Traffic Classification for the Detection of Anonymous Web Proxy Routing

Shane Miller

School of Computing, Engineering & Intelligent Systems
Faculty of Computing & Engineering
Ulster University, Magee

A thesis submitted in partial fulfilment of the requirements for the degree of Doctor of Philosophy

I confirm that the word count of this thesis is less than 100,000

Contents

CONTENTS
ACKNOWLEDGEMENTS
ABSTRACT
ABBREVIATIONS
LIST OF FIGURES
LIST OF TABLES

1. INTRODUCTION
  1.1 DETECTING AND BLOCKING ANONYMOUS COMMUNICATIONS
  1.2 PROBLEM STATEMENT
  1.3 RESEARCH GOALS
  1.4 THESIS CONTRIBUTIONS
  1.5 THESIS OUTLINE

2. LITERATURE REVIEW
  2.1 PROXIES
    2.1.1 Content Filters
    2.1.2 Document access controllers
    2.1.3 Security Firewalls
    2.1.4 Web Caches
    2.1.5 Reverse Proxy
    2.1.6 Content Router
    2.1.7 Transcoder
    2.1.8 Anonymous Proxies
    2.1.9 Conclusion
  2.2 VIRTUAL PRIVATE NETWORKS (VPNS)
    2.2.1 Introduction
    2.2.2 PPTP
    2.2.3 L2TP
    2.2.4 IPsec
    2.2.5 IKE
    2.2.6 Secure Socket Layer (SSL)-based VPNs
    2.2.7 OpenVPN
    2.2.8 Conclusion
  2.3 Intrusion Detection
    2.3.1 Machine Learning in Intrusion Detection Systems
  2.4 MACHINE LEARNING AND NEURAL NETWORKS
    2.4.1 Machine Learning Methods
    2.4.2 Neural Networks
  2.5 Conclusion

3. DETECTION OF ANONYMISING PROXIES
  3.1 INTRODUCTION
  3.2 DATASET
    3.2.1 Packet capture
    3.2.2 Non-proxy data capture
  3.3 EXPERIMENTS
    3.3.1 Methodology
    3.3.2 Two-Class Neural Network
    3.3.3 Dataset upload and preparation
    3.3.4 Training and Testing
    3.3.5 Results
  3.4 SUMMARY

4. VPN CLASSIFICATION
  4.1 INTRODUCTION
  4.2 DATASET
    4.2.1 Capture Method
    4.2.2 NetMate
  4.3 VPN SETUP: STREISAND ON AWS
  4.4 WEKA EXPERIMENT
    4.4.1 Feature Selection
    4.4.2 Resampling the dataset into training, testing & validation sets
    4.4.3 Neural Network Setup
    4.4.4 Results
  4.5 OPENVPN USING STUNNEL
    4.5.1 Dataset
    4.5.2 Feature Selection
    4.5.3 Neural Network setup
    4.5.4 Results
  4.6 VALIDATION TESTING

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 127