Entropy Estimation for Real-Time Encrypted Traffic Identification (Short Paper)

Dorfinger, Peter; Panholzer, Georg; John, Wolfgang

doi:10.1007/978-3-642-20305-3_14

Cited by 36 publications

(31 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Although encrypted traffic hides all content from a potential eavesdropper, the first steps (initial handshake, connection parameter negotiation, protocol version) are performed in plaintext and therefore have distinguishable features. Exploiting the latter, machine learning and other classification methods can infer the underlying application protocols from encrypted traffic [3,10,56,36], for example in SSH and web browsing traffic analysis [26,46]. Specifically, classification algorithms used to detect encrypted web traffic rely on static object lengths and the previous creation feature-based libraries (i.e.…”

Section: Related Workmentioning

confidence: 99%

HEDGE: Efficient Traffic Classification of Encrypted and Compressed Packets

Casino

Choo

Patsakis

2019

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

As the size and source of network traffic increase, so does the challenge of monitoring and analysing network traffic. Therefore, sampling algorithms are often used to alleviate these scalability issues. However, the use of high entropy data streams, through the use of either encryption or compression, further compounds the challenge as current state of the art algorithms cannot accurately and efficiently differentiate between encrypted and compressed packets. In this work, we propose a novel traffic classification method named HEDGE (High Entropy DistinGuishEr) to distinguish between compressed and encrypted traffic. HEDGE is based on the evaluation of the randomness of the data streams and can be applied to individual packets without the need to have access to the entire stream. Findings from the evaluation show that our approach outperforms current state of the art. We also make available our statistically sound dataset, based on known benchmarks, to the wider research community.

show abstract

Section: Related Workmentioning

confidence: 99%

HEDGE: Efficient Traffic Classification of Encrypted and Compressed Packets

Casino

Choo

Patsakis

2019

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

show abstract

“…Alternatively, flows can be fingerprinted based on some property of the content being carried. For example, a censor that does not allow encrypted content can block flows where content has high entropy [29].…”

Section: Fingerprintingmentioning

confidence: 99%

SoK: Making Sense of Censorship Resistance Systems

Khattak

Elahi

Simon

et al. 2016

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

An increasing number of countries implement Internet censorship at different scales and for a variety of reasons. In particular, the link between the censored client and entry point to the uncensored network is a frequent target of censorship due to the ease with which a nation-state censor can control it. A number of censorship resistance systems have been developed thus far to help circumvent blocking on this link, which we refer to as link circumvention systems (LCs). The variety and profusion of attack vectors available to a censor has led to an arms race, leading to a dramatic speed of evolution of LCs. Despite their inherent complexity and the breadth of work in this area, there is no systematic way to evaluate link circumvention systems and compare them against each other. In this paper, we (i) sketch an attack model to comprehensively explore a censor's capabilities, (ii) present an abstract model of a LC, a system that helps a censored client communicate with a server over the Internet while resisting censorship, (iii) describe an evaluation stack that underscores a layered approach to evaluate LCs, and (iv) systemize and evaluate existing censorship resistance systems that provide link circumvention. We highlight open challenges in the evaluation and development of LCs and discuss possible mitigations.

show abstract

“…Note that b is the base of the logarithm, so b=2 in bits and b=26 in lower-case letters. In addition, entropy has been used in several ways to identify encrypted packet or detect the anomaly and worm [8,9]. Since the purpose of cryptographic algorithm is to protect the original data from prediction, the encrypted bit stream would have high entropy which indicates uniformly distributed random variables.…”

Section: Entropymentioning

confidence: 99%

Honey chatting: A novel instant messaging system robust to eavesdropping over communication

Kim

Yoon

2016

2016 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)

View full text Add to dashboard Cite

There have been many efforts to strengthen security of Instant Messaging (IM) system. One of the typical technologies is the conventional message encryption using a secret or private key. However, the key is fundamentally vulnerable to a bruteforce attack, causing to acquire the original message. In this respect, a countermeasure was suggested as the way to generating plausible-looking but fake plaintexts, which is called Honey Encryption (HE). In this paper, we present a HE-based statistical scheme and design a Honey Chatting application, which is robust to eavesdropping. Besides, we verify the effectiveness of the Honey Chatting by comparing the entropy of decrypted messages through experiments.

show abstract

Entropy Estimation for Real-Time Encrypted Traffic Identification (Short Paper)

Cited by 36 publications

References 8 publications

HEDGE: Efficient Traffic Classification of Encrypted and Compressed Packets

HEDGE: Efficient Traffic Classification of Encrypted and Compressed Packets

SoK: Making Sense of Censorship Resistance Systems

Honey chatting: A novel instant messaging system robust to eavesdropping over communication

Contact Info

Product

Resources

About