Open Access

DTA-HOC: Online HTTPS Traffic Service Identification Using DNS in Large-Scale Networks

Xuemei Zeng, Xingshu Chen, Guolin Shao, Tao He, Lina Wang
Cybersecurity Research Institute, Sichuan University, Chengdu 610065, China.
College of Cybersecurity, Sichuan University, Chengdu 610065, China.
College of Computer Science, Sichuan University, Chengdu 610065, China.

Abstract

An increasing number of websites are making use of HTTPS encryption to enhance security and privacy for their users. However, HTTPS encryption makes it very difficult to identify the service over HTTPS flows, which poses challenges to network security management. In this paper we present DTA-HOC, a novel DNS-based two-level association HTTPS traffic online service identification method for large-scale networks, which correlates HTTPS flows with DNS flows using big data stream processing and association technologies to label the service in an HTTPS flow with a specific associated domain name. DTA-HOC has been specifically designed to address three practical challenges in the service identification process: domain name ambiguity, domain name query invisibility, and data association time window size contradictions. Several experiments on datasets collected from a 10-Gbps campus network are conducted alongside offline and online testing. Results show that DTA-HOC can achieve an average online association rate on HTTPS traffic of 83% and a generic accuracy of 86.16%. Its processing time for one minute of data is less than 20 seconds. These results indicate that DTA-HOC is an efficient method for online identification of services in HTTPS flows for large-scale networks. Moreover, our proposed method can contribute to the identification of other applications which make a Domain Name System (DNS) communication before establishing a connection.
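
The following sketch is an added illustration of DNS-to-flow association and of the three challenges named in the abstract; it is not the DTA-HOC algorithm or code from the paper. The two matching levels used here (client and server pair first, server IP alone as fallback), the window values, and all records are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample data, not taken from the paper's campus-network dataset.
# DNS answers: (time_s, client_ip, queried_name, resolved_server_ip)
DNS = [
    (100.0, "10.0.0.5", "mail.example.org", "203.0.113.10"),
    (101.0, "10.0.0.5", "cdn.example.net", "203.0.113.20"),
    (102.0, "10.0.0.6", "img.example.net", "203.0.113.20"),
    (103.0, "10.0.0.7", "video.example.com", "203.0.113.30"),
]
# HTTPS flows: (start_s, client_ip, server_ip)
FLOWS = [
    (100.5, "10.0.0.5", "203.0.113.10"),  # client's own query was observed
    (150.0, "10.0.0.8", "203.0.113.20"),  # query invisible; shared server IP
    (500.0, "10.0.0.7", "203.0.113.30"),  # flow starts long after the query
]

def label_flows(dns, flows, window_s=300.0):
    """Return one (level, best_name, candidate_names) tuple per flow.

    Level 1 matches on (client, server); level 2 (assumed fallback) matches on
    server IP alone; level 0 means no DNS answer fell inside the window.
    """
    by_pair, by_server = defaultdict(list), defaultdict(list)
    for ts, client, name, server in dns:
        by_pair[(client, server)].append((ts, name))
        by_server[server].append((ts, name))

    def recent(records, start):
        # Answers seen at most window_s seconds before the flow, oldest first.
        return sorted(r for r in records if 0 <= start - r[0] <= window_s)

    results = []
    for start, client, server in flows:
        level, hits = 1, recent(by_pair.get((client, server), []), start)
        if not hits:
            level, hits = 2, recent(by_server.get(server, []), start)
        if not hits:
            results.append((0, None, []))
            continue
        # More than one candidate name means the label is ambiguous.
        results.append((level, hits[-1][1], sorted({n for _, n in hits})))
    return results

def association_rate(results):
    """Fraction of flows that received any domain label."""
    return sum(1 for level, _, _ in results if level) / len(results)

if __name__ == "__main__":
    for window in (300.0, 600.0):
        print(window, label_flows(DNS, FLOWS, window), sep="\t")
```

Widening the window from 300 s to 600 s labels the third flow, which raises the association rate but also admits older DNS answers that may no longer describe the server.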

Tsinghua Science and Technology
Pages 239-254
Cite this article:
Zeng X, Chen X, Shao G, et al. DTA-HOC: Online HTTPS Traffic Service Identification Using DNS in Large-Scale Networks. Tsinghua Science and Technology, 2020, 25(2): 239-254. https://doi.org/10.26599/TST.2019.9010008


Received: 07 October 2018
Revised: 28 January 2019
Accepted: 04 March 2019
Published: 02 September 2019
© The author(s) 2020

The articles published in this open access journal are distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/).
