef

24.

Olivain, J., Goubault-Larrecq, J.: Detecting subverted cryptographic protocols by entropy checking. Laboratoire Specification et Verification, ENS Cachan, France, Research Report LSV-06-13 (2006)

25.

Wagner, A., Plattner, B.: Entropy based worm and anomaly detection in fast IP networks. In: WETICE 2005 Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise, pp. 172–177. IEEE Computer Society, Washington, DC (2005)

26.

Quinlan, J.R.: C4.5: Programs for Machine Learning. Morgan Kaufmann Publishers, San Francisco (1993). ISBN=1-55860-238-0

27.

Hall, M., et al.: The WEKA data mining software: an update. ACM SIGKDD Explorations Newsletter 11(1), 10–18 (2009)MathSciNetCrossRef

28.

RStudio, an integrated development environment (IDE)for R. http://www.rstudio.com

29.

Sicker, D.C., Ohm, P., Grunwald, D.: Legal issues surrounding monitoring during network research, In: Proceeding 7th ACM SIGCOMM conference on Internet measurement, ser. IMC 2007, pp. 141–148. ACM, New York (2007)

30.

Chung, J.Y., Park, B., Won, Y.J., Strassner, J., Hong, J.W.: Traffic classification based on flow similarity. In: Nunzi, G., Scoglio, C., Li, X. (eds.) IPOM 2009. LNCS, vol. 5843, pp. 65–77. Springer, Heidelberg (2009)CrossRef

31.

Keralapura, R., Nucci, A., Chuah, C.-N.: Self-learning peer-to-peer traffic classifier. In: Proceedings of 18th Internatonal Conference on Computer Communications and Networks, ICCCN. IEEE (2009)

32.

TCPDUMP packet analizer. http://www.tcpdump.org

33.

Croll, G.J.: BiEntropy-The Approximate Entropy of a Finite Binary String (2013). arXiv preprint arXiv:1305.0954

34.

Zhao, M., et al.: Feature selection and parameter optimization for support vector machines: a new approach based on genetic algorithm with feature chromosomes. Expert Syst. Appl. 38(5), 5197–5204 (2011)CrossRef

35.

LS-SVMlab toolbox. http://www.esat.kuleuven.ac.be/sista/lssvmlab

36.

Erman, J., Arlitt, M., Mahanti, A.: Traffic classification using clustering algorithms. In: Proceedings of the SIGCOMM workshop on Mining network data. ACM (2006)

37.

Jain, A.K., Dubes, R.C.: Algorithms for Clustering Data. Prentice Hall, Englewood Cliffs (1988)MATH

Title: An Entropy Based Encrypted Traffic Classifier
Authors: Mohammad Saiful Islam Mamun
Ali A. Ghorbani
Natalia Stakhanova
Publisher: Springer International Publishing
Book: Information and Communications Security
Print ISBN: 978-3-319-29813-9

Electronic ISBN: 978-3-319-29814-6

Copyright Year: 2016
DOI: https://doi.org/10.1007/978-3-319-29814-6_23

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner