Entropy Estimation for Real-Time Encrypted Traffic Identification
Paper i proceeding, 2011
This paper describes a novel approach to classify network traffic into encrypted and unencrypted traffic. The classifier is able to operate in real-time as only the first packet of each flow is processed. The main metric used for classification is an estimation of the entropy of the first packet payload. The approach is evaluated based on encrypted ground truth traces and on real network traces. Encrypted traffic such as Skype, or encrypted eDonkey traffic are detected as encrypted with probability higher than 94%. Unencrypted protocols such as SMTP, HTTP, POP3 or FTP are detected as unencrypted with probability higher than 99.9%. The presented approach, named real-time encrypted traffic detector (RT-ETD), is well suited to operate as pre-filter for advanced classification approaches to enable their applicability on increased bandwidth.
entropy estimation
real-time detection
traffic filtering
Författare
Peter Dorfinger
Salzburg Research Forschungsgesellschaft mbH
Georg Panholzer
Salzburg Research Forschungsgesellschaft mbH
Wolfgang John
Chalmers, Data- och informationsteknik, Nätverk och system
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
03029743 (ISSN) 16113349 (eISSN)
Vol. 6613 164-171978-3-642-20304-6 (ISBN)
Ämneskategorier
Datorteknik
Telekommunikation
Styrkeområden
Informations- och kommunikationsteknik
DOI
10.1007/978-3-642-20305-3_14
ISBN
978-3-642-20304-6