Finding a Needle in a Haystack: The Traffic Analysis Version

Authors: Abdullah Qasem (Concordia University), Sami Zhioua (King Fahd University of Petroleum and Minerals), Karima Makhlouf (Imam Abdulrahman Bin Faisal University)

Volume: 2019
Issue: 2
Pages: 270–290
DOI: https://doi.org/10.2478/popets-2019-0030


Abstract: Traffic analysis is the process of extracting useful or sensitive information from observed network traffic. Typical use cases include malware detection and website fingerprinting attacks. High-accuracy traffic analysis techniques use machine learning algorithms (e.g. SVM, kNN) and require the traffic to be split into correctly separated blocks. Inspired by digital forensics techniques, we propose a new network traffic analysis approach based on similarity digests. The approach features several advantages compared to existing techniques, namely fast signature generation, compact signature representation using Bloom filters, efficient similarity detection between packet traces of arbitrary sizes, and in particular dropping the traffic splitting requirement altogether. Experiments show very promising results on VPN and malware traffic, but low results on Tor traffic, due mainly to its single-size cells.
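The following Python script is an added illustration of the idea the abstract sketches (a similarity digest over packet traces, stored in a Bloom filter, compared without splitting the traffic into blocks). It is not the paper's code, and the concrete design is an assumption: a trace is reduced to n-grams of signed packet sizes (sign = direction), every n-gram is hashed into a Bloom filter, and two digests are scored by the fraction of set bits they share, normalised by the smaller digest so traces of different lengths remain comparable. The packet traces are constructed, not captured. The last pair of traces uses fixed-size cells, which shows in code why the abstract reports weak results on Tor: when every packet has the same size, the n-gram set collapses to a handful of direction patterns and unrelated sessions produce identical digests.

```python
"""Added example (not from the paper): a Bloom-filter similarity digest over packet traces."""
import hashlib
from typing import List, Sequence, Set, Tuple

Packet = Tuple[int, int]  # (direction, size): +1 outbound, -1 inbound; assumption of this example


def trace_ngrams(trace: Sequence[Packet], n: int = 3) -> Set[Tuple[int, ...]]:
    """Turn a trace into the set of n-grams of signed sizes (direction * size).

    This is the 'feature' we digest; no block splitting is needed because
    n-grams are taken over the whole trace regardless of its length.
    """
    toks = [d * s for d, s in trace]
    return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}


class BloomFilter:
    """Minimal Bloom filter: k SHA-256-derived positions in an m-bit integer."""

    def __init__(self, m_bits: int = 1024, k: int = 4) -> None:
        self.m, self.k, self.bits = m_bits, k, 0

    def _positions(self, item: object) -> List[int]:
        data = repr(item).encode()
        return [
            int.from_bytes(hashlib.sha256(bytes([i]) + data).digest()[:4], "big") % self.m
            for i in range(self.k)
        ]

    def add(self, item: object) -> None:
        for p in self._positions(item):
            self.bits |= 1 << p

    def popcount(self) -> int:
        return bin(self.bits).count("1")


def digest(trace: Sequence[Packet], n: int = 3, m_bits: int = 1024, k: int = 4) -> BloomFilter:
    """Compact signature of a trace: all its n-grams inserted into one Bloom filter."""
    bf = BloomFilter(m_bits, k)
    for gram in trace_ngrams(trace, n):
        bf.add(gram)
    return bf


def similarity(a: BloomFilter, b: BloomFilter) -> float:
    """Shared set bits over the smaller digest's set bits, in [0, 1].

    Normalising by the smaller digest lets a short trace be matched against
    a much longer one (e.g. one page load inside a long capture).
    """
    inter = bin(a.bits & b.bits).count("1")
    denom = min(a.popcount(), b.popcount())
    return inter / denom if denom else 0.0


# --- constructed sample traces (not real captures) -----------------------------
TRACE_A = [(+1, 517), (-1, 1460), (-1, 1460), (-1, 1460), (+1, 66), (-1, 1200),
           (+1, 66), (+1, 420), (-1, 890), (-1, 1460), (-1, 300), (+1, 66)]
# Same "site" loaded again: one extra inbound packet in the middle.
TRACE_A_REPEAT = TRACE_A[:6] + [(-1, 1200)] + TRACE_A[6:]
# A different "site" with different size pattern.
TRACE_B = [(+1, 300), (-1, 1460), (-1, 600), (+1, 100), (-1, 1460), (-1, 1460),
           (+1, 100), (-1, 750), (+1, 1300), (-1, 1460), (-1, 1460), (+1, 100)]

# Fixed-size cells (512 bytes, a constructed stand-in for single-size Tor cells).
# Each session below is a de Bruijn ordering of directions, so each contains
# every one of the 2**3 = 8 possible direction 3-grams and nothing else.
CELL = 512
TOR_SESSION_1 = [(d, CELL) for d in (+1, +1, +1, -1, +1, -1, -1, -1, +1, +1)]
TOR_SESSION_2 = [(d, CELL) for d in (-1, -1, -1, +1, -1, +1, +1, +1, -1, -1, +1, -1, -1, +1)]


def demo_scores() -> dict:
    """Return the similarity scores used in the discussion above."""
    da, da2, db = digest(TRACE_A), digest(TRACE_A_REPEAT), digest(TRACE_B)
    t1, t2 = digest(TOR_SESSION_1), digest(TOR_SESSION_2)
    return {
        "same_site": similarity(da, da2),       # high: most n-grams survive the extra packet
        "different_site": similarity(da, db),   # low: only hash collisions overlap
        "fixed_size_cells": similarity(t1, t2), # 1.0: different sessions, identical digests
    }


if __name__ == "__main__":
    for name, score in demo_scores().items():
        print(f"{name:18s} {score:.2f}")
```

The `fixed_size_cells` score is the failure mode the abstract attributes to Tor: with a single cell size, the digest only sees direction patterns, so the feature space is far too small to separate sessions. Variable-size traffic (VPN, raw malware C2) keeps size information in the n-grams and the two "site" traces separate cleanly.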

Keywords: Traffic Analysis, Website Fingerprinting, Malware Clustering

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.