Drakkar

Maciej Korczyński and Andrzej Duda

Markov Chain Fingerprinting to Classify Encrypted Traffic

In Proceedings of IEEE INFOCOM (The 33rd Annual IEEE International Conference on Computer Communications), April 27th - May 2nd, 2014, Toronto, Canada

Sunday 27 April 2014

In this paper, we propose stochastic fingerprints for application traffic flows conveyed in Secure Socket Layer/Transport Layer Security (SSL/TLS) sessions. The fingerprints are based on first-order homogeneous Markov chains whose parameters we identify from observed training application traces. As the fingerprint parameters of the chosen applications differ considerably, the method discriminates applications with very good accuracy and makes it possible to detect abnormal SSL/TLS sessions. Our analysis of the results reveals that application discrimination mainly comes from incorrect implementation practice, misuse of the SSL/TLS protocol, various server configurations, and the nature of the application.
