Signatures of Viber Security Traffic

Viber is one of the widely used mobile chat application which has over 606 million users on its platform. Since the recent release of Viber 6.0 in March/April 2016 and its further updates, Viber provides end-to-end encryption based on Open Whisper Signal security architecture. With proprietary communication protocol scattered on distributed cluster of servers in different countries and secure cryptographic primitives, Viber offers a difficult paradigm of traffic analysis. In this paper, we present a novel methodology of identification of Viber traffic over the network and established a model which can classify its services of audio and audio/video calls, message chats including text and voice chats, group messages and file/media sharing. Absolute detection of both parties of Viber voice and video calls is also demonstrated in our work. Our findings on Viber traffic signatures are applicable to most recent version of Viber 6.2.2 for android and iOS devices

Detecting exploit patterns from network packet streams

Network-based Intrusion Detection Systems (NIDS), e.g., Snort, Bro or NSM, try to detect malicious network activity such as Denial of Service (DoS) attacks and port scans by monitoring network traffic. Research from network traffic measurement has identified various patterns that exploits on today\u27s Internet typically exhibit. However, there has not been any significant attempt, so far, to design algorithms with provable guarantees for detecting exploit patterns from network traffic packets. In this work, we develop and apply data streaming algorithms to detect exploit patterns from network packet streams. In network intrusion detection, it is necessary to analyze large volumes of data in an online fashion. Our work addresses scalable analysis of data under the following situations. (1) Attack traffic can be stealthy in nature, which means detecting a few covert attackers might call for checking traffic logs of days or even months, (2) Traffic is multidimensional and correlations between multiple dimensions maybe important, and (3) Sometimes traffic from multiple sources may need to be analyzed in a combined manner. Our algorithms offer provable bounds on resource consumption and approximation error. Our theoretical results are supported by experiments over real network traces and synthetic datasets