Identification of networked tunnelled applications
Thesis, posted on 2011-06-01, 11:49, authored by Ghulam Mujtaba
In protocol tunnelling, one application protocol is encapsulated within another carrier protocol in a way the carrier was not designed for, in order to circumvent firewall policy. Application-layer tunnels are a significant security and resource-abuse threat for networks: applications that firewalls restrict, such as high data-rate games, peer-to-peer file sharing, video and audio streaming, and chat, are carried through allowed protocols like HTTP and HTTPS, and the firewall security policy is thwarted. HTTP and HTTPS are indispensable today for any network connected to the Internet, so they become a high-value carrier for running restricted applications via tunnelling. Identifying the actual application running across a network is important for network management, optimisation, security and abuse prevention. Existing identification techniques, for example port-number-based identification and packet payload analysis, are not always successful, especially for applications that use encrypted tunnels, where the port number says only "HTTPS" and the payload is opaque.

This work describes a statistical approach to detecting applications that run inside application-layer tunnels. Previous work has shown the packet size distribution to be an effective metric for detecting most network applications, both UDP and TCP based. Here it is shown how packet stream statistics, including packet size distributions, can be used to differentiate and identify networked tunnelled applications: tunnelled applications remain identifiable from their traffic statistics because encryption conceals payload content but not packet sizes. Traffic trace files of the applications were captured, statistical parameters were derived from the trace files, and these parameters were used to train machine learning algorithms. A trained algorithm can then classify other packet trace data as belonging to a given application.

Five different machine learning algorithms were applied, and their classification accuracy is discussed. The entropy-distance-based Nearest Neighbour classifier and the Euclidean-distance-based Nearest Neighbour classifier gave better results than the others. This method of identifying tunnelled applications can be complementary to other network security systems such as firewalls and Intrusion Detection Systems.
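The pipeline the abstract sketches (packet-size histograms per flow as the feature vector, then a nearest-neighbour classifier under a Euclidean and an entropy-based distance) is shown below as an added, self-contained example; it is not code from the thesis. The bin edges, the choice of Jensen-Shannon divergence as the "entropy distance", and the packet-size traces are all assumptions of this example: the traces are constructed, not captured, and are sized so that all three "applications" would look like plain HTTPS to a port-based classifier.

```python
import math

# Packet-size bin edges in bytes. Assumed for this example; the abstract does
# not say how the thesis discretised packet sizes.
BIN_EDGES = (0, 100, 300, 600, 1000, 1300, 1600)


def size_distribution(sizes):
    """Normalised packet-size histogram of one flow: the feature vector."""
    counts = [0] * (len(BIN_EDGES) - 1)
    for s in sizes:
        idx = len(counts) - 1          # sizes >= last edge land in the top bin
        for i in range(len(counts)):
            if s < BIN_EDGES[i + 1]:
                idx = i
                break
        counts[idx] += 1
    total = sum(counts) or 1
    return [c / total for c in counts]


def euclidean(p, q):
    """Euclidean distance between two histograms."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def entropy_bits(p):
    return -sum(x * math.log2(x) for x in p if x > 0)


def jensen_shannon(p, q):
    """Entropy-based distance (assumed here): Jensen-Shannon divergence in bits.
    Unlike KL divergence it is symmetric and stays finite when one histogram
    has an empty bin the other does not, which real flow histograms often do."""
    m = [(a + b) / 2 for a, b in zip(p, q)]
    return entropy_bits(m) - (entropy_bits(p) + entropy_bits(q)) / 2


def train(flows):
    """flows: {label: [packet sizes of one captured flow, ...]} -> [(label, histogram)]."""
    return [(label, size_distribution(sizes))
            for label, traces in flows.items() for sizes in traces]


def classify(model, sizes, metric):
    """1-nearest-neighbour: label of the training flow whose histogram is closest."""
    feat = size_distribution(sizes)
    label, _ = min(model, key=lambda item: metric(feat, item[1]))
    return label


def leave_one_out_accuracy(flows, metric):
    """Fraction of training flows classified correctly when held out one at a time."""
    items = [(label, sizes) for label, traces in flows.items() for sizes in traces]
    correct = 0
    for i, (label, sizes) in enumerate(items):
        model = [(l, size_distribution(s)) for j, (l, s) in enumerate(items) if j != i]
        correct += classify(model, sizes, metric) == label
    return correct / len(items)


# Constructed packet-size traces (bytes), two flows per application. All three
# run over TCP/443, so port-based identification calls every one of them HTTPS.
TRAINING = {
    "web_browsing":     [[60] * 25 + [130] * 8 + [500] * 5 + [1460] * 20,
                         [60] * 22 + [140] * 9 + [450] * 4 + [1460] * 18],
    "tunnelled_stream": [[60] * 10 + [1350] * 50,
                         [60] * 12 + [1380] * 46],
    "tunnelled_chat":   [[60] * 20 + [90] * 30 + [180] * 15 + [250] * 10,
                         [70] * 22 + [95] * 28 + [200] * 14 + [280] * 8],
}
MODEL = train(TRAINING)

# A held-out flow (constructed): HTTPS on the wire, but with the steady
# near-MTU packet stream of a video player pushed through the tunnel.
UNKNOWN_FLOW = [60] * 12 + [1400] * 48


def identify(sizes):
    """Verdict of both distance-based nearest-neighbour classifiers."""
    return {
        "euclidean": classify(MODEL, sizes, euclidean),
        "jensen_shannon": classify(MODEL, sizes, jensen_shannon),
    }


if __name__ == "__main__":
    print(identify(UNKNOWN_FLOW))
    for name, metric in (("euclidean", euclidean), ("jensen_shannon", jensen_shannon)):
        print(name, "leave-one-out accuracy:", leave_one_out_accuracy(TRAINING, metric))
```

Jensen-Shannon is used rather than KL divergence because a single empty bin in one histogram makes KL infinite, which would break nearest-neighbour ranking on real traces; the leave-one-out routine is the simplest honest way to report accuracy when, as here, the training set is small.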
- Mechanical, Electrical and Manufacturing Engineering