This paper presents an approach that leverages classical machine learning techniques to identify the tools from the packets sniffed, both for clear-text and encrypted traffic. This research aims to overcome the limitations to security monitoring systems posed by the widespread adoption of encrypted communications. By training three distinct classifiers, this paper shows that it is possible to detect, with excellent accuracy, the category of tools that generated the analyzed traffic (e.g., browsers vs. network stress tools), the actual tools (e.g., Firefox vs. Chrome vs. Edge), and the individual tool versions (e.g., Chrome 48 vs. Chrome 68). The paper provides hints that the classifiers are helpful for early detection of Distributed Denial of Service (DDoS) attacks, duplication of entire websites, and identification of sudden changes in users’ behavior, which might be the consequence of malware infection or data exfiltration.
Encryption-agnostic classifiers of traffic originators and their application to anomaly detection / Canavese, Daniele; Regano, Leonardo; Basile, Cataldo; Ciravegna, Gabriele; Lioy, Antonio. - In: COMPUTERS & ELECTRICAL ENGINEERING. - ISSN 0045-7906. - STAMPA. - 97:(2022). [10.1016/j.compeleceng.2021.107621]
Encryption-agnostic classifiers of traffic originators and their application to anomaly detection
Canavese, Daniele;Regano, Leonardo;Basile, Cataldo;Ciravegna, Gabriele;Lioy, Antonio
2022
Abstract
This paper presents an approach that leverages classical machine learning techniques to identify the tools from the packets sniffed, both for clear-text and encrypted traffic. This research aims to overcome the limitations to security monitoring systems posed by the widespread adoption of encrypted communications. By training three distinct classifiers, this paper shows that it is possible to detect, with excellent accuracy, the category of tools that generated the analyzed traffic (e.g., browsers vs. network stress tools), the actual tools (e.g., Firefox vs. Chrome vs. Edge), and the individual tool versions (e.g., Chrome 48 vs. Chrome 68). The paper provides hints that the classifiers are helpful for early detection of Distributed Denial of Service (DDoS) attacks, duplication of entire websites, and identification of sudden changes in users’ behavior, which might be the consequence of malware infection or data exfiltration.File | Dimensione | Formato | |
---|---|---|---|
1-s2.0-S0045790621005528-main.pdf
accesso aperto
Descrizione: PDF of the editor version (open-access)
Tipologia:
2a Post-print versione editoriale / Version of Record
Licenza:
Creative commons
Dimensione
612.41 kB
Formato
Adobe PDF
|
612.41 kB | Adobe PDF | Visualizza/Apri |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/11583/2953156