Young-Hoon Goo
Korea University
Publication
Featured research published by Young-Hoon Goo.
Asia-Pacific Network Operations and Management Symposium | 2015
Sung-Min Kim; Young-Hoon Goo; Myung-Sup Kim; Soo-Gil Choi; Mi-Jung Choi
SSL/TLS, one of the most popular encryption protocols, was developed as a solution to various network security problems as network traffic has become complex and diverse. But SSL/TLS traffic has been identified by its protocol name, not by the services that use it, which is required for effective network traffic management. This paper proposes a new method to generate service signatures automatically from SSL/TLS payload data and to classify network traffic in accordance with their application services. We utilize the certificate publication information field in the certificate exchange record of SSL/TLS traffic for the service signatures, which occurs when SSL/TLS performs the handshake before encrypted transmission. We proved the performance and feasibility of the proposed method by experimental results that classify about 95% of SSL/TLS traffic with about 90% accuracy for every SSL/TLS service.
Asia-Pacific Network Operations and Management Symposium | 2016
Young-Hoon Goo; Kyu-Seok Shim; Su-Kang Lee; Myung-Sup Kim
Emergence of high-speed Internet and various smart devices has led to a rapid increase of applications on the Internet. In order to provide reliable services and efficient management of network resources, accurate traffic classification of various applications is essential. Whatever extraction method is used, most extracted payload signature formats are just strings or hex values which appear frequently within payloads. Thus, it is difficult to extract unique signatures for a specific application, because redundant signature extraction is in most cases unavoidable. In this paper, we propose a more elaborate payload signature structure for accurate classification of each specific application. The format of this signature structure is composed of three levels of signatures. These are the Content signature, which is a single contiguous substring in payloads, the Packet signature, which is the sequence of Content signatures that appear in the same packet, and the Flow signature, which is a sequence of Packet signatures that appear in the same flow. By applying and comparing the existing signature format and the proposed signature format to actual application traffic classification, we demonstrate the effectiveness of the proposed signature structure.
Security and Communication Networks | 2018
Baraka D. Sija; Young-Hoon Goo; Kyu-Seok Shim; Huru Hasanova; Myung-Sup Kim
A network protocol defines rules that control communications between two or more machines on the Internet, whereas Automatic Protocol Reverse Engineering (APRE) defines the way of extracting the structure of a network protocol without accessing its specifications. Enough knowledge on undocumented protocols is essential for security purposes, network policy implementation, and management of network resources. This paper reviews and analyzes a total of 39 approaches, methods, and tools towards Protocol Reverse Engineering (PRE) and classifies them into four divisions, approaches that reverse engineer protocol finite state machines, protocol formats, and both protocol finite state machines and protocol formats to approaches that focus directly on neither reverse engineering protocol formats nor protocol finite state machines. The efficiency of all approaches’ outputs based on their selected inputs is analyzed in general along with appropriate reverse engineering inputs format. Additionally, we present discussion and extended classification in terms of automated to manual approaches, known and novel categories of reverse engineered protocols, and a literature of reverse engineered protocols in relation to the seven layers’ OSI (Open Systems Interconnection) model.
Asia-Pacific Network Operations and Management Symposium | 2016
Woo-Suk Jung; Sung-Min Kim; Young-Hoon Goo; Myung-Sup Kim
Due to the recent integration of SCADA systems with business systems, SCADA systems have become open (unprotected), leading not only to an increase in security vulnerabilities but also to sophisticated and intelligent cyber-attacks specifically targeting SCADA systems. A whitelist-based security control technique, which has attracted a lot of attention, is an emerging form of systems control that can currently be applied to solve security problems of SCADA systems. Most of the current whitelist-based security techniques for systems control use a static ACL model. But the static ACL model has limitations in its use of the ANY-ANY rule, which is the only way to express communications using a dynamic server port and to express ranges of communication features in a control device. In this paper, we propose a structured ACL model to represent an FTP service to overcome the problem of the dynamic server port in passive FTP. We demonstrate the feasibility of the proposed model in this paper by applying the FTP features extraction algorithm to FTP traffic.
Asia-Pacific Network Operations and Management Symposium | 2017
Kyu-Seok Shim; Young-Hoon Goo; Sungyun Kim; Mi-Jung Choi; Myung-Sup Kim
Today's network environment is becoming very complicated. Accordingly, traffic classification for network management becomes difficult. For the study of traffic classification, the development of automatic payload signature generation systems was carried out very actively. However, existing automatic payload signature generation systems have problems such as being semi-automatic, disposable signature generation, false-positive signature generation and signatures that are not up to date. Therefore, we propose the SigManager. SigManager performs all processes such as traffic collection, signature generation, signature management and signature verification. The traffic collection stage automatically collects ground-truth traffic through TMA and TMS. The signature management stage removes unnecessary signatures and the signature generation stage generates the new signatures. Finally, the signature verification stage removes the false-positive signatures. We solved the problems of existing automatic signature generation systems through this system. As a result of applying this system to a campus network, we could maintain high completeness and a low false-positive rate for 4 applications.
Asia-Pacific Network Operations and Management Symposium | 2017
Sung-Ho Lee; Young-Hoon Goo; Jee-Tae Park; Se-Hyun Ji; Myung-Sup Kim
Today, as the network environment increases, various types of traffic patterns generated for each application and service are generated, and traffic analysis methods that can classify traffic applications and services are being studied. In particular, Skype is a VoIP service that is serviced by Microsoft and is currently the most widely used internationally. For this reason, the importance of Skype traffic detection is growing in terms of network management. In order to overcome the limitations of signature and machine learning based detection methods and to more accurately analyze and detect the current Skype traffic pattern, this paper presents a comprehensive Skype traffic detection system that combines pattern, list and signature based application detection methods. The proposed system is applied to various Skype traffic collected through campus network to verify accuracy and detection rate.
Asia-Pacific Network Operations and Management Symposium | 2017
Young-Hoon Goo; Sung-Ho Lee; Seongyun Choi; Mi-Jung Choi; Myung-Sup Kim
Emergence of high-speed Internet and ubiquitous environment has led to a rapid increase of applications on the Internet and network traffic complexity. In order to provide reliable services and efficient management of network resources, it is essential to classify traffic with specific units. While various traffic classification methods are being studied, there is no single method to classify traffic completely yet. In this paper, we define the correlation model of network flow and propose a traffic grouping method based on it. The proposed correlation model of network flow for traffic grouping consists of the Similarity model and the Connectivity model. We define the Similarity model guideline and the Connectivity model guideline for the purpose of applying the proposed method effectively. By applying the proposed method to the actual application traffic classification, we demonstrate that the method has high accuracy and completeness.
Asia-Pacific Network Operations and Management Symposium | 2017
Baraka D. Sija; Young-Hoon Goo; Kyu-Seok Shim; Sungyun Kim; Mi-Jung Choi; Myung-Sup Kim
A network protocol defines rules that control communications between two or more hosts on the Internet, whereas Protocol Reverse Engineering (PRE) defines the process of extracting the structure, attributes and data from a network protocol. Enough knowledge on protocol specifications is essential for security purposes, network policy implementation and management of network resources. Protocol Reverse Engineering is a complex process intended to uncover specifications of unknown protocols. The complexity of PRE, in terms of time consumption, tediousness and error-proneness, has led to short and diverse outcomes of Protocol Reverse Engineering approaches. This paper surveys outputs of 9 PRE approaches in three divisions with methodology analysis and its possible applications. Moreover, in the introductory part we provide a general PRE literature in great depth.
Asia-Pacific Network Operations and Management Symposium | 2016
Sung-Ho Lee; Young-Hoon Goo; Baraka D. Sija; Myung-Sup Kim
Internet traffic identification is an essential preliminary step for stable service provision and efficient network management. Payload signature-based classification is considered a reliable method for Internet traffic identification. But its performance is highly dependent on the number and the structure of signatures. If the number and structural complexity of signatures are not proper, the performance of payload signature-based classification easily deteriorates. Therefore, in order to improve the performance of the identification system, it is necessary to regulate the number of signatures. In this paper, we propose a novel signature quality evaluation method to decide which signature is highly efficient for Internet traffic identification. We newly define the signature quality evaluation criteria and find the highly efficient signature through the method. Quality evaluation is performed from three different perspectives and the weight of each signature is computed through those perspectives' values. And we construct the signature map (S-MAP) to find the highly efficient signature. The proposed method achieved an approximately fourfold increased efficiency in application traffic identification.
Network Operations and Management Symposium | 2018
Young-Hoon Goo; Kyu-Seok Shim; Byeong-Min Chae; Myung-Sup Kim