Application-layer tunnels are a significant security threat to any network protected by firewalls and Application Layer Gateways. Encapsulating protocols that are subject to security policy, such as peer-to-peer, e-mail or chat, inside protocols deemed safe or necessary, such as HTTP, SSH or even DNS, can bypass any network-boundary security policy, including those based on stateful packet inspection. In this paper we propose a statistical classification mechanism that could be an important step towards new techniques for securing network boundaries. The mechanism, called Tunnel Hunter, relies on an IP-layer statistical characterization of the traffic that a given security policy allows, such as HTTP or SSH. The statistical profiles of the allowed uses of those protocols can then be checked dynamically against the flows crossing the network boundary, identifying with high accuracy when a flow is being used to tunnel another protocol. Results from experiments on a live network suggest that the technique can be very effective even when the application-layer protocol used as the tunnel is encrypted, as in the case of SSH.
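As an added illustration of the approach the abstract describes (this is example code written for this page, not the authors' Tunnel Hunter implementation), the Python below builds a per-position statistical profile of an allowed protocol from the first N packets of known-good flows, then scores new flows against that profile and flags the ones that fall outside it. The feature set (IP payload size, inter-arrival time and direction of the first five packets), the standard-deviation floors, the direction penalty, the threshold rule and every traffic sample are constructed assumptions for the example, not values taken from the paper.

```python
from math import log
from statistics import mean, pstdev
from typing import List, Tuple

# One packet = (IP payload size in bytes, inter-arrival time in seconds since
# the previous packet of the same flow, direction: +1 client->server,
# -1 server->client).  These features, and profiling only the first N packets
# of a flow, are assumptions of this example.
Packet = Tuple[int, float, int]
Flow = List[Packet]

N_PKTS = 5             # packets per flow used for the fingerprint (assumed)
SIZE_STD_FLOOR = 20.0  # bytes; stops a constant-size position from dominating
TIME_STD_FLOOR = 0.2   # log-seconds; same purpose for timing
DIR_PENALTY = 4.0      # added when a packet flows the "wrong" way (~2 sigma)


def _features(pkt: Packet) -> Tuple[float, float]:
    size, dt, _ = pkt
    return float(size), log(dt + 1e-3)   # log tames heavy-tailed timing


class Profile:
    """Per-position Gaussian summary of an allowed protocol's first N packets."""

    def __init__(self, flows: List[Flow], margin: float = 1.5) -> None:
        self.mean, self.std, self.direction = [], [], []
        for i in range(N_PKTS):
            col = [_features(f[i]) for f in flows]
            sizes, times = [c[0] for c in col], [c[1] for c in col]
            self.mean.append((mean(sizes), mean(times)))
            self.std.append((max(pstdev(sizes), SIZE_STD_FLOOR),
                             max(pstdev(times), TIME_STD_FLOOR)))
            # majority direction observed at this packet position
            self.direction.append(1 if sum(f[i][2] for f in flows) >= 0 else -1)
        # Decision threshold: worst training score times a safety margin.
        # A real deployment would set it from a held-out percentile (assumption).
        self.threshold = max(self.score(f) for f in flows) * margin

    def score(self, flow: Flow) -> float:
        """Mean squared z-distance of the first N packets from the profile."""
        total = 0.0
        for i in range(N_PKTS):
            s, t = _features(flow[i])
            ms, mt = self.mean[i]
            ss, st = self.std[i]
            total += ((s - ms) / ss) ** 2 + ((t - mt) / st) ** 2
            if flow[i][2] != self.direction[i]:
                total += DIR_PENALTY
        return total / N_PKTS

    def classify(self, flow: Flow) -> str:
        """'allowed', 'tunnel', or 'undecided' when the flow is too short to judge."""
        if len(flow) < N_PKTS:
            return "undecided"
        return "tunnel" if self.score(flow) > self.threshold else "allowed"


# Constructed training data: nine flows of an interactive request/response
# pattern (small packets, alternating direction, human-scale gaps) with a
# little jitter.  Synthetic numbers, not captured traffic.
def _legit_flow(k: int) -> Flow:
    j = (k % 3) - 1                      # jitter in {-1, 0, 1}
    return [(48 + 16 * j, 0.0, 1),
            (48 + 16 * j, 0.05 + 0.01 * j, -1),
            (48, 0.30 + 0.05 * j, 1),
            (96 + 16 * j, 0.05, -1),
            (48, 0.40 + 0.10 * j, 1)]


TRAINING = [_legit_flow(k) for k in range(9)]

# Constructed test flows (also synthetic): a held-out legitimate session, a
# bulk transfer tunnelled through the allowed protocol (MTU-sized packets,
# one direction, back-to-back), and a flow too short to fingerprint.
HELD_OUT = [(56, 0.0, 1), (40, 0.05, -1), (48, 0.32, 1), (104, 0.05, -1), (48, 0.36, 1)]
TUNNELLED = [(1448, 0.0, 1)] + [(1448, 0.001, 1)] * 4
TOO_SHORT = HELD_OUT[:3]

PROFILE = Profile(TRAINING)

if __name__ == "__main__":
    for name, flow in [("held-out", HELD_OUT), ("tunnelled", TUNNELLED), ("short", TOO_SHORT)]:
        print(f"{name:10s} -> {PROFILE.classify(flow)}")
```

Two caveats a practitioner would add. For an encrypted carrier such as SSH, the key-exchange packets look the same whether or not a tunnel follows, so the profiled window should start after the handshake rather than at the first packet of the connection. And the threshold trades false positives on legitimate but unusual sessions against missed tunnels; deriving it from the training maximum, as above, is only a placeholder for a rule set on held-out traffic.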