Encryption-agnostic classifiers of traffic originators and their application to anomaly detection

https://doi.org/10.1016/j.compeleceng.2021.107621
Under a Creative Commons license
open access

Abstract

This paper presents an approach that leverages classical machine learning techniques to identify, from sniffed packets, the tools that generated the traffic, for both clear-text and encrypted communications. This research aims to overcome the limitations imposed on security monitoring systems by the widespread adoption of encrypted communications. By training three distinct classifiers, this paper shows that it is possible to detect, with excellent accuracy, the category of tools that generated the analyzed traffic (e.g., browsers vs. network stress tools), the actual tools (e.g., Firefox vs. Chrome vs. Edge), and the individual tool versions (e.g., Chrome 48 vs. Chrome 68). The paper provides hints that the classifiers are helpful for the early detection of Distributed Denial of Service (DDoS) attacks, the duplication of entire websites, and the identification of sudden changes in users’ behavior, which might be the consequence of malware infection or data exfiltration.

Keywords

Network traffic anomaly
Intrusion detection
Machine learning
DoS attacks
Web crawling

Daniele Canavese received an M.Sc. degree in 2010 and a Ph.D. in Computer Engineering in 2016 from Politecnico di Torino, where he is currently a research assistant. His research interests are concerned with security management via machine learning and inferential frameworks, software protection systems, public-key cryptography, and models for network analysis.

Leonardo Regano received an M.Sc. degree in 2015 and a Ph.D. in Computer Engineering in 2019 from Politecnico di Torino, where he is currently a research assistant. His current research interests focus on software security, artificial intelligence and machine learning applications to cybersecurity, security policy analysis, and the assessment of software protection techniques.

Cataldo Basile received an M.Sc. in 2001 and a Ph.D. in Computer Engineering in 2005 from Politecnico di Torino, where he is currently an assistant professor. His research is concerned with software security, software attestation, policy-based security management, and general models for the detection, resolution and reconciliation of security policy conflicts.

Gabriele Ciravegna is a Ph.D. student in Smart Computing at Università degli Studi di Firenze. In 2018 he received an M.Sc. in Computer Engineering from Politecnico di Torino. He is interested in machine learning and its application in critical contexts such as medical diagnosis, focusing on overcoming the intrinsic limits of machine learning and neural networks, especially their understandability.

Antonio Lioy is a full Professor of Cybersecurity. He received an M.Sc. in Electronic Engineering and a Ph.D. in Computer Engineering from Politecnico di Torino, where he currently leads the cybersecurity research group TORSEC. His research interests include electronic identity, PKI, trusted computing, and policy-based management of large IT systems.

This paper is for the regular issues of CAEE. Reviews were processed and approved for publication by the co-Editor-in-Chief Huimin Lu.