Early Recognition of Encrypted Applications

Similar documents
3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Chapter 32 Internet Security

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Chapter 7 Transport-Level Security

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Computer Networks. Secure Systems

Virtual Private Networks

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Solution of Exercise Sheet 5

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

How To Understand And Understand The Security Of A Key Infrastructure

A Survey of Methods for Encrypted Traffic Classification and Analysis

Network Security Part II: Standards

Network Security Essentials Chapter 5

Chapter 17. Transport-Level Security

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces

A Preliminary Performance Comparison of Two Feature Sets for Encrypted Traffic Classification

Computer and Network Security Exercise no. 4

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

An apparatus for P2P classification in Netflow traces

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol

Topics in Network Security

Trends and Differences in Connection-behavior within Classes of Internet Backbone Traffic

Web Security Considerations

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

CSC Network Security

CSC 474 Information Systems Security

Chapter 10. Network Security

TLS and SRTP for Skype Connect. Technical Datasheet

Michal Ludvig, SUSE Labs, 01/30/2004, Secure networking, 1

Packet Monitor in SonicOS 5.8

Bypassing PISA AGM Theme Seminar Presented by Ricky Lou Zecure Lab Limited

Flow Analysis Versus Packet Analysis. What Should You Choose?

Automated Vulnerability Scan Results

Cornerstones of Security

ETSF10 Part 3 Lect 2

Network Management Card Security Implementation

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Secure Use of the New NHS Network (N3): Good Practice Guidelines

VPN Lesson 2: VPN Implementation. Summary

The Secure Sockets Layer (SSL)

SSL DOES NOT MEAN SOL What if you don t have the server keys?

Advanced Network Security Testing. Michael Jack

Firewall Firewall August, 2003

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Introduction to Computer Security

Transport Level Security

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

1. The Web: HTTP; file transfer: FTP; remote login: Telnet; Network News: NNTP; SMTP.

Application Detection

How is SUNET really used?

CS 4803 Computer and Network Security

Encrypted Internet Traffic Classification Method based on Host Behavior

State of the Art in Peer-to-Peer Performance Testing. European Advanced Networking Test Center

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Introduction of Intrusion Detection Systems

SDN 交 換 機 核 心 技 術 - 流 量 分 類 以 及 應 用 辨 識 技 術. 黃 能 富 教 授 國 立 清 華 大 學 特 聘 教 授, 資 工 系 教 授 nfhuang@cs.nthu.edu.tw

Quality of Service Analysis of site to site for IPSec VPNs for realtime multimedia traffic.

WXOS 5.5 SSL Optimization Implementation Guide for Configuration and Basic Troubleshooting

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Virtual Server and DDNS. Virtual Server and DDNS. For BIPAC 741/743GE

Internet Privacy Options

Figure 41-1 IP Filter Rules

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Certes Networks Layer 4 Encryption. Network Services Impact Test Results

Introduction to Computer Security

Computer security Lecture 9

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Security vulnerabilities in the Internet and possible solutions

Communication Systems SSL

CTS2134 Introduction to Networking. Module Network Security

SSL/TLS. What Layer? History. SSL vs. IPsec. SSL Architecture. SSL Architecture. IT443 Network Security Administration Instructor: Bo Sheng

SSL Handshake Analysis

Transport Layer Security Protocols

Network Security. Lecture 3

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Network Access Security. Lesson 10

CSCI 454/554 Computer and Network Security. Final Exam Review

Spirent Abacus. SIP over TLS Test 编 号 版 本 修 改 时 间 说 明

CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Lecture 10: Communications Security

Chapter 1 Network Security

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Network Security Fundamentals

tcpcrypt Andrea Bittau, Dan Boneh, Mike Hamburg, Mark Handley, David Mazières, Quinn Slack Stanford, UCL

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Protocol Security Where?

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

Quick Note 038. Upgrade Software options and/or VPN Licenses on a Digi Transport router.

Security Protocols/Standards

Transcription:

Early Recognition of Encrypted Applications Laurent Bernaille with Renata Teixeira Laboratoire LIP6 CNRS Université Pierre et Marie Curie Paris 6

Can we find the application inside an SSL connection? Network administrator Alice Internet SSL Connection Bob Network administrator: profiling, QoS, policies Alice and Bob: privacy issue 1

Possible identification methods for unencrypted traffic Port-based classification Map standard IANA ports to applications (Ex: 443/HTTPS) Unfortunately, this method is inaccurate Content-based approaches Search for signatures that identify the application Unfortunately, not possible with encrypted traffic Behavior-based methods Model applications with connection statistics Promising for encrypted traffic (not using port or content) 2

Early Application Identification Identify applications using the sizes of the first application packets in a TCP connection Offline Training Training traces Behavior identification Application Models Online Classifier Sizes of the first packets Labeling application Can this work with encrypted connections? 3

Can we find the sizes of the first application packets in SSL? SSL mechanisms SSL connections begin with a handshake After handshake SSL payload = encrypted application packet Challenges for Early Application Identification Can we identify application packets? Can we infer the unencrypted sizes of these packets? 4

SSLv2 handshake SSLv2 negotiation 4 or 6 packets Identification through inspection of SSL headers 5

SSLv3 handshake First application packet in P6 trace SSLv3 Negotiation Variable number of packets (implementation) Identification through inspection of SSL headers 6

7 Influence of ciphers on packet size

Applicability of Early Application Identification to SSL traffic We can identify the first application packet Trough the analysis of SSL headers Need to start inspection at the third packet We can infer unencrypted sizes Proposed method 1. Identify SSL using the sizes of first 3 packets 2. For SSL traffic, find the packet with application data 3. Identify the application in SSL using the inferred sizes of the first application packets 8

Sizes of first 3 packets in the connection Classification mechanism Early Application identification Application SSL? No Application Early Application identification Inferred sizes of Packets N, N+1, N+2 Yes Detection of packet with encrypted payload: N Encrypted Application Packets 4, 5, N 9

Sizes of first 3 packets in the connection Detecting SSL connections Early Application identification Application SSL? No Application Early Application identification Inferred sizes of Packets N, N+1, N+2 Yes Detection of packet with encrypted payload: N Encrypted Application Packets 4, 5, N 10

Detecting SSL connections: Evaluation methodology Data sets: packet traces UMass campus, Paris 6 network Ground truth Non-SSL traffic: content-based classification SSL traffic: identification based on analysis of SSL headers Parameters for Early Application Identification Using the payload size of the first 3 packets Training set: 5500 connections from 11 applications 11

Accuracy of SSL detection Test set 50k connections from Paris 6 network more than 2000 connections for each application Results SSL traffic: > 85% labeled SSL Other applications: accuracy >95% 12

Identification of encrypted Sizes of first 3 packets applications in the connection Early Application identification Application SSL? No Application Early Application identification Inferred sizes of Packets N, N+1, N+2 Yes Detection of packet with encrypted payload: N Encrypted Application Packets 4, 5, N 13

Method to find ground truth for encrypted traffic From packet traces collected at Paris 6 Filtered traffic to well-known HTTPS and POP3S servers (IP addresses and ports) Manual encryption of traffic Replay connections over an SSL tunnel Applications: bittorent, edonkey, FTP 14

Accuracy of identification of applications in SSL connections Paris 6 traces HTTP POP3 Accuracy 99.9% 98.5% Manually Encrypted Traffic Accuracy FTP 92.5% Bittorent 86.5% Edonkey 96.5% 15

Conclusion and Perspectives We can identify the application encrypted with SSL Using only the sizes of the first packets With a high accuracy Future work: IPsec and SSH Challenge: Finding the start of TCP connections Implementation Available at http://rp.lip6.fr/~bernaill/earlyclassif.html 16

Description of SSL Traffic Trace Connections SSL SSLv2 SSLv3.0 TLS P6 2004 500k 4.6% 0.6% 81% 18.4% P6 2006 1000k 8.6% 0.2% 53.2% 46.6% UMass 1700k 1.2% 0.0% 48% 52% Trace P6 2004 P6 2006 UMass SSL port not SSL 1.9% 1.1% 5.0% SSL on non-ssl port 1.1% 4.2% 1.5% 17

Ciphers Cipher RC4_xx_MD5 AES RC4_128_SHA Other Proportion (2004) 81.7% 6.9% 9.7% <2% Proportion (2006) 68.1% 24.0% 7.0% <1% 18

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information