Recently, webmail interfaces (e.g., Horde and Outlook Web Access) and webmail platforms such as GMail, Yahoo!, and Hotmail have seen a tremendous boost in popularity. Given the importance of e-mail for personal and business use alike, and its exposure to imminent threats, there is a need for a comprehensive view of the Internet mail system, including webmail traffic. In this paper, we propose a novel, passive approach to identify webmail traffic based solely on network-level data in order to obtain a comprehensive view of the mail system. Key to our approach is that we leverage correlations across protocols and time to introduce three novel features for HTTPS webmail classification. Our first feature is based on the finding that webmail servers tend to reside close to legacy mail servers, e.g., IMAP and POP, which can be easily identified. Our second feature leverages the fact that the usage of webmail services results in distinct patterns in session duration and in the diurnal/weekly traffic usage profile. Our third feature exploits the observation that traffic flows to webmail platforms exhibit inherent periodicities because AJAX-based clients periodically check for new messages. We use these three features to build a simple classifier and detect webmail traffic on real-world NetFlow traces from a medium-sized backbone network. We believe that the major contribution of this paper, exploring a set of new features that could classify applications that run over HTTPS ports based solely on NetFlow data, will stimulate more general advances in the field of traffic classification.