Drakkar
Home > Publications > Conferences > Markov Chain Fingerprinting to Classify Encrypted Traffic

Maciej Korczyński and Andrzej Duda

Markov Chain Fingerprinting to Classify Encrypted Traffic

In Proceedings of IEEE INFOCOM (The 33rd Annual IEEE International Conference on Computer Communications), April 27th - May 2nd, 2014, Toronto, Canada

Sunday 27 April 2014

In this paper, we propose stochastic fingerprints for application traffic flows conveyed in Secure Socket Layer/Transport Layer Security (SSL/TLS) sessions. The fingerprints are based on first-order homogeneous Markov chains for which we identify the parameters from observed training application traces. As the fingerprint parameters of chosen applications considerably differ, the method results in a very good accuracy of application discrimination and provides a possibility of detecting abnormal SSL/TLS sessions. Our analysis of the results reveals that obtaining application discrimination mainly comes from incorrect implementation practice, the misuse of the SSL/TLS protocol, various server configurations, and the application nature.

titre documents joints:


1996-2017 Drakkar | Site Map | | Contact | RSS 2.0 | SPIP