ACM Transactions on Information and System Security (TISSEC)
Statistical Identification of Encrypted Web Browsing Traffic
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
VisFlowConnect: netflow visualizations of link relationships for security situational awareness
Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security
NVisionIP: netflow visualizations of system state for security situational awareness
Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security
Scatter (and other) plots for visualizing user profiling data and network traffic
Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security
BLINC: multilevel traffic classification in the dark
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Visualizing and discovering non-trivial patterns in large time series databases
Information Visualization
Using visual motifs to classify encrypted traffic
Proceedings of the 3rd international workshop on Visualization for computer security
Inferring the source of encrypted HTTP connections
Proceedings of the 13th ACM conference on Computer and communications security
On Inferring Application Protocol Behaviors in Encrypted Network Traffic
The Journal of Machine Learning Research
Timing analysis of keystrokes and timing attacks on SSH
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Language identification of encrypted VoIP traffic: Alejandra y Roberto or Alice and Bob?
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Spot Me if You Can: Uncovering Spoken Phrases in Encrypted VoIP Conversations
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Existence Plots: A Low-Resolution Time Series for Port Behavior Analysis
VizSec '08 Proceedings of the 5th international workshop on Visualization for Computer Security
Real Time Identification of SSH Encrypted Application Flows by Using Cluster Analysis Techniques
NETWORKING '09 Proceedings of the 8th International IFIP-TC 6 Networking Conference
| Hi-index | 0.00 |
In this paper, we explore the effectiveness of using graphical methods for isolating the differences between common application protocols---both in their transient and steady-state behavior. Specifically, we take advantage of the observation that many Internet application protocols proscribe a very specific series of client/server interactions that are clearly visible in the sizes and timing of packets produced at the network layer and below. We show how so-called "visual motifs" built on these features can be used to assist a human operator to recognize application protocols in unidentified traffic. From a practical point of view, visual traffic classification can be used, for example, for anomaly detection to verify that all traffic to a web server on TCP port 80 does indeed exhibit the characteristic behavior patterns of HTTP, or for misuse detection to find unauthorized servers or to identify traffic generated by prohibited applications. We present our technique for building a classifier based on the notion of visual motifs and report on our experience using this technique to automatically classify on-the-wire behavioral patterns from network flow data collected from a campus network. Specifically, we analyze over 1 billion flows corresponding to over 5 million sessions on nearly 200 distinct ports and show that our approach achieves high recall and precision.