DOI: 10.1145/1179576.1179584

Using visual motifs to classify encrypted traffic

Published: 03 November 2006

Abstract

In an effort to make robust traffic classification more accessible to human operators, we present visualization techniques for network traffic. Our techniques are based solely on network information that remains intact after application-layer encryption, and so offer a way to visualize traffic "in the dark". Our visualizations clearly illustrate the differences between common application protocols, both in their transient (i.e., time-dependent) and steady-state behavior. We show how these visualizations can be used to assist a human operator to recognize application protocols in unidentified traffic and to verify the results of an automated classifier via visual inspection. In particular, our preliminary results show that we can visually scan almost 45,000 connections in less than one hour and correctly identify known application behaviors. Moreover, using visualizations together with an automated comparison technique based on Dynamic Time Warping of the motifs, we can rapidly develop accurate recognizers for new or previously unknown applications.

Published In

VizSEC '06: Proceedings of the 3rd international workshop on Visualization for computer security
November 2006
138 pages
ISBN:1595935495
DOI:10.1145/1179576

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. network security
  2. network traffic visualization
  3. traffic classification

Conference

CCS06