Conference paper
Network forensic of partial SSL/TLS encrypted traffic classification using clustering-algorithms
Full text URI
Document type
Text/Conference Paper
Additional information
Date
2008
Authors
Journal title
Journal ISSN
Volume title
Publisher
Gesellschaft für Informatik e.V.
Abstract
Machine learning tools have long been used in network traffic analysis, but their application to the network forensics domain and its specific issues has been limited thus far. We investigate the applicability of several common machine learning techniques to identify and classify partially encrypted traffic as may be encountered by forensic investigators confronted only with partial post-hoc traces. It is highly desirable to identify the types of applications and endpoints using such tunnels to facilitate further forensic investigation. In this paper, we therefore examine several clustering algorithms, namely DBSCAN (Density-Based Spatial Clustering of Applications with Noise), K-means, and EM (Expectation-Maximization), with regard to their ability to classify partially encrypted traffic using inter-arrival time and TCP length information, features chosen for their predictive significance. Our experiments demonstrate promising classification results.
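The abstract's premise is that timing and size are the only features that survive encryption, so flows inside a TLS tunnel can still be grouped by behaviour. The following added example (not code from the paper or its authors) shows the pipeline on the smallest scale: extract the two feature families the abstract names, mean inter-arrival time and mean TCP payload length, per flow; scale them to a common range; then run K-means, one of the three algorithms studied. The packet traces, the flow names, the two traffic classes (bulk download versus keystroke-style interactive session) and the deterministic farthest-point initialisation are all constructed assumptions for illustration; the paper's data set, parameters and DBSCAN/EM variants are not reproduced.

```python
"""Cluster partially encrypted TCP flows by timing and size features only.

Added example: per-flow feature extraction plus a stdlib-only K-means over
(mean inter-arrival time, mean TCP payload length). Everything below is
constructed for illustration and is not the paper's data or code.
"""
from __future__ import annotations

# Constructed per-flow packet records: (timestamp in seconds, TCP payload bytes).
# "bulk-*" flows mimic a large download through a tunnel (back-to-back, near-MSS
# segments); "interactive-*" flows mimic a keystroke-style session (small
# segments separated by human-scale pauses). Only the encrypted record sizes
# and timestamps are used, as a forensic analyst with a partial trace would have.
CONSTRUCTED_FLOWS = {
    "bulk-1": [(0.002 * i, 1448) for i in range(20)],
    "bulk-2": [(0.003 * i, 1400 if i % 2 else 1448) for i in range(20)],
    "bulk-3": [(0.0015 * i, 1448) for i in range(20)],
    "interactive-1": [(0.25 * i, 48 + (i % 3) * 16) for i in range(20)],
    "interactive-2": [(0.40 * i, 64) for i in range(20)],
    "interactive-3": [(0.18 * i, 32 + (i % 2) * 32) for i in range(20)],
}


def flow_features(packets):
    """Return (mean inter-arrival time in seconds, mean payload length in bytes)."""
    if len(packets) < 2:
        raise ValueError("need at least two packets to compute inter-arrival times")
    times = [t for t, _ in packets]
    iats = [later - earlier for earlier, later in zip(times, times[1:])]
    lengths = [n for _, n in packets]
    return (sum(iats) / len(iats), sum(lengths) / len(lengths))


def minmax_scale(vectors):
    """Scale each dimension to [0, 1] so seconds and bytes carry equal weight."""
    dims = len(vectors[0])
    lo = [min(v[d] for v in vectors) for d in range(dims)]
    hi = [max(v[d] for v in vectors) for d in range(dims)]

    def scale(v):
        return tuple(
            (v[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0
            for d in range(dims)
        )

    return [scale(v) for v in vectors]


def _dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def _init_centroids(vectors, k):
    # Deterministic farthest-point seeding (an assumption of this example):
    # start at the first vector, then repeatedly pick the point farthest from
    # its nearest existing centroid. Avoids the random-seed luck of plain K-means.
    centroids = [vectors[0]]
    while len(centroids) < k:
        far = max(vectors, key=lambda v: min(_dist2(v, c) for c in centroids))
        centroids.append(far)
    return centroids


def kmeans(vectors, k, max_iter=100):
    """Lloyd's algorithm; returns (labels, centroids)."""
    centroids = _init_centroids(vectors, k)
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda c: _dist2(v, centroids[c])) for v in vectors]
        if new_labels == labels:  # assignments stable: converged
            break
        labels = new_labels
        for c in range(k):
            members = [v for v, lab in zip(vectors, labels) if lab == c]
            if members:  # an emptied cluster keeps its previous centroid
                centroids[c] = tuple(
                    sum(m[d] for m in members) / len(members) for d in range(len(members[0]))
                )
    return labels, centroids


def cluster_flows(flows, k=2):
    """Map each flow name to its cluster label using only timing/size features."""
    names = list(flows)
    raw = [flow_features(flows[name]) for name in names]
    labels, _ = kmeans(minmax_scale(raw), k)
    return dict(zip(names, labels))


if __name__ == "__main__":
    for name, label in cluster_flows(CONSTRUCTED_FLOWS).items():
        iat, length = flow_features(CONSTRUCTED_FLOWS[name])
        print(f"{name:14s} mean_iat={iat:.4f}s mean_len={length:7.1f}B -> cluster {label}")
```

The scaling step is the part most often skipped in practice: inter-arrival times in seconds and segment lengths in bytes differ by several orders of magnitude, and without normalisation K-means effectively clusters on length alone. Note also that K-means has no notion of noise; a flow that matches neither behaviour is still forced into a cluster, which is the motivation for comparing against DBSCAN as the abstract does.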