Title: Network forensic of partial SSL/TLS encrypted traffic classification using clustering-algorithms
Contributors: Wu, Meng-Da; Wolthusen, Stephen D.; Göbel, Oliver; Frings, Sandra; Günther, Detlef; Nedon, Jens; Schadt, Dirk
Dates: 2019-06-04; 2019-06-04; 2008
ISBN: 978-3-88579-234-5
ISSN: 1617-5468
URL: https://dl.gi.de/handle/20.500.12116/23590
Type: Text/Conference Paper
Language: en

Abstract: Machine learning tools have long been used in network traffic analysis, but their application to the network forensics domain and its specific issues has been limited thus far. We investigate the applicability of several common machine learning techniques to identify and classify partially encrypted traffic as may be encountered by forensic investigators confronted only with partial post-hoc traces. It is highly desirable to identify the types of applications and endpoints using such tunnels to facilitate further forensic investigation. In this paper, we therefore examine several clustering algorithms, namely DBSCAN (Density-Based Spatial Clustering of Applications with Noise), K-means, and EM (Expectation-Maximization), with regard to their ability to classify encrypted partial traffic using inter-arrival time and TCP length information chosen for its predictive significance. Our experiments demonstrate promising classification results.