Corpus ID: 14288789

A statistical framework for identification of tunnelled applications using machine learning

  • Ghulam Mujtaba, David J. Parish
  • Int. Arab J. Inf. Technol.
This work describes a statistical approach to detect applications which are running inside application layer tunnels. Application layer tunnels are a significant threat for network abuse and violation of the acceptable internet usage policy of an organisation. In tunnelling, the prohibited application packets are encapsulated as the payload of an allowed protocol packet. It is very difficult to identify tunnelling using conventional methods in the case of encrypted HTTPS tunnels, for example. Hence…
Application Behavior Identification in DNS Tunnels Based on Spatial-Temporal Information
This study investigates the spatial-temporal information from the raw packets to identify the internal application behaviors in DNS tunnels using a machine-learning algorithm to achieve higher identification accuracy with a much lower packet consuming rate when compared with the state-of-the-art internal protocol identification scheme.


Detection of applications within encrypted tunnels using packet size distributions
  • G. Mujtaba, D. Parish
  • Computer Science
  • 2009 International Conference for Internet Technology and Secured Transactions, (ICITST)
  • 2009
This work describes a statistical approach to detect applications which are running using encrypted tunnels and shows that tunneled applications can be detected using packet size distribution in encrypted tunnels.
Tunnel Hunter: Detecting application-layer tunnels with statistical fingerprinting
A statistical classification mechanism that could represent an important step towards new techniques for securing network boundaries is proposed, called Tunnel Hunter, which relies on the statistical characterization at the IP-layer of the traffic that is allowed by a given security policy.
Using packet size distributions to identify real-time networked applications
The paper considers an alternative approach to the detection of real-time applications by searching for a statistical fingerprint derivable from the observable traffic streams generated by such applications, and the packet size distribution of the application is found.
Detection of Encrypted Tunnels Across Network Boundaries
This paper proposes an effective solution to the problem of firewalling based on a statistical traffic classification technique that relies on the creation of a statistical fingerprint of legitimate usage of a given protocol, such as regular remote interactive logins or secure copying activities, which can be used to detect non-legitimate sessions.
Performance of OpenDPI in Identifying Sampled Network Traffic
This paper addresses the sensitivity of OpenDPI, one of the most powerful freely available DPI systems, with sampled network traffic, and some conclusions are drawn to show how far DPI methods could be optimised through traffic sampling.
A preliminary performance comparison of five machine learning algorithms for practical IP traffic flow classification
The performance impact of feature set reduction, using Consistency-based and Correlation-based feature selection, is demonstrated on Naïve Bayes, C4.5, Bayesian Network and Naïve Bayes Tree algorithms.
P2P Streaming Traffic Detection in Encrypted Tunnel
The proposed solution finds the heartbeat signature by using the plain-text P2P streaming traffic and detects the traffic in the encrypted tunnel based on the heartbeat signatures of the traffic.
Detecting HTTP Tunneling Activities
A novel intrusion detection system which makes use of behavior profiles to identify HyperText Transfer Protocol (HTTP) tunneling activities and shows the effectiveness of the system and the validity of using packet features for anomaly detection.
Web tap: detecting covert web traffic
The design of Web Tap, results from its evaluation, and potential limits to Web Tap's capabilities are presented.
Discriminators for use in flow-based classification
This document describes sets of data intended to aid in the assessment of classification work; each data set consists of a number of objects, and each object is described by a group of features (also referred to as discriminators).