Detecting Encrypted Traffic: A Machine Learning Approach

Authors: Seunghun Cha and Hyoungshick Kim
Detecting encrypted traffic is increasingly important for deep packet inspection (DPI) to improve the performance of intrusion detection systems. Key Method: To demonstrate how effective the proposed approach is, the performance of four classification methods (Naive Bayesian, Support Vector Machine, CART and AdaBoost) is explored. Our recommendation is to use CART, which is not only capable of achieving an accuracy of 99.9% but is also up to about 2.9 times more efficient than the second best candidate (Naive…
The effects of feature selection on the classification of encrypted botnet
This study proposes an encrypted botnet detection technique based on packet header analysis that does not require deep packet inspection or intensive traffic analysis; however, the proposed technique does require analysis of the features taken from the packet header, which are essential for detection.
Classification of VPN Network Traffic Flow Using Time Related Features on Apache Spark
This study has shown that an approach using CIC-Darknet2020 for packet-level encrypted traffic classification cannot incorporate packet header information, since header information allows a packet to be mapped directly to a specific application with high accuracy.
A Framework for Detecting Botnet Command and Control Communication over an Encrypted Channel
This research aims to detect botnets over an encrypted channel with high accuracy and fast detection time, and to provide autonomous management to the network manager.
A Semi-supervised Classification Algorithm for Encrypted Discrete Sequential Protocol Data Based on GAN
A two-stage semi-supervised classification method based on Generative Adversarial Networks (GAN) for sparsely labeled encrypted Discrete Sequence Protocol Data is proposed and results show that the accuracy and F1 of the proposed method are improved by more than 10 percentage points on average.
Classification of Discrete Sequential Protocol Messages Based on LSTM Network and Transfer Learning
The results show that the data length that must be processed is shortened to 10 bytes by treating DSM as a one-dimensional time series, whereas traditional methods often require many more bytes.
An Encrypted Field Locating Algorithm for Private Protocol Data Based on Data Reconstruction and Moment Eigenvector
An algorithm based on data reconstruction and moment eigenvector is proposed, which can not only estimate the encryption result but also locate the encrypted field in each data sample, and exhibits salient advantages.
Cleartext Data Transmissions in Consumer IoT Medical Devices
A method to capture network traffic from medical IoT devices and automatically detect cleartext information that may reveal sensitive medical conditions and behaviors is introduced and a traffic capture and analysis system is presented that seamlessly integrates with a home network and offers a user-friendly interface.
Entropy Estimation for Real-Time Encrypted Traffic Identification (Short Paper)
The presented approach, named real-time encrypted traffic detector (RT-ETD), is well suited to operate as pre-filter for advanced classification approaches to enable their applicability on increased bandwidth.
Investigating Two Different Approaches for Encrypted Traffic Classification
This work compares the utility of an expert-driven system and a data-driven system for classifying encrypted network traffic, specifically SSH traffic from traffic log files, and shows that the data-driven system approach outperforms the expert-driven system in terms of high detection and low false positive rates.
Generalization of signatures for SSH encrypted traffic identification
This work identified 13 signatures and 14 flow attributes for SSH traffic classification in which IP addresses, source/destination ports and payload information are not employed, and these are able to identify encrypted traffic with a high detection rate and low false positive rate.
Data mining for security applications: Mining concept-drifting data streams to detect peer to peer botnet traffic
The presentation first provides an overview of data mining for security applications and then discusses research on the botnet problem, which follows from an important observation: network traffic is a continuous data stream.
On the Effectiveness of Different Botnet Detection Approaches
This work investigates four different botnet detection approaches based on the technique used and the type of data employed; two of them are public rule-based systems (BotHunter and Snort) and the other two are data-mining-based techniques with different feature extraction methods (packet-payload based and traffic-flow based).
Detecting Backdoors
A general algorithm for detecting interactive traffic based on packet size and timing characteristics, and a set of protocol-specific algorithms that look for signatures distinctive to particular protocols are developed.
Clear and Present Data: Opaque Traffic and its Security Implications for the Future
Evaluation on traffic from two campuses reveals that new techniques for accurate real-time winnowing, or filtering, of opaque traffic are able to identify opaque data with 95% accuracy, on average, while examining less than 16 bytes of payload data.
Using Entropy Analysis to Find Encrypted and Packed Malware
Entropy analysis examines the statistical variation in malware executables, enabling analysts to quickly and efficiently identify packed and encrypted samples.
Fast monitoring of traffic subpopulations
FlexSample, a traffic monitoring engine that dynamically extracts traffic from subpopulations that operators define using conditions on packet header fields, is presented; it is found to capture significantly more packets from these subpopulations than conventional approaches.