This paper presents an approach that leverages classical machine learning techniques to identify the tools from the packets sniffed, both for clear-text and encrypted traffic. This research aims to overcome the limitations to security monitoring systems posed by the widespread adoption of encrypted communications. By training three distinct classifiers, this paper shows that it is possible to detect, with excellent accuracy, the category of tools that generated the analyzed traffic (e.g., browsers vs. network stress tools), the actual tools (e.g., Firefox vs. Chrome vs. Edge), and the individual tool versions (e.g., Chrome 48 vs. Chrome 68). The paper provides hints that the classifiers are helpful for early detection of Distributed Denial of Service (DDoS) attacks, duplication of entire websites, and identification of sudden changes in users’ behavior, which might be the consequence of malware infection or data exfiltration.

Encryption-agnostic classifiers of traffic originators and their application to anomaly detection / Canavese, Daniele; Regano, Leonardo; Basile, Cataldo; Ciravegna, Gabriele; Lioy, Antonio. - In: COMPUTERS & ELECTRICAL ENGINEERING. - ISSN 0045-7906. - STAMPA. - 97:(2022). [10.1016/j.compeleceng.2021.107621]

Encryption-agnostic classifiers of traffic originators and their application to anomaly detection

Canavese, Daniele;Regano, Leonardo;Basile, Cataldo;Ciravegna, Gabriele;Lioy, Antonio
2022

Abstract

This paper presents an approach that leverages classical machine learning techniques to identify the tools from the packets sniffed, both for clear-text and encrypted traffic. This research aims to overcome the limitations to security monitoring systems posed by the widespread adoption of encrypted communications. By training three distinct classifiers, this paper shows that it is possible to detect, with excellent accuracy, the category of tools that generated the analyzed traffic (e.g., browsers vs. network stress tools), the actual tools (e.g., Firefox vs. Chrome vs. Edge), and the individual tool versions (e.g., Chrome 48 vs. Chrome 68). The paper provides hints that the classifiers are helpful for early detection of Distributed Denial of Service (DDoS) attacks, duplication of entire websites, and identification of sudden changes in users’ behavior, which might be the consequence of malware infection or data exfiltration.
File in questo prodotto:
File Dimensione Formato  
1-s2.0-S0045790621005528-main.pdf

accesso aperto

Descrizione: PDF of the editor version (open-access)
Tipologia: 2a Post-print versione editoriale / Version of Record
Licenza: Creative commons
Dimensione 612.41 kB
Formato Adobe PDF
612.41 kB Adobe PDF Visualizza/Apri
Pubblicazioni consigliate

Caricamento pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11583/2953156