Classifying Service Flows in the Encrypted Traffic

Maciej Korczynski´ and Andrzej Duda Grenoble Institute of Technology, CNRS Grenoble Informatics Laboratory UMR 5217 Grenoble, France. : [maciej.korczynski, andrzej.duda]@imag.fr

Abstract—In this paper, we consider the problem of detecting have evaluated our classification method on a representative Skype traffic and classifying Skype service flows such as voice dataset to show excellent performance in terms of Precision calls, skypeOut, video conferencing, chat, file upload and down- and Recall. load. We propose a classification method for Skype encrypted traffic based on the Statistical Protocol IDentification (SPID) To the best of our knowledge, this is the first work that that analyzes statistical values of some traffic attributes. We proposes an accurate method for classifying encrypted Skype have evaluated our method on a representative dataset to show service TCP flows tunneled over the TLS protocol. excellent performance in terms of Precision and Recall. II.ISSUESINTHE ANALYSIS OF SKYPE TRAFFIC I.INTRODUCTION Accurate traffic identification and classification are essential Skype traffic presents a major challenge for detection and for proper network configuration and security monitoring. classification, because of proprietary software, several internal Application-layer encryption can however bypass restrictions obfuscation mechanisms, and a complex connection protocol set by network configuration and security checks. In this paper, designed for bypassing firewalls and establishing communica- we focus on Skype as an interesting example of encrypted tion regardless of network policies. traffic and provide a method for identifying different Skype Skype differs from other VoIP applications, because it relies flows inside encrypted TCP traffic—we want to discriminate on a Peer-to-Peer (P2P) infrastructure while other applications between voice calls, video conferencing, skypeOut calls, chat, use the traditional client-server model. Skype nodes include and file sharing. Previous papers on Skype concentrated on clients (ordinary nodes), supernodes, and servers for updates its architecture and the authentication phase [1], [2], [3], and authentication. An ordinary node with a public IP ad- on the mechanisms for firewall and NAT traversal [4] as dress, sufficient computing resources and network bandwidth well as on characterizing traffic streams generated by VoIP may become a supernode. Supernodes maintain an overlay calls and Skype signaling [5], [6]. Bonfiglio et al. proposed network, while ordinary nodes establish connections with a identification methods for encrypted UDP Skype traffic [7], small number of supernodes. Authentication servers store the but no work has considered encrypted TCP Skype flows. user account information. A Skype client communicates with Skype exemplifies the problem of identifying encrypted other nodes directly or in an indirect way via other peers that flows, because it multiplexes several services using the same relay packets. Skype can multiplex different service flows on ports: VoIP calls, video conferencing, instant messaging, or file an established connection: voice calls to another Skype node, transfer. A network administrator may assign a higher priority skypeOut calls to phones, video conferencing, chat, file upload to VoIP calls, but other flows may also benefit in an illegitimate and download. Our goal is to detect and classify the service way from a higher priority if we cannot distinguish them from flows in Skype traffic. We cannot use traditional port-based VoIP calls. flow identification methods, because Skype randomly selects We propose a classification method for Skype encrypted ports and switches to port 80 (HTTP) or 443 (TLS 1.0) if it traffic based on the Statistical Protocol IDentification (SPID) fails to establish a connection on chosen ports. [8] that analyzes statistical values of flow and application layer Another feature of the Skype design is the possibility of data. We consider a very special case of Skype traffic that is, using both TCP and UDP as a transport protocol. Skype in addition to proprietary encryption, tunneled over Transport uses TCP to establish an initial connection and then it can Layer Security (TLS) protocol version 1.0. We propose an interchangeably use TCP or UDP depending on network appropriate set of attribute meters to detect encrypted Skype restrictions. TCP traffic and identify Skype service flows. Our method Skype encrypts its traffic with the strong 256-bit Advanced involves three phases with progressive identification. To select Encryption Standard (AES) algorithm to protect from poten- the right attribute meters for each phase, we applied a method tial eavesdropping. However, some information in the UDP called forward selection [9] that evaluates how a given attribute payload is not encrypted so that a part of the Skype messages meter improves classification performance and promotes it encapsulated in UDP can be obtained and used for identifi- to the traffic model if its influence is significant. Forward cation [7]. We propose an accurate method for classification selection uses the Analysis of Variance (ANOVA) [10]. We of service flows inside encrypted TCP Skype traffic tunneled

Table I DEFINITION OF ATTRIBUTE METERS USED IN CLASSIFICATION

Attribute meter Definition

mk 8 100 byte-frequency M1 : {(k,pk)}, k =0, 1, ..., 255; pk = , mk = δ i P mk i=1 j=1 xj P P m i i i i i hi action-reaction of first 3 bytes M2 : {(h ,phi ), ∀i∈(1,3)}, h :(y3∆,z3∆) → h(y3∆,z3∆), phi = m , mhi = δh(yi ,zi ) P hi 3∆ 3∆

i i mh 4 32 byte value offset hash M3 : {(h,ph)}, h :(j, x ) → h(j, x ), ph = , mh = δ i j j P mh i=1 j=1 h(j,xj ) P P

i i mh 4 32 first 4 packets byte reoccurring dis- M4 : {(h,ph)}, ∀d<=16 : h :(x ,d) → h(x ,d), ph = , mh = δ i ) j j P mh i=1 j=1 h(xj ,d) tance with byte P P

i i i i mh 4 16 first 4 packets first 16 byte pairs M5 : {(h,ph)}, h :(x ,x ) → h(x ,x ), ph = , mh = δ i i j j+1 j j+1 P mh i=1 j=1 h(xj ,xj+1) P P

i i i i mf first 4 ordered direction packet size M6 : {(f,pf )}, f :(i,s(x ),dir(x )) → f(i,s(x ),dir(x )), pf = , P mf 4 mf = i=1 δf(i,s(xi),dir(xi)) P 1 1 1 1 mf f,p 1 1 1 f nib x ,j,dir x f nib x ,j,dir x p first packet per direction first N M7 : {( f )}, ∀x ∈{z ,y } : :( ( j ) ( )) → ( ( j ) ( )), f = P m , byte nibbles f 8 mf = δ 1 1 j=1 f(nib(xj ),j,dir(x )) P i i i i mf direction packet size distribution M8 : {(f,pf )}, f :(s(x ),dir(x )) → f(s(x ),dir(x )), pf = , P mf s(x) mf = i=1 δf(s(xi),dir(xi)) P i i i+1 i i i+1 mf byte pairs reoccurring count M9 : {(f,pf )}, ∀ i i+1 : f :(xj ,dir(xj ),dir(xj )) → f(xj ,dir(xj ),dir(xj )), pf = m , xj =xj P f s(x) 32 mf = i=1 j=1 δ i i i+1 f(xj ,dir(xj ),dir(xj )) P P

∈ Table II We consider a set of n attribute meters x1,...,xn X NOTATION and a set of m Skype services. We begin with a model that includes the most significant attribute in the initial analysis. M : {(k,pk)} – attribute meter m – attribute meter counter More precisely, we compute - defined as: k F Measure pk,k =0, 1, 2,... – probability distribution of an attribute meter (corresponds to Q(x) in traffic model generation and P (x) in traffic classification) TP TP X xi Precision = , Recall = , 1 if = j δ – indicator function; δ : X →{0, 1},δxi = i TP + FP TP + FN j  0 if X 6= xj h – hash function, h =0, 1, 2,... 2 ∗ Precision ∗ Recall f – compressing function, f =0, 1, 2,... F -Measure = , (2) i Precision + Recall xj – byte j in packet i i xj(m) – bit m in byte j in packet i for a particular Skype service and for each individual attribute i i x ↔ x – all packets in a TCP session meter. The True Positive (TP) term refers to all Skype flows Pyi – packet i, zi – packet sent in a different direction than yi i that are correctly identified, False Positives (FPs) refer to all x∆j – first j bytes in packet i d xi xi d,