An Investigation of a Multi-Objective Genetic Algorithm applied to Encrypted Traffic Identification

Bacquet, Carlos

10 August 2010

This work explores the use of a Multi-Objective Genetic Algorithm (MOGA) for both, feature selection and cluster count optimization, for an unsupervised machine learning technique, K-Means, applied to encrypted traffic identification (SSH). The performance of the proposed model is benchmarked against other unsupervised learning techniques existing in the literature: Basic K-Means, semi-supervised K-Means, DBSCAN, and EM. Results show that the proposed MOGA, not only outperforms the other models, but also provides a good trade off in terms of detection rate, false positive rate, and time to build and run the model. A hierarchical version of the proposed model is also implemented, to observe the gains, if any, obtained by increasing cluster purity by means of a second layer of clusters. Results show that with the hierarchical MOGA, significant gains are observed in terms of the classification performances of the system.

Network Traffic Identification

Encrypted Traffic

Traffic identification in IP networks

de Castro Callado, Arthur

31 January 2009

Made available in DSpace on 2014-06-12T15:49:18Z (GMT). No. of bitstreams: 1 license.txt: 1748 bytes, checksum: 8a4605be74aa9ea9d79846c1fba20a33 (MD5) Previous issue date: 2009 / Coordenação de Aperfeiçoamento de Pessoal de Nível Superior / A análise e identificação de tráfego em redes IP ainda é algo muito dependente da interação e expertise humana. A compreensão da composição e dinâmica do tráfego Internet são essenciais para o gerenciamento de redes IP, especialmente para planejamento de capacidade, engenharia de tráfego, diagnóstico de falhas, detecção de anomalias e caracterização do desempenho de serviços. A grande mudança nas aplicações predominantes nos últimos anos, de Web para compartilhamento de arquivos Peer-to-Peer e atualmente de Peer-to-Peer para streaming de vídeo requer uma atenção especial dos administradores de redes, mas não foi completamente prevista por ferramentas de gerência. Ainda hoje, na prática, operadores de rede somente detectam streaming de vídeo baseado no endereço IP de servidores de streaming de vídeo conhecidos. Mas novas aplicações, como Joost, Babelgum and TVU, estão oferecendo um tipo de serviço de streaming de vídeo peer-to-peer em que não é factível fazer a identificação por endereço IP. Algumas redes bloqueiam o acesso a aplicações baseado no endereço IP ou no número de portas bem conhecidas, dois métodos já considerados inviáveis para a identificação de aplicação. Isto é um incentivo a uma briga de gato e rato entre os desenvolvedores de tais aplicações tentando criar aplicações que trocam tráfego mesmo em redes hostis utilizando-se de técnicas de evasão e redes que consideram as algumas aplicações prejudiciais ao negócio ou objetivos e tentam bloqueá-las. Dessa forma, a identificação das aplicações que compõem o tráfego independentemente de configuração de rede é valiosa para operadores de rede. Ela permite uma predição mais efetiva das demandas de tráfego de usuário; a oferta de serviços de valor agregado baseada na demanda dos clientes por outros serviços; a cobrança baseada em aplicação; e no caso de identificação online, também permite Qualidade de Serviço (QoS) baseada na aplicação, formatação de tráfego (shaping) e filtragem de tráfego (firewall). Nos últimos anos, algumas técnicas baseadas em inferência foram propostas como alternativas de identificação de tráfego não-baseadas em portas conhecidas. Entretanto, nenhuma se mostrou adequada a alcançar alta eficiência na identificação de vários tipos de aplicação ao mesmo tempo, usando tráfego real. Portanto, a combinação de técnicas parece ser uma abordagem razoável para lidar com as deficiências de cada técnica e a periódica reconfiguração dos parâmetros de combinação pode mostrar-se uma idéia interessante paralidar com a evolução natural das aplicações e as técnicas de evasão usadas pelas aplicações que geram grande volume de tráfego indesejado. Este trabalho provê um entendimento profundo das deficiências comuns em identificação de tráfego e traz algumas contribuições práticas à área. Após um cuidadoso estudo de desempenho dos principais algoritmos de identificação de tráfego em quatro redes diferentes, esta tese lista várias recomendações para a utilização de algoritmos de identificação de tráfego. Para atingir este objetivo, alguns pré-requisitos para a criação de um ambiente adequado de identificação de tráfego são detalhados. Além disso, são propostos métodos originais para melhorar o desempenho dos algoritmos de identificação de tráfego através da combinação de resultados, sem restrições sobre o tipo de algoritmos de identificação que podem ser usados. Tais métodos são avaliados em um estudo de caso realizado com a utilização dos mesmos cenários de rede

Computer networks

traffic identification

machine learning

Pattern Mining and Recognition in 5G Network Traffic Using Time Series Clustering / Mönsterextraktion och igenkänning i 5G-nätverkstrafik med tidsseriekluster

Turner, Connor

January 2024

The adoption of 5G mobile networks is changing the way we connect our world. Now, it is not just phones that are connected to the network, it is everything - smart homes, self-driving cars, factory equipment, and anything in between. Because of this, there has been a large increase in the volume and complexity of mobile network traffic in recent years. As 5G becomes more widely adopted, this trend will continue moving forward. This presents a problem for mobile network operators. To account for this increase in traffic volume and complexity, the network must be optimized to handle it. However, the only way to do this is to better understand the traffic sent over the network. As such, the companies building and operating these networks rely on models that can define a set of traffic profiles from real-world network data. This thesis presents a novel method of identifying traffic profiles from 5G network data by analyzing the network traffic as unstructured time series data. Using two datasets containing TCP and UDP traffic data with 10 million time series apiece, clusters were defined for each using time series clustering techniques. Specifically, the ROCKET family of algorithms was adapted for clustering purposes, applying k-means clustering on top of the ROCKET feature transformations. The resulting clusters were analyzed and compared to another clustering model - one based on summary statistics from each time series. Overall, the ROCKET models appeared to produce more coherent traffic profiles compared to the baseline clustering model, and the proposed framework shows great promise - not just in network traffic clustering, but any analysis of unstructured time series data.

Time Series Clustering

ROCKET

5G Networks

Network Traffic Identification

Probability Theory and Statistics

Sannolikhetsteori och statistik

Hierarchical TCP network traffic classification with adaptive optimisation

Wang, Xiaoming

January 2010

Nowadays, with the increasing deployment of modern packet-switching networks, traffic classification is playing an important role in network administration. To identify what kinds of traffic transmitting across networks can improve network management in various ways, such as traffic shaping, differential services, enhanced security, etc. By applying different policies to different kinds of traffic, Quality of Service (QoS) can be achieved and the granularity can be as fine as flow-level. Since illegal traffic can be identified and filtered, network security can be enhanced by employing advanced traffic classification. There are various traditional techniques for traffic classification. However, some of them cannot handle traffic generated by applications using non-registered ports or forged ports, some of them cannot deal with encrypted traffic and some techniques require too much computational resources. The newly proposed technique by other researchers, which uses statistical methods, gives an alternative approach. It requires less resources, does not rely on ports and can deal with encrypted traffic. Nevertheless, the performance of the classification using statistical methods can be further improved. In this thesis, we are aiming for optimising network traffic classification based on the statistical approach. Because of the popularity of the TCP protocol, and the difficulties for classification introduced by TCP traffic controls, our work is focusing on classifying network traffic based on TCP protocol. An architecture has been proposed for improving the classification performance, in terms of accuracy and response time. Experiments have been taken and results have been evaluated for proving the improved performance of the proposed optimised classifier. In our work, network packets are reassembled into TCP flows. Then, the statistical characteristics of flows are extracted. Finally the classes of input flows can be determined by comparing them with the profiled samples. Instead of using only one algorithm for classifying all traffic flows, our proposed system employs a series of binary classifiers, which use optimised algorithms to detect different traffic classes separately. There is a decision making mechanism for dealing with controversial results from the binary classifiers. Machining learning algorithms including k-nearest neighbour, decision trees and artificial neural networks have been taken into consideration together with a kind of non-parametric statistical algorithm — Kolmogorov-Smirnov test. Besides algorithms, some parameters are also optimised locally, such as detection windows, acceptance thresholds. This hierarchical architecture gives traffic classifier more flexibility, higher accuracy and less response time.

004.6

Generic Encrypted Traffic Identification using Network Grammar : A Case Study in Passive OS Fingerprinting / Generisk Krypterad Trafikidentifiering med Nätverksgrammatik : En fallstudie i passiv osfingeravtryck

Rajala, Lukas, Scott, Kevin

January 2022

The increase in cybercrime and cyber-warfare has spurred the cat-and-mouse game of finding and attacking vulnerable devices on government or private company networks. The devices attacked are often forgotten computers that run operating systems with known exploits. Finding these devices are crucial for both an attacker and defender since they may be the only weak link on the network. Device discovery on a network using probing or active fingerprinting methods results in extra traffic on the network, which may strain fragile networks and generates suspect traffic that may get flagged as intrusive. Using passive OS fingerprinting allows an actor to listen in and classify active devices on a network. This thesis shows the features that can be exploited for OS fingerprinting and discusses the importance of TLS payload and time-based features. We also present a data collection strategy that could be utilized for simulating multiple OSs and collecting new datasets. We found that the TLS attributes such as cipher suites play an important role in distinguishing between OS versions.

Passive OS Fingerprinting

Encrypted Traffic Identification

Automated Traffic Analysis

Machine Learning

Supervised Learning

Networks

Packet Classification

Security and Privacy

Computer Sciences

Datavetenskap (datalogi)