Entropy-based traffic filtering to support real-time Skype detection

Dorfinger, Peter; Panholzer, Georg; Trammell, Brian; Pepe, Teresa

doi:10.1145/1815396.1815568

Cited by 16 publications

(6 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…where H U (l) is the entropy of a packet with uniform distribution of 1 in the payload and length l and σ is the standard deviation. Figure 9 shows M 1 and M 2 to the simple case of HTTP (unencrypted flow) and SSL (encrypted flow) traffic, and as in [14] justify the condition expressed above. This use case shows how a stateful firewall application can be easily implemented with StreaMon.…”

Section: Hw Accelerated Detection Of Non Standard Encrypted Trafficmentioning

confidence: 57%

“…This example shows how HW metrics can be integrated in StreaMon. Since one of the task performed during deep packet inspection is the collection of statistics on byte frequencies, offsets for common byte-values, packet information entropy, we illustrate an use case that is a simplified version of the approach described in [14], in which encrypted flows are detected by combining two traffic features: (i) the bit information entropy of a packet; (ii) the percentage of printable characters, i.e. ASCII characters in the range [32 .…”

Section: Hw Accelerated Detection Of Non Standard Encrypted Trafficmentioning

confidence: 99%

See 1 more Smart Citation

StreaMon: a data-plane programming abstraction for Software-defined Stream Monitoring

Bianchi¹,

Bonola²,

Picierro³

et al. 2013

Preprint

View full text Add to dashboard Cite

The fast evolving nature of modern cyber threats and network monitoring needs calls for new, "software-defined", approaches to simplify and quicken programming and deployment of online (stream-based) traffic analysis functions. StreaMon is a carefully designed data-plane abstraction devised to scalably decouple the "programming logic" of a traffic analysis application (tracked states, features, anomaly conditions, etc.) from elementary primitives (counting and metering, matching, events generation, etc), efficiently preimplemented in the probes, and used as common instruction set for supporting the desired logic. Multi-stage multi-step real-time tracking and detection algorithms are supported via the ability to deploy custom states, relevant state transitions, and associated monitoring actions and triggering conditions. Such a separation entails platform-independent, portable, online traffic analysis tasks written in a high level language, without requiring developers to access the monitoring device internals and program their custom monitoring logic via low level compiled languages (e.g., C, assembly, VHDL). We validate our design by developing a prototype and a set of simple (but functionally demanding) use-case applications and by testing them over real traffic traces.

show abstract

Section: Hw Accelerated Detection Of Non Standard Encrypted Trafficmentioning

confidence: 57%

Section: Hw Accelerated Detection Of Non Standard Encrypted Trafficmentioning

confidence: 99%

StreaMon: a data-plane programming abstraction for Software-defined Stream Monitoring

Bianchi¹,

Bonola²,

Picierro³

et al. 2013

Preprint

View full text Add to dashboard Cite

show abstract

“…Although the detection and forensic methods of encrypted data have not been fully studied, as a kind of encrypted data detection, the identification of encrypted network traffic has attracted a lot of attention, and many works in this aspect have been proposed recently. Dorfinger et al [15] propose a real-time detection method of Skype encrypted traffic based on the entropy estimation method, but the performance of this method is poor when the encrypted data traffic is small. Moreover, the detection performance of encrypted and unencrypted compressed traffic is not discussed.…”

Section: Related Workmentioning

confidence: 99%

Detection and Forensics of Encryption Behavior of Storage File and Network Transmission Data

Liu

2020

IEEE Access

View full text Add to dashboard Cite

In recent years, with the widespread application of encryption technology, criminals can hide malicious data without being discovered by security regulatory authorities, which has brought serious challenges to computer forensic investigation. Therefore, it is urgent to study the technology of detection and forensics of encrypted data. This paper proposes a method for encryption detection based on a deep convolutional neural network. The method first converts the raw data into two-dimensional matrixes as the input of the convolutional neural network. Then, the multiscale feature extraction mechanism with multiple activation functions is utilized to provide representative features as the input of subsequent layers. Next, the residual learning operation can further enhance the discrimination of features. By this mean, a network which can automatically extract and learn global contextual information of encrypted data is constructed. The experiment results show that the proposed method achieves high accuracy in the detection of storage file and network transmission data compare to the competitive methods and the detection accuracy on different types of mixed data is higher than 99%. Moreover, the proposed method can accurately detect data encrypted with different algorithms. The average detection rate of DES-encrypted data is higher than that of competitors by more than 5%.INDEX TERMS encryption detection and forensics, storage file, network transmission data, deep learning

show abstract

“…Therefore, high entropy blocks may indicate the presence of encrypted data. Similarly, the authors in [37] and [11] first computed the entropy of packet payloads and then compared it with the entropy of uniformly randomly distributed sequences of the same length. However, the entropy estimation approach is not effective when the number of samples is small [38,39].…”

Section: Related Workmentioning

confidence: 99%

HEDGE: Efficient Traffic Classification of Encrypted and Compressed Packets

Casino

Choo

Patsakis

2019

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

As the size and source of network traffic increase, so does the challenge of monitoring and analysing network traffic. Therefore, sampling algorithms are often used to alleviate these scalability issues. However, the use of high entropy data streams, through the use of either encryption or compression, further compounds the challenge as current state of the art algorithms cannot accurately and efficiently differentiate between encrypted and compressed packets. In this work, we propose a novel traffic classification method named HEDGE (High Entropy DistinGuishEr) to distinguish between compressed and encrypted traffic. HEDGE is based on the evaluation of the randomness of the data streams and can be applied to individual packets without the need to have access to the entire stream. Findings from the evaluation show that our approach outperforms current state of the art. We also make available our statistically sound dataset, based on known benchmarks, to the wider research community.

show abstract

Entropy-based traffic filtering to support real-time Skype detection

Cited by 16 publications

References 6 publications

StreaMon: a data-plane programming abstraction for Software-defined Stream Monitoring

StreaMon: a data-plane programming abstraction for Software-defined Stream Monitoring

Detection and Forensics of Encryption Behavior of Storage File and Network Transmission Data

HEDGE: Efficient Traffic Classification of Encrypted and Compressed Packets

Contact Info

Product

Resources

About