Tunneling Activities Detection Using Machine Learning Techniques

• Autorzy: Allard F. , Dubois R. , Gompel P. , Morel M.
• Języki publikacji: EN

Abstrakty

EN

Tunnel establishment, like HTTPS tunnel or related ones, between a computer protected by a security gateway and a remote server located outside the protected network is the most effective way to bypass the network security policy. Indeed, a permitted protocol can be used to embed a forbidden one until the remote server. Therefore, if the resulting information flow is ciphered, security standard tools such as application level gateways (ALG), firewalls, intrusion detection system (IDS), do not detect this violation. In this paper, we describe a statistical analysis of ciphered flows that allows detection of the carried inner protocol. Regarding the deployed security policy, this technology could be added in security tools to detect forbidden protocols usages. In the defence domain, this technology could help preventing information leaks through side channels. At the end of this article, we present a tunnel detection tool architecture and the results obtained with our approach on a public database containing real data flows.

Słowa kluczowe

EN

cyberdefense; network security; decision tree; hidden Markov models; HTTPS tunnel; RandomForest

• Wydawca: Instytut Łączności - Państwowy Instytut Badawczy
• Czasopismo: Journal of Telecommunications and Information Technology
• Rocznik: 2011
• Tom: nr 1
• Strony: 37--42
• Opis fizyczny: Bibliogr. 13 poz., rys., tab.

Twórcy

autor

Allard F.

autor

Dubois R.

autor

Gompel P.

autor

Morel M.

• Thales Communications, 160 Boulevard de Valmy - BP 82, 92704 Colombes Cedex, France,

Bibliografia

• [1] HTTPHost [Online]. Available: http://www.htthost.com
• [2] STunnel [Online]. Available: http://www.stunnel.org
• [3] J. Erman, A. Mahanti, and M. Arlitt, “Internet traffic identification using machine learning”, in Proc. IEEE GLOBECOM’06, San Francisco, USA, 2006.
• [4] T. Karagiannis, K. Papagiannaki, and M. Faloutsos, “BLINC: Multilevel traffic classification in the dark”, in Proc. ACM SIGCOMM’05, Philadelphia, USA, 2005.
• [5] A. W. Moore and D. Zuev, “Internet traffic classification using bayesian analysis techniques”, in Proc. ACM SIGMETRICS’05, Bauff, Canada, 2005.
• [6] T. T. Nguyen and G. Armitage, “A survey of techniques for Internet traffic classification using machine learning”, IEEE Communications Surveys and Tutorials, vol. 10, no. 4, pp. 56–76, 2008 [Online]. Available: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=04738466
• [7] L. Bernaille and R. Teixeira, “Early recognition of encrypted applications”, in Proc. PAM 2007, Louvain-la-neuve, Belgium, 2007.
• [8] M. Dusi, M. Crotti, F. Gringoli, and L. Salgarelli, “Detection of encrypted tunnels across networks boundaries”, in Proc. IEEE ICC’08, Beijing, China, 2008.
• [9] A. W. Moore, D. Zuev, and M. L. Crogan, “Discriminators for use in flow-based classification”, Techn. Rep., 2008.
• [10] W. Li, M. Canini, A. W. Moore, and R. Bolla, “Efficient application identification and the temporal and spatial stability of classification schema”, Comp. Netwo., vol. 53, no. 6, 2009.
• [11] N. Williams, S. Zander, and G. Armitage, “A preliminary performance comparison of five machine learning algorithms for practical IP traffic flow classification”, in Proc. ACM SIGICOMM’06, Pisa, Italy, 2006.
• [12] Tcpdump/Libpcap [Online]. Available: http://www.tcpdump.org
• [13] MAWI Working group traffic archive [Online]. Available: http://mawi.wide.ad.jp/mawi/