Signatures of Viber Security Traffic
Viber is one of the widely used mobile chat applications, with over 606 million users on its platform. Since the recent release of Viber 6.0 in March/April 2016 and its further updates, Viber provides end-to-end encryption based on the Open Whisper Signal security architecture. With a proprietary communication protocol scattered over a distributed cluster of servers in different countries and secure cryptographic primitives, Viber offers a difficult paradigm for traffic analysis. In this paper, we present a novel methodology for the identification of Viber traffic over the network and establish a model which can classify its services: audio and audio/video calls, message chats including text and voice chats, group messages, and file/media sharing. Absolute detection of both parties of Viber voice and video calls is also demonstrated in our work. Our findings on Viber traffic signatures are applicable to the most recent version of Viber, 6.2.2, for Android and iOS devices.
A Wearable Machine Learning Solution for Internet Traffic Classification in Satellite Communications
In this paper, we present an architectural framework to perform Internet traffic classification in Satellite Communications for QoS management. Such a framework is based on Machine Learning techniques. We propose the elements that the framework should include, as well as an implementation proposal. We define and validate some of its elements by evaluating an Internet dataset generated on an emulated Satellite Architecture. We also outline some discussions and future works that should be addressed to have an accurate Internet classification system.
No NAT'd User left Behind: Fingerprinting Users behind NAT from NetFlow Records alone
It is generally recognized that the traffic generated by an individual connected to a network acts as his biometric signature. Several tools exploit this fact to fingerprint and monitor users. Often, though, these tools assume access to the entire traffic, including IP addresses and payloads. This is not feasible on the grounds that both performance and privacy would be negatively affected. In reality, most ISPs convert user traffic into NetFlow records for a concise representation that does not include, for instance, any payloads. More importantly, large and distributed networks are usually NAT'd, thus a few IP addresses may be associated with thousands of users. We devised a new fingerprinting framework that overcomes these hurdles. Our system is able to analyze a huge amount of network traffic represented as NetFlows, with the intent to track people. It does so by accurately inferring when users are connected to the network and which IP addresses they are using, even though thousands of users are hidden behind NAT. Our prototype implementation was deployed and tested within an existing large metropolitan WiFi network serving about 200,000 users, with an average load of more than 1,000 users simultaneously connected behind only 2 NAT'd IP addresses. Our solution turned out to be very effective, with an accuracy greater than 90%. We also devised new tools and refined existing ones that may be applied to other contexts related to NetFlow analysis.
Detection of encrypted cryptomining malware connections with machine and deep learning
Nowadays, malware has become an epidemic problem. Among the attacks exploiting the computer resources of victims, one that has become usual is related to the massive amounts of computational resources needed for digital currency cryptomining. Cybercriminals steal computer resources from victims, associating these resources with the crypto-currency mining pools they benefit from. This research work focuses on offering a solution for detecting such abusive cryptomining activity, just by means of passive network monitoring. To this end, we identify a new set of highly relevant network flow features to be used jointly with a rich set of machine and deep-learning models for real-time cryptomining flow detection. We deployed a complex and realistic cryptomining scenario for training and testing machine and deep learning models, in which clients interact with real servers across the Internet and use encrypted connections. A complete set of experiments was carried out to demonstrate that, using a combination of these highly informative features with complex machine learning models, cryptomining attacks can be detected on the wire with telco-grade precision and accuracy, even if the traffic is encrypted.
Big Data for Traffic Monitoring and Management
The last two decades witnessed tremendous advances in Information and Communications Technologies. Besides improvements in computational power and storage capacity, communication networks nowadays carry an amount of data which was not envisaged only a few years ago. Together with their pervasiveness, network complexity increased at the same pace, leaving operators and researchers with few instruments to understand what happens in the networks and, on the global scale, on the Internet. Fortunately, recent advances in data science and machine learning come to the rescue of network analysts, and allow analyses with a level of complexity and spatial/temporal scope not possible only 10 years ago. In my thesis, I take the perspective of an Internet Service Provider (ISP), and illustrate challenges and possibilities of analyzing the traffic coming from modern operational networks. I make use of big data and machine learning algorithms, and apply them to datasets coming from passive measurements of ISP and University Campus networks. The marriage between data science and network measurements is complicated by the complexity of machine learning algorithms, and by the intrinsic multi-dimensionality and variability of this kind of data. As such, my work proposes and evaluates novel techniques, inspired by popular machine learning approaches, but carefully tailored to operate with network traffic.
In this thesis, I first provide a thorough characterization of Internet traffic from 2013 to 2018. I show the most important trends in the composition of traffic and users' habits across the last 5 years, and describe how the network infrastructure of Internet big players changed in order to support faster and larger traffic. Then, I show the challenges in classifying network traffic, with particular attention to encryption and to the convergence of the Internet around a few big players. To overcome the limitations of classical approaches, I propose novel algorithms for traffic classification and management leveraging machine learning techniques and, in particular, big data approaches. Exploiting temporal correlation among network events, and benefiting from large datasets of operational traffic, my algorithms learn common traffic patterns of web services, and use them for (i) traffic classification and (ii) fine-grained traffic management. My proposals are always validated in experimental environments and then deployed in real operational networks, from which I report the most interesting findings I obtain. I also focus on the Quality of Experience (QoE) of web users, as their satisfaction represents the final objective of computer networks. Again, I show that using big data approaches, the network can achieve visibility on the quality of web browsing of users. In general, the algorithms I propose help ISPs have a detailed view of the traffic that flows in their network, allowing fine-grained traffic classification and management, and real-time monitoring of users' QoE.
Analytics over Encrypted Traffic and Defenses
Encrypted traffic flows have been known to leak information about their underlying content through statistical properties such as packet lengths and timing. While traffic fingerprinting attacks exploit such information leaks and threaten user privacy by disclosing website visits, videos streamed, and user activity on messaging platforms, they can also be helpful in network management and intelligence services.
Most recent and best-performing such attacks are based on deep learning models. In this thesis, we identify multiple limitations in the currently available attacks and defenses against them. First, these deep learning models do not provide any insights into their decision-making process. Second, most attacks that have achieved very high accuracies are still limited by unrealistic assumptions that affect their practicality. For example, most attacks assume a closed world setting and focus on traffic classification after event completion. Finally, current state-of-the-art defenses still incur high overheads to provide reasonable privacy, which limits their applicability in real-world applications.
In order to address these limitations, we first propose an inline traffic fingerprinting attack based on variable-length sequence modeling to facilitate real-time analytics. Next, we attempt to understand the inner workings of deep learning-based attacks with the dual goals of further improving attacks and designing efficient defenses against such attacks. Then, based on the observations from this analysis, we propose two novel defenses against traffic fingerprinting attacks that provide privacy under more realistic constraints and at lower bandwidth overheads. Finally, we propose a robust framework for open set classification that targets network traffic, with the added advantage of being more suitable for deployment in resource-constrained in-network devices.
Radio frequency traffic classification over WLAN
Network traffic classification is the process of analyzing traffic flows and associating them with different categories of network applications. Network traffic classification represents an essential task in the whole chain of network security. Some of the most important and widely spread applications of traffic classification are the ability to classify encrypted traffic, the identification of malicious traffic flows, and the enforcement of security policies on the use of different applications. Passively monitoring a network utilizing low-cost and low-complexity wireless local area network (WLAN) devices is desirable. Mobile devices can be used, or existing office desktops can be temporarily utilized when their computational load is low. This reduces the burden on existing network hardware. The aim of this paper is to investigate traffic classification techniques for wireless communications. To aid with intrusion detection, the key goal is to passively monitor and classify different traffic types over WLAN to ensure that network security policies are adhered to. The classification of encrypted WLAN data poses some unique challenges not normally encountered in wired traffic. WLAN traffic is analyzed for features that are then used as an input to six different machine learning (ML) algorithms for traffic classification. One of these algorithms (a Gaussian mixture model incorporating a universal background model) has not been applied to wired or wireless network classification before. The authors also propose an ML algorithm that makes use of the well-known vector quantization algorithm in conjunction with a decision tree—referred to as a TRee Adaptive Parallel Vector Quantiser. This algorithm has a number of advantages over the other ML algorithms tested and is suited to wireless traffic classification. An average F-score (harmonic mean of precision and recall) > 0.84 was achieved when training and testing on the same day across six distinct traffic types.