jmlr jmlr2006 jmlr2006-97 jmlr2006-97-reference knowledge-graph by maker-knowledge-mining
Source: pdf
Author: Charles V. Wright, Fabian Monrose, Gerald M. Masson
Abstract: Several fundamental security mechanisms for restricting access to network resources rely on the ability of a reference monitor to inspect the contents of traffic as it traverses the network. However, with the increasing popularity of cryptographic protocols, the traditional means of inspecting packet contents to enforce security policies is no longer a viable approach as message contents are concealed by encryption. In this paper, we investigate the extent to which common application protocols can be identified using only the features that remain intact after encryption—namely packet size, timing, and direction. We first present what we believe to be the first exploratory look at protocol identification in encrypted tunnels which carry traffic from many TCP connections simultaneously, using only post-encryption observable features. We then explore the problem of protocol identification in individual encrypted TCP connections, using much less data than in other recent approaches. The results of our evaluation show that our classifiers achieve accuracy greater than 90% for several protocols in aggregate traffic, and, for most protocols, greater than 80% when making fine-grained classifications on single connections. Moreover, perhaps most surprisingly, we show that one can even estimate the number of live connections in certain classes of encrypted tunnels to within, on average, better than 20%. Keywords: traffic classification, hidden Markov models, network security
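The abstract's core observation is that encryption hides payloads but not packet sizes, directions or timing, and that a hidden Markov model built over those features can still tell application protocols apart. The following is an added illustration of that idea, not code from Wright, Monrose and Masson and not their trained models: it quantizes each packet into a (direction, size-bin) symbol, scores a flow under two hand-built profile HMMs with the forward algorithm, and labels the flow by the more likely model. The two models ("web-like" request/response and "interactive" keystroke/echo), the size bins, the smoothing floor and the two packet traces are all constructed for the example; timing is deliberately left out, and the paper's own feature encoding, model structure and training procedure are not reproduced here.

```python
"""Toy profile-HMM classifier over post-encryption features (size, direction).

Added example: not code from the paper. The models, size bins and traces
below are constructed for illustration only.
"""
import math
from typing import Dict, List, Sequence, Tuple

Sym = Tuple[str, int]        # (direction, size bin); '>' client->server, '<' server->client
SIZE_BINS = (64, 256, 1024)  # upper bounds of bins 0, 1, 2; anything larger is bin 3 (assumed)
ALPHABET: List[Sym] = [(d, b) for d in "><" for b in range(len(SIZE_BINS) + 1)]
FLOOR = 0.01                 # pseudo-count so no symbol or transition has probability zero


def symbol(direction: str, size: int) -> Sym:
    """Quantize one packet's (direction, payload size) into an observation symbol."""
    b = 0
    for bound in SIZE_BINS:
        if size <= bound:
            break
        b += 1
    return (direction, b)


def _normalize(weights: Dict, keys: Sequence) -> Dict:
    """Add FLOOR to every key, then normalize to a probability distribution."""
    raw = {k: FLOOR + weights.get(k, 0.0) for k in keys}
    z = sum(raw.values())
    return {k: v / z for k, v in raw.items()}


def _logsumexp(xs: Sequence[float]) -> float:
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))


class ProfileHMM:
    """Discrete HMM with named states; rows are given as sparse dicts and smoothed."""

    def __init__(self, name: str, states: Sequence[str], init: Dict[str, float],
                 trans: Dict[str, Dict[str, float]], emit: Dict[str, Dict[Sym, float]]):
        self.name = name
        self.states = list(states)
        self.init = _normalize(init, self.states)
        self.trans = {s: _normalize(trans.get(s, {}), self.states) for s in self.states}
        self.emit = {s: _normalize(emit.get(s, {}), ALPHABET) for s in self.states}

    def log_likelihood(self, obs: Sequence[Sym]) -> float:
        """Forward algorithm in log space: returns log P(obs | model)."""
        if not obs:
            raise ValueError("empty observation sequence")
        alpha = {s: math.log(self.init[s]) + math.log(self.emit[s][obs[0]]) for s in self.states}
        for sym in obs[1:]:
            alpha = {
                j: _logsumexp([alpha[i] + math.log(self.trans[i][j]) for i in self.states])
                   + math.log(self.emit[j][sym])
                for j in self.states
            }
        return _logsumexp(list(alpha.values()))


# Constructed profiles. "web-like": a mid-size client request, a burst of large
# server packets, occasional small client ACKs. "interactive": tiny client
# packets alternating with tiny server echoes.
WEB_LIKE = ProfileHMM(
    "web-like", ["REQ", "RESP", "ACK"],
    init={"REQ": 1.0},
    trans={"REQ": {"RESP": 0.9},
           "RESP": {"RESP": 0.7, "ACK": 0.2, "REQ": 0.1},
           "ACK": {"RESP": 0.6, "REQ": 0.4}},
    emit={"REQ": {(">", 1): 0.5, (">", 2): 0.5},
          "RESP": {("<", 3): 0.7, ("<", 2): 0.3},
          "ACK": {(">", 0): 1.0}},
)
INTERACTIVE = ProfileHMM(
    "interactive", ["KEY", "ECHO"],
    init={"KEY": 0.5, "ECHO": 0.5},
    trans={"KEY": {"ECHO": 0.9, "KEY": 0.1}, "ECHO": {"KEY": 0.9, "ECHO": 0.1}},
    emit={"KEY": {(">", 0): 1.0}, "ECHO": {("<", 0): 0.9, ("<", 1): 0.1}},
)
MODELS = [WEB_LIKE, INTERACTIVE]


def classify(packets: Sequence[Tuple[str, int]], models=MODELS) -> Tuple[str, Dict[str, float]]:
    """Label a flow (list of (direction, size)) by the model with the highest log-likelihood."""
    obs = [symbol(d, n) for d, n in packets]
    scores = {m.name: m.log_likelihood(obs) for m in models}
    return max(scores, key=scores.get), scores


# Constructed traces of (direction, size in bytes); not captured data.
WEB_TRACE = [(">", 300), ("<", 1400), ("<", 1400), ("<", 1400), (">", 52),
             ("<", 1400), (">", 400), ("<", 1400), ("<", 900)]
INTERACTIVE_TRACE = [(">", 48), ("<", 48)] * 6

if __name__ == "__main__":
    for name, trace in [("web", WEB_TRACE), ("interactive", INTERACTIVE_TRACE)]:
        label, scores = classify(trace)
        print(f"{name:12s} -> {label:12s} {scores}")
```

Two caveats a practitioner should keep in mind. First, real profiles are estimated from labeled traces rather than written by hand, and the paper's aggregate-tunnel setting interleaves many connections, so the symbol stream is a mixture rather than a single clean flow. Second, the features this classifier relies on are exactly the ones a defender can distort: padding every record to a fixed size collapses the size bins, and cover traffic blurs direction patterns, at a bandwidth cost.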
References:
Leonard E Baum, Ted Petrie, George Soules, and Norman Weiss. A maximization technique occurring in the statistical analysis of probabilistic functions of Markov chains. Annals of Mathematical Statistics, 41(1):164–171, February 1970.
Laurent Bernaille, Renata Teixeira, Ismael Akodkenou, Augustin Soule, and Kave Salamatian. Traffic classification on the fly. ACM SIGCOMM Computer Communication Review, 36(2):23–26, April 2006.
Bram Cohen. Incentives build robustness in BitTorrent. In Workshop on Economics of Peer-to-Peer Systems, June 2003.
Scott Coull, Joel Branch, Boleslaw Szymanski, and Eric Breimer. Intrusion detection: A bioinformatics approach. In Proceedings of the 19th Annual Computer Security Applications Conference, pages 24–33, December 2003.
Joseph L Doob. Stochastic Processes. Wiley, 1953.
Holger Dreger, Anja Feldmann, Michael Mai, Vern Paxson, and Robin Sommer. Dynamic application-layer protocol analysis for network intrusion detection. In Proceedings of the 15th USENIX Security Symposium, pages 257–272, August 2006.
James Early, Carla Brodley, and Catherine Rosenberg. Behavioral authentication of server flows. In Proceedings of the 19th Annual Computer Security Applications Conference, pages 46–55, December 2003.
Sean Eddy. Multiple alignment using hidden Markov models. In Proceedings of the Third International Conference on Intelligent Systems for Molecular Biology, pages 114–120, July 1995.
Sean Eddy, Graeme Mitchison, and Richard Durbin. Maximum discrimination hidden Markov models of sequence consensus. Journal of Computational Biology, 2:9–23, 1995.
Don Faxon, R Duane King, John T Rigsby, Steve Bernard, and Edward J Wegman. Data cleansing and preparation at the gates: A data-streaming perspective. In 2004 Proceedings of the American Statistical Association, August 2004.
Federal Information Processing Standards. Advanced Encryption Standard (AES), FIPS 197, November 2001.
Anja Feldmann. Characteristics of TCP connection arrivals. In Park and Willinger (Eds.), Wiley-Interscience, 2000.
Edward W Felten and Michael A Schneider. Timing attacks on web privacy. In Proceedings of the 7th ACM Conference on Computer and Communications Security, pages 25–32, November 2000.
Thomas Karagiannis, Konstantina Papagiannaki, and Michalis Faloutsos. BLINC: Multilevel traffic classification in the dark. In ACM SIGCOMM, August 2005.
Stephen Kent and Ran Atkinson. RFC 2406: IP Encapsulating Security Payload (ESP), November 1998.
Tadayoshi Kohno, Andre Broido, and kc claffy. Remote physical device fingerprinting. In Proceedings of the 2005 IEEE Symposium on Security and Privacy, pages 211–225, May 2005.
Anders Krogh, Michael Brown, I Saira Mian, Kimmen Sjölander, and David Haussler. Hidden Markov models in computational biology: Applications to protein modeling. Journal of Molecular Biology, 235(5):1501–1531, February 1994.
Solomon Kullback and Richard A Leibler. On information and sufficiency. The Annals of Mathematical Statistics, 22(1):79–86, March 1951.
Wenke Lee and Dong Xiang. Information-theoretic measures for anomaly detection. In Proceedings of the 2001 IEEE Symposium on Security and Privacy, pages 130–143, May 2001.
Richard P Lippmann, David J Fried, Isaac Graf, Joshua W Haines, Kristopher R Kendall, David McClung, Dan Weber, Seth E Webster, Dan Wyschogrod, Robert K Cunningham, and Marc A Zissman. Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation. In Proceedings of the 2000 DARPA Information Survivability Conference and Exposition, January 2000.
Anthony McGregor, Mark Hall, Perry Lorier, and James Brunskill. Flow clustering using machine learning techniques. In The 5th Annual Passive and Active Measurement Workshop (PAM 2004), April 2004.
John McHugh. Testing intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security, 3(4):262–294, November 2000.
Andrew Moore and Konstantina Papagiannaki. Towards the accurate identification of network applications. In The 6th Annual Passive and Active Measurement Workshop (PAM 2005), March 2005.
Andrew W Moore and Denis Zuev. Internet traffic classification using Bayesian analysis techniques. In ACM SIGMETRICS, June 2005.
Vern Paxson. Empirically-derived analytic models of wide-area TCP connections. IEEE/ACM Transactions on Networking, 2(4):316–336, August 1994.
Eric Rescorla. SSL and TLS: Designing and Building Secure Systems. Addison-Wesley, 2000.
Alexander Schliep, Alexander Schönhuth, and Christine Steinhoff. Using hidden Markov models to analyze gene expression time course data. Bioinformatics, 19(Supplement 1):i255–i263, July 2003.
Dawn Song, David Wagner, and Xuqing Tian. Timing analysis of keystrokes and SSH timing attacks. In Proceedings of the 10th USENIX Security Symposium, August 2001.
Qixiang Sun, Daniel R Simon, Yi-Min Wang, Will Russell, Venkata N Padmanabhan, and Lili Qiu. Statistical identification of encrypted web browsing traffic. In Proceedings of the IEEE Symposium on Security and Privacy, pages 19–30, May 2002.
Andrew J Viterbi. Error bounds for convolutional codes and an asymptotically optimum decoding algorithm. IEEE Transactions on Information Theory, IT-13:260–267, 1967.
Xinyuan Wang, Douglas S Reeves, and S Felix Wu. Inter-packet delay based correlation for tracing encrypted connections through stepping stones. In 7th European Symposium on Research in Computer Security (ESORICS), pages 244–263, October 2002.
David Williams. Probability with Martingales. Cambridge University Press, 1991.
Charles Wright, Fabian Monrose, and Gerald M Masson. HMM profiles for network traffic classification (extended abstract). In Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pages 9–15, October 2004.
Charles Wright, Fabian Monrose, and Gerald M Masson. Using visual motifs to classify encrypted traffic. In Proceedings of the 3rd International Workshop on Visualization for Computer Security, November 2006. To appear.
Kuai Xu, Zhi-Li Zhang, and Supratik Bhattacharya. Profiling internet backbone traffic: Behavior models and applications. In SIGCOMM ’05: Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pages 169–180, August 2005.
Tatu Ylonen. SSH – secure login connections over the Internet. In Proceedings of the 6th USENIX Security Symposium, pages 37–42, July 1996.
Kunikazu Yoda and Hiroaki Etoh. Finding a connection chain for tracing intruders. In 6th European Symposium on Research in Computer Security (ESORICS), pages 191–205, October 2000.
Yin Zhang and Vern Paxson. Detecting back doors. In Proceedings of the 9th USENIX Security Symposium, pages 157–170, August 2000a.
Yin Zhang and Vern Paxson. Detecting stepping stones. In Proceedings of the 9th USENIX Security Symposium, pages 171–184, August 2000b.