Use this URL to cite or link to this record in EThOS: http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.543245
Title: Identification of networked tunnelled applications
Author: Mujtaba, Ghulam
Awarding Body: Loughborough University
Current Institution: Loughborough University
Date of Award: 2011
Abstract:
In protocol tunnelling, one application protocol is encapsulated within another carrier protocol in an unusual way in order to circumvent firewall policy. Application-layer tunnels are a significant security and resource-abuse threat for networks: applications that firewalls restrict, such as high data-rate games, peer-to-peer file sharing, video and audio streaming, and chat, are carried through allowed protocols like HTTP and HTTPS, and the firewall security policy is thwarted. Protocols such as HTTP and HTTPS are indispensable today for any network which has to be connected to the Internet; hence they become a high-value target for running restricted applications via tunnelling. Identifying the actual application running across a network is important for network management, optimisation, security and abuse prevention. Existing techniques for identifying applications running across the network, for example port-number-based identification and packet data analysis, are not always successful, especially for applications which use encrypted tunnels. This work describes a statistical approach to detect applications which are running over application-layer tunnels. Previous work has shown the packet size distribution to be an effective metric for detecting most network applications, both UDP- and TCP-based. In this work it is shown how packet stream statistics, including packet size distributions, can be used to differentiate and identify networked tunnelled applications successfully. Tunnelled applications are identifiable from the statistical parameters of their traffic. Traffic trace files of the applications were captured, statistical parameters were derived from the trace files, and these parameters were then used to train machine learning algorithms. The trained machine learning algorithm is then able to classify other packet trace data as belonging to an application.
Five different machine learning algorithms have been applied, and their performance accuracy is discussed. The entropy-distance-based Nearest Neighbour machine learning algorithm and the Euclidean-distance-based Nearest Neighbour classifier had better results than the others. This method of identifying tunnelled applications can be complementary to other network security systems such as firewalls and Intrusion Detection Systems.
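The following is an added illustration of the classification approach the abstract describes; it is not code from the thesis. It assumes that the feature vector is a normalised histogram of packet sizes over fixed byte bins (the bin edges are an assumption), that the "entropy distance" is Jensen-Shannon divergence between two size distributions (the thesis does not define its distance here, so this is a stand-in), and that the training and query flows are short constructed size sequences rather than captured traces. Only the packet size distribution is used; the other stream statistics the abstract mentions are omitted.

```python
"""Nearest-neighbour identification of tunnelled applications from
packet size distributions (added illustration, not thesis code).

Assumptions: BIN_UPPER edges, Jensen-Shannon divergence as the
"entropy distance", and constructed sample flows.
"""
import math

# Upper bounds (bytes) of the size bins; a packet of size s falls into the
# first bin with s < upper. Assumed values, chosen to separate ACK-sized,
# chat-sized, mid-sized and MTU-sized packets.
BIN_UPPER = (64, 128, 256, 512, 1024, 1500, float("inf"))


def size_histogram(sizes):
    """Return the normalised packet size distribution of one flow."""
    if not sizes:
        raise ValueError("flow has no packets")
    counts = [0] * len(BIN_UPPER)
    for s in sizes:
        for i, upper in enumerate(BIN_UPPER):
            if s < upper:
                counts[i] += 1
                break
    return [c / len(sizes) for c in counts]


def euclidean(p, q):
    """Euclidean distance between two probability vectors."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def _kl(p, q):
    """Kullback-Leibler divergence in bits; bins with p=0 contribute 0."""
    return sum(a * math.log2(a / b) for a, b in zip(p, q) if a > 0)


def jensen_shannon(p, q):
    """Jensen-Shannon divergence: symmetric, finite, 0 for identical inputs.
    Used here as the assumed entropy-based distance."""
    m = [(a + b) / 2 for a, b in zip(p, q)]
    return 0.5 * _kl(p, m) + 0.5 * _kl(q, m)


def nearest_neighbour(query, training, distance):
    """1-NN: return the label of the training vector closest to query.
    training is a list of (label, feature_vector); ties go to the first."""
    return min(training, key=lambda item: distance(query, item[1]))[0]


def make_flow(pattern, n):
    """Repeat a size pattern to build an n-packet flow (constructed data)."""
    return [pattern[i % len(pattern)] for i in range(n)]


# Constructed training flows: one representative size pattern per class.
TRAINING_FLOWS = {
    "plain_web":       make_flow([1460, 1460, 1460, 52, 1460, 52], 600),
    "tunnelled_chat":  make_flow([120, 64, 180, 64, 90, 64], 600),
    "tunnelled_video": make_flow([1300, 1300, 1200, 60, 1300], 600),
    "tunnelled_game":  make_flow([72, 88, 72, 300, 72, 96, 72, 52], 600),
}
TRAINING_SET = [(label, size_histogram(sizes))
                for label, sizes in TRAINING_FLOWS.items()]

# Constructed query flows: perturbed versions of the training patterns,
# standing in for traces the classifier has not seen.
QUERY_FLOWS = {
    "chat_like":  make_flow([110, 66, 200, 66, 80, 70], 300),
    "video_like": make_flow([1400, 1400, 1100, 64, 1400], 300),
    "game_like":  make_flow([80, 70, 80, 280, 80, 100, 80, 60], 300),
    "web_like":   make_flow([1400, 1450, 1460, 60, 1460, 56], 300),
}


def classify(sizes, distance=euclidean, training=None):
    """Label one flow by nearest neighbour under the given distance."""
    return nearest_neighbour(size_histogram(sizes),
                             training or TRAINING_SET, distance)


if __name__ == "__main__":
    for name, sizes in QUERY_FLOWS.items():
        print(f"{name:11s} euclidean -> {classify(sizes):16s} "
              f"jensen-shannon -> {classify(sizes, jensen_shannon)}")
```

On real traces the same pipeline applies per flow (or per direction of a flow): bin the observed packet sizes, compare against class histograms learned from labelled captures, and treat an HTTP or HTTPS flow whose nearest class is not "plain_web" as a candidate tunnel for further inspection. Because only sizes are used, the method works unchanged on encrypted payloads.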
Supervisor: Not available
Sponsor: Not available
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
EThOS ID: uk.bl.ethos.543245
DOI: Not available