Publication | Open Access
A survey of methods for encrypted traffic classification and analysis
Citations: 351
References: 32
Year: 2015
Internet Traffic Analysis, Encrypted Traffic Classification, Engineering, Encrypted Traffic, Information Security, Information Forensics, Data Science, Network Traffic, Network Security, Internet Security, Network Traffic Encryption, Data Privacy, Computer Science, Traffic Monitoring, Privacy, Network Forensics, Traffic Classification, Cybersecurity Protocols, Data Security, Cryptography, Network Traffic Measurement
Network traffic encryption has become ubiquitous, creating challenges for traffic measurement, analysis, and anomaly detection that depend on traffic type. This paper surveys existing approaches for classifying and analyzing encrypted traffic. The survey reviews common Internet encryption protocols, payload and feature‑based classification techniques, and compares them using a taxonomy of strengths and weaknesses. The authors find that connection initiation and protocol structure reveal substantial information, enabling classification, and that some methods can identify both the encryption and application protocols. © 2015 John Wiley & Sons, Ltd.
Summary: With the widespread use of encrypted data transport, network traffic encryption is becoming a standard nowadays. This presents a challenge for traffic measurement, especially for analysis and anomaly detection methods, which are dependent on the type of network traffic. In this paper, we survey existing approaches for classification and analysis of encrypted traffic. First, we describe the most widespread encryption protocols used throughout the Internet. We show that the initiation of an encrypted connection and the protocol structure give away much information for encrypted traffic classification and analysis. Then, we survey payload and feature‐based classification methods for encrypted traffic and categorize them using an established taxonomy. The advantage of some of the described classification methods is the ability to recognize the encrypted application protocol in addition to the encryption protocol. Finally, we make a comprehensive comparison of the surveyed feature‐based classification methods and present their weaknesses and strengths. Copyright © 2015 John Wiley & Sons, Ltd.