early online classification of encrypted traffic streams
play

Early online classification of encrypted traffic streams using - PowerPoint PPT Presentation

Dec 06, 2023 •227 likes •629 views

Early online classification of encrypted traffic streams using multi-fractal features Erik Arestrm, Linkping University Niklas Carlsson, Linkping University Motivation and problem Early flow classification is important for network

  1. Early online classification of encrypted traffic streams using multi-fractal features Erik Areström, Linköping University Niklas Carlsson, Linköping University

  2. Motivation and problem • Early flow classification is important for network Problem: Individual content provider that wants to minimize its operators in order to operate network at high delivery costs under the assumptions that utilization while still providing good quality of • the storage and bandwidth resources it requires are elastic , experience for the users • the content provider only pays for the resources that it consumes , and • costs are proportional to the resource usage. 2

  3. Motivation and problem • Early flow classification is important for network Problem: Individual content provider that wants to minimize its operators in order to operate network at high delivery costs under the assumptions that utilization while still providing good quality of • the storage and bandwidth resources it requires are elastic , experience for the users • the content provider only pays for the resources that it consumes , and • End-to-end encryption render traditional deep • costs are proportional to the resource usage. packet inspection techniques useless 3

  4. Motivation and problem • Early flow classification is important for network Problem: Individual content provider that wants to minimize its operators in order to operate network at high delivery costs under the assumptions that utilization while still providing good quality of • the storage and bandwidth resources it requires are elastic , experience for the users • the content provider only pays for the resources that it consumes , and • End-to-end encryption render traditional deep • costs are proportional to the resource usage. packet inspection techniques useless • Most flow classification approaches are unable to properly capture the non-linear characteristics of network flows 4

  5. Motivation and problem • Early flow classification is important for network Problem: Individual content provider that wants to minimize its operators in order to operate network at high delivery costs under the assumptions that utilization while still providing good quality of • the storage and bandwidth resources it requires are elastic , experience for the users • the content provider only pays for the resources that it consumes , and • End-to-end encryption render traditional deep • costs are proportional to the resource usage. packet inspection techniques useless • Most flow classification approaches are unable to properly capture the non-linear characteristics of network flows • Problem: Current classification methods are too slow or inaccurate to benefit network operators 5

  6. Contributions • A man-in-the-middle based evaluation framework, utilizing the multi-fractal features of encrypted traffic flows to diffrentiate application types

  7. Contributions • A man-in-the-middle based evaluation framework, utilizing the multi-fractal features of encrypted traffic flows to diffrentiate application types • Early traffic categorization via tuning of said framwork achieving F1-scores of 0.814 after only 5 seconds, using only multi-fractal features

  8. Contributions • A man-in-the-middle based evaluation framework, utilizing the multi-fractal features of encrypted traffic flows to diffrentiate application types • Early traffic categorization via tuning of said framwork achieving F1-scores of 0.814 after only 5 seconds, using only multi-fractal features • In-class categorization of live video versus video on demand delivered from the same services, using only multi-fractal features

  9. High-level categorization Application categories Example service Video streaming Youtube Web browsing Reddit Social media Facebook Audio communication Skype Text communication Messenger Bulk download Google Play

  10. System model Network Traffic Flow

  11. System model Feature Extractor Network Packet Traffic Arrival Flow Times

  12. System model Feature Extractor Network Model Packet Traffic Multi-fractal Arrival Flow features Times

  13. System model Feature Extractor Network Model Packet Traffic Multi-fractal Arrival Flow features Times Network Flow Classification Result Utilization Optimizer

  14. System model Our Focus Feature Extractor Network Model Packet Traffic Multi-fractal Arrival Flow features Times Network Flow Classification Result Utilization Optimizer

  15. System model Trusted Proxy Network Traffic Network Traffic

  16. System model Trusted Proxy Automatic Instrumentation Commands Network Traffic Network Traffic Packet Arrival The samples Times

  17. Feature ext xtraction

  18. Feature ext xtraction • Given a time series repesenting the arrival of a packet in a timeslot, calculate the wavelet coefficients for different scales of the signal using the Discrete Wavelet Transform

  19. Feature ext xtraction • Given a time series repesenting the arrival of a packet in a timeslot, calculate the wavelet coefficients for different scales of the signal using the Discrete Wavelet Transform • Extract the time- or space localized suprema of the coefficents, the so called wavelet leaders

  20. Feature ext xtraction • Given a time series repesenting the arrival of a packet in a timeslot, calculate the wavelet coefficients for different scales of the signal using the Discrete Wavelet Transform • Extract the time- or space localized suprema of the coefficents, the so called wavelet leaders • Form a multi-resolution structure function to estimate the scaling exponents by regression

  21. Feature ext xtraction • Given a time series repesenting the arrival of a packet in a timeslot, calculate the wavelet coefficients for different scales of the signal using the Discrete Wavelet Transform • Extract the time- or space localized suprema of the coefficents, the so called wavelet leaders • Form a multi-resolution structure function to estimate the scaling exponents by regression • Derive the Hausdorff dimensions and corresponding Holder Exponents for the signal

  22. Feature ext xtraction • Given a time series repesenting the arrival of a packet in a timeslot, calculate the wavelet coefficients for different scales of the signal using the Discrete Wavelet Transform • Extract the time- or space localized suprema of the coefficents, the so called wavelet leaders • Form a multi-resolution structure function to estimate the scaling exponents by regression • Derive the Hausdorff dimensions and corresponding Holder Exponents for the signal The multi-fractal features, representing how the observed self-similiarty of the signal changes over time

  23. Building the model • The collection of samples were randomly split into two parts, half the samples were used to build the model Model Multi-fractal features

  24. Building the model • The collection of samples were randomly split into two parts, half the samples were used to build the model • Multiple Binary Support Vector Machine classifiers were used, fitting the maximun margin separating hyperplane between each class of data SVM with radial basis kernel function Model Multi-fractal features

  25. Evaluation (t (t = 20 s) F1- Class score Audio 0.98 Communication Bulk Download 0.99 Text 0.96 Communication

  26. Evaluation (t (t = 20 s) F1- Class score Audio 0.98 Communication Bulk Download 0.99 Text 0.96 Communication Social Media 0.90 Video 0.96 Web 0.96

  27. Evaluation (t (t = 20 s) F1- Class score Audio 0.98 Communication Bulk Download 0.99 Text 0.96 Communication Social Media 0.90 Video 0.96 Web 0.96

  28. T-SNE visualization

  29. Early classification Duration F1-score Precision Recall 20 seconds 0.958 0.958 0.958

  30. Early classification Duration F1-score Precision Recall 20 seconds 0.958 0.958 0.958 15 seconds 0.892 0.891 0.894 10 seconds 0.844 0.838 0.851

  31. Early classification Duration F1-score Precision Recall 20 seconds 0.958 0.958 0.958 15 seconds 0.892 0.891 0.894 10 seconds 0.844 0.838 0.851 5 seconds 0.814 0.823 0.805

  32. Early classification Duration F1-score Precision Recall 20 seconds 0.958 0.958 0.958 15 seconds 0.892 0.891 0.894 10 seconds 0.844 0.838 0.851 5 seconds 0.814 0.823 0.805 2.5 seconds 0.631 0.594 0.673

  33. Early classification Duration F1-score Precision Recall 20 seconds 0.958 0.958 0.958 15 seconds 0.892 0.891 0.894 10 seconds 0.844 0.838 0.851 5 seconds 0.814 0.823 0.805 2.5 seconds 0.631 0.594 0.673 2 seconds 0.409 0.404 0.415 1 second 0.214 0.202 0.228 Randomly picking one category: 1/6 ≈ 0.167

  34. Im Impact of f added variance in the dataset. • All packet arrival instances in the evaulation set were perturbed according to a normal distribution: Ɲ (0, 𝜏) σ 10 25 50 100 250 500 1000 F1- 0.952 0.942 0.925 0.927 0.891 0.834 0.695 score

  35. Im Impact of f added variance in the dataset. • All packet arrival instances in the evaulation set were perturbed according to a normal distribution: Ɲ (0, 𝜏) σ 10 25 50 100 250 500 1000 F1- 0.952 0.942 0.925 0.927 0.891 0.834 0.695 score 31.8% of the packets arrivals move by more than ± 0.5 seconds

Recommend

Effective and Real-time In-App Activity Analysis in Encrypted Internet Traffic Streams Junming

Effective and Real-time In-App Activity Analysis in Encrypted Internet Traffic Streams Junming

Effective and Real-time In-App Activity Analysis in Encrypted Internet Traffic Streams Junming Liu Yanjie Fu, Jingci Ming, Yong Ren Leilei Sun, Hui Xiong Rutgers University, USA Futurewei Technology. Inc,. USA Background 2/27 Explosive

297 views • 26 slides
A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic

A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic

A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic Tejmani Sinam, Irengbam Tilokchan Singh, Sukumar Nandi Pradeep Lamabam, Ngasham Nandarani Devi Department of Computer Science and Engineering,

231 views • 6 slides
Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic classification? Communities of Interest for classification BLINC Profiling Internet Backbone Traffic What is missing here? Traffic

965 views • 81 slides
Need for Classification Classification required To isolate traffic of interest

Need for Classification Classification required To isolate traffic of interest

Need for Classification Classification required To isolate traffic of interest Classification of Internet Traffic To treat special types of traffic in a different manner Some types of classification already seen in Alok

371 views • 9 slides
Controlling False Alarm/Discovery Rates in Online Internet Traffic Flow Classification Daniel

Controlling False Alarm/Discovery Rates in Online Internet Traffic Flow Classification Daniel

Controlling False Alarm/Discovery Rates in Online Internet Traffic Flow Classification Daniel Nechay, Yvan Pointurier and Mark Coates McGill University Department of Electrical and Computer Engineering Montreal, Quebec, Canada April 22, 2009

515 views • 24 slides
Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia

Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia

Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia Diaz, Narseo Vallina-Rodriguez, Carmela Troncoso NDSS, 25 February 2020 Encrypted DNS > Privacy? Can encrypting DNS protect users from tra ffi

533 views • 40 slides
Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification, Measurement, and Analysis and Analysis ISC/CAIDA Data Collaboration Workshop October 22, 2012 David Plonka & Paul Barford

1.33k views • 26 slides
Machine Learning Classification over Encrypted Data Raphal Bost Raluca Ada Popa,

Machine Learning Classification over Encrypted Data Raphal Bost Raluca Ada Popa,

Machine Learning Classification over Encrypted Data Raphal Bost Raluca Ada Popa, Universit Rennes 1 ETH Zrich MIT MIT Stephen Tu Shafi Goldwasser MIT MIT Classification (Machine Learning) Supervised learning (training)

1.3k views • 29 slides
FlowPrint: Semi-Supervised Mobile-App Fingerprinting on Encrypted Network Traffic Thijs van Ede ,

FlowPrint: Semi-Supervised Mobile-App Fingerprinting on Encrypted Network Traffic Thijs van Ede ,

FlowPrint: Semi-Supervised Mobile-App Fingerprinting on Encrypted Network Traffic Thijs van Ede , Riccardo Bortolameotti, Andrea Continella, Jingjing Ren, Daniel J. Dubois, Martina Lindorfer, David Choffnes, Maarten van Steen and Andreas Peter

771 views • 51 slides
Machine Learning Classification over Encrypted Data Raphael Bost, Raluca Ada Popa, Stephen Tu,

Machine Learning Classification over Encrypted Data Raphael Bost, Raluca Ada Popa, Stephen Tu,

Machine Learning Classification over Encrypted Data Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser Classification (Machine Learning) Supervised learning (training) Classification data classification training model

1.29k views • 54 slides
Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com Website: http://www.gl.com 1 1 Traffic

228 views • 11 slides
Poster: Feasibility of Malware Traffic Analysis through TLS-Encrypted Flow Visualization IEEE

Poster: Feasibility of Malware Traffic Analysis through TLS-Encrypted Flow Visualization IEEE

Poster: Feasibility of Malware Traffic Analysis through TLS-Encrypted Flow Visualization IEEE International Conference on Network Protocols 2020 October 13-16, 2020 Dongeon Kim, Jihun Han , Jinwoo Lee, Heejun Roh Korea University Sejong Campus,

896 views • 11 slides
Data Streams Many large sources of data are generated as streams of updates: IP Network

Data Streams Many large sources of data are generated as streams of updates: IP Network

Summarizing and Mining Skewed Data Streams Graham Cormode cormode@bell-labs.com Flip Korn, S. Muthukrishnan, Divesh Srivastava Data Streams Many large sources of data are generated as streams of updates: IP Network traffic data Text:

485 views • 44 slides
Pattern Matching on Encrypted Streams Nicolas Desmoulins Pierre-Alain Fouque Cristina Onete

Pattern Matching on Encrypted Streams Nicolas Desmoulins Pierre-Alain Fouque Cristina Onete

Pattern Matching on Encrypted Streams Nicolas Desmoulins Pierre-Alain Fouque Cristina Onete Orange Labs Universit e de Rennes Universit e de Limoges Olivier Sanders Orange Labs Asiacrypt 2018, December 03, 2018 Agenda Context

794 views • 31 slides
Data Streams Many large sources of data are generated as streams of updates: IP Network

Data Streams Many large sources of data are generated as streams of updates: IP Network

Summarizing and Mining Skewed Data Streams Graham Cormode cormode@bell-labs.com S. Muthukrishnan muthu@cs.rutgers.edu Data Streams Many large sources of data are generated as streams of updates: IP Network traffic data Text: email/

535 views • 20 slides
Traffic Classification Rotsos Charalampos , Jurgen Van Gael, Andrew W. Moore, Zoubin Ghahramani

Traffic Classification Rotsos Charalampos , Jurgen Van Gael, Andrew W. Moore, Zoubin Ghahramani

Probabilistic Graphical Models for Semi-Supervised Traffic Classification Rotsos Charalampos , Jurgen Van Gael, Andrew W. Moore, Zoubin Ghahramani Computer Laboratory and Engineering Department, University of Cambridge Traffic classification

257 views • 21 slides
EFFICIENT DISTRIBUTION-DERIVED FEATURES FOR HIGH-SPEED ENCRYPTED FLOW CLASSIFICATION JOHAN

EFFICIENT DISTRIBUTION-DERIVED FEATURES FOR HIGH-SPEED ENCRYPTED FLOW CLASSIFICATION JOHAN

EFFICIENT DISTRIBUTION-DERIVED FEATURES FOR HIGH-SPEED ENCRYPTED FLOW CLASSIFICATION JOHAN GARCIA TOPI KORHONEN DEPARTMENT OF COMPUTER SCIENCE KARLSTAD UNIVERSITY, SWEDEN 1 180824 NETAI 2018 JOHAN GARCIA PRESENTATION OUTLINE Problem

591 views • 25 slides
BlindBox: Deep Packet Inspection Over Encrypted Traffic Justine Sherry, Chang Lan, Raluca Ada

BlindBox: Deep Packet Inspection Over Encrypted Traffic Justine Sherry, Chang Lan, Raluca Ada

BlindBox: Deep Packet Inspection Over Encrypted Traffic Justine Sherry, Chang Lan, Raluca Ada Popa, Sylvia Ratnasamy UC Berkeley (Work under submission). Intrusion Prevention Deep Packet Inspection Parental Filtering (DPI) In-network

851 views • 42 slides
(with Online Real-time Data) Lszl Z. Varga 1 Road Traffic: Routing Problem 2 Road Traffic:

(with Online Real-time Data) Lszl Z. Varga 1 Road Traffic: Routing Problem 2 Road Traffic:

Online Routing Games (with Online Real-time Data) Lszl Z. Varga 1 Road Traffic: Routing Problem 2 Road Traffic: Routing Game 2 1 3 Road Traffic: Autonomous A centralized system would be able to create an optimal plan for the trips

444 views • 16 slides
Towards Reliable Traffic Classification Using Visual Motifs Wilson Lian 1 John McHugh 1 , 2 Fabian

Towards Reliable Traffic Classification Using Visual Motifs Wilson Lian 1 John McHugh 1 , 2 Fabian

Background Visual Motifs Traffic Classification Evaluation Towards Reliable Traffic Classification Using Visual Motifs Wilson Lian 1 John McHugh 1 , 2 Fabian Monrose 1 1 University of North Carolina at Chapel Hill 2 RedJack, LLC FloCon 2010

652 views • 47 slides
TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1 DISCLAIMER: THIS IS NOT FULLY-BAKED We just fleshed out this idea yesterday, so its hand-wavy. Insufficient analysis has been done. IETF 94 TLS 1.3

886 views • 11 slides
How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and

How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and

MonNet a project for network and traffic monitoring How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University of Technology

760 views • 21 slides
1 THE ANALYSIS OF TRAFFIC SAFETY THE ANALYSIS OF TRAFFIC SAFETY 3. Classification of stop

1 THE ANALYSIS OF TRAFFIC SAFETY THE ANALYSIS OF TRAFFIC SAFETY 3. Classification of stop

AGENDA AGENDA 1. The role and significance of public transport and tram transport in urban areas 2. Goal and stages of the study 1 THE ANALYSIS OF TRAFFIC SAFETY THE ANALYSIS OF TRAFFIC SAFETY 3. Classification of stop stations at tram stops

169 views • 4 slides
Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh

Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh

Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh Ghassemi, and Zahra Alimadadi TTCS 2020,Tehran, Iran 1 Network Traffic Classification, What & Why?

655 views • 44 slides

More recommend