Classification de flux applicatifs et détection d'intrusion dans le trafic Internet

Abstract : The subject of traffic classification is of great importance for effective network planning, policy-based traffic management, application prioritization, and security control. Although it has received substantial attention in the research community, there are still many unresolved issues, for example how to classify encrypted traffic flows. This thesis is composed of four parts. The first part presents some theoretical aspects related to traffic classification and intrusion detection, while in the following three parts we tackle specific classification problems and propose accurate solutions.

In the second part, we propose an accurate sampling scheme for detecting SYN flooding attacks as well as TCP portscan activity. The scheme examines TCP segments to find at least one of multiple ACK segments coming from the server. The method is simple and scalable, because it achieves a good detection with a False Positive Rate close to zero even for very low sampling rates. Our trace-based simulations show that the effectiveness of the proposed scheme only relies on the sampling rate regardless of the sampling method.

In the third part, we consider the problem of detecting Skype traffic and classifying Skype service flows such as voice calls, SkypeOut, video conferences, chat, file upload and download. We propose a classification method for Skype encrypted traffic based on the Statistical Protocol IDentification (SPID) that analyzes statistical values of some traffic attributes. We have evaluated our method on a representative dataset to show excellent performance in terms of Precision and Recall.

The last part defines a framework based on two complementary methods for classifying application flows encrypted with TLS/SSL. The first one models TLS/SSL session states as a first-order homogeneous Markov chain. The parameters of the Markov models for each considered application differ a lot, which is the basis for accurate discrimination between applications. The second classifier considers the deviation between the timestamp in the TLS/SSL Server Hello message and the packet arrival time. It improves the accuracy of application classification and allows efficient identification of Skype flows. We combine the methods using a Naive Bayes Classifier (NBC). We validate the framework with experiments on three recent datasets; we apply our methods to the classification of seven popular applications that use TLS/SSL for security. The results show a very good performance.
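The first TLS/SSL classifier described in the abstract, a first-order Markov chain over session states, as an added illustration that is not code from the thesis: the state abbreviations, the training flows and the additive smoothing are assumptions constructed for this example.

```python
from collections import Counter, defaultdict
from math import log

START, END = "<start>", "<end>"

# Constructed sample data (not from the thesis): each flow is the sequence of
# TLS/SSL message types seen in one session. Assumed abbreviations:
# CH ClientHello, SH ServerHello, CERT Certificate, SHD ServerHelloDone,
# CKE ClientKeyExchange, CCS ChangeCipherSpec, FIN Finished, APP ApplicationData.
TRAINING = {
    "full-handshake-app": [
        ["CH", "SH", "CERT", "SHD", "CKE", "CCS", "FIN", "CCS", "FIN", "APP", "APP", "APP"],
        ["CH", "SH", "CERT", "SHD", "CKE", "CCS", "FIN", "CCS", "FIN", "APP", "APP"],
    ],
    "resumed-session-app": [
        ["CH", "SH", "CCS", "FIN", "CCS", "FIN", "APP", "APP", "APP", "APP"],
        ["CH", "SH", "CCS", "FIN", "CCS", "FIN", "APP", "APP", "APP"],
    ],
}


def train_markov(flows, alpha=0.5):
    """Estimate first-order transition probabilities P(b | a) from labelled flows.
    Additive smoothing (alpha) keeps transitions unseen in training from
    pushing a log-likelihood to minus infinity."""
    counts = defaultdict(Counter)
    states = {START, END}
    for flow in flows:
        seq = [START] + flow + [END]
        states.update(seq)
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    n = len(states)
    return {a: {b: (counts[a][b] + alpha) / (sum(counts[a].values()) + alpha * n)
                for b in states} for a in states}


def log_likelihood(model, flow, floor=1e-6):
    """Log-probability of a flow under one application's chain; states the
    model never saw get a small floor probability instead of zero."""
    seq = [START] + flow + [END]
    return sum(log(model.get(a, {}).get(b, floor)) for a, b in zip(seq, seq[1:]))


def classify(models, flow):
    """Return the application whose Markov model best explains the flow."""
    scores = {app: log_likelihood(m, flow) for app, m in models.items()}
    return max(scores, key=scores.get), scores


MODELS = {app: train_markov(flows) for app, flows in TRAINING.items()}
```

In the thesis the timestamp-deviation classifier and this one are combined with a Naive Bayes classifier; here only the Markov likelihoods are compared.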
Document type :
Theses

Cited literature : 99 references

https://tel.archives-ouvertes.fr/tel-00858571
Contributor : Abes Star
Submitted on : Thursday, September 5, 2013 - 3:41:23 PM
Last modification on : Thursday, November 19, 2020 - 12:59:57 PM
Long-term archiving on : Friday, December 6, 2013 - 4:25:00 AM

File

Thesis-embedded_na_delosie.pdf
Version validated by the jury (STAR)

Identifiers

  • HAL Id : tel-00858571, version 1

Collections

STAR | CNRS | LIG | UGA

Citation

Maciej Korczynski. Classification de flux applicatifs et détection d'intrusion dans le trafic Internet. Autre [cs.OH]. Université de Grenoble, 2012. Français. ⟨NNT : 2012GRENM087⟩. ⟨tel-00858571⟩

Metrics

  • Record views : 1221
  • Files downloads : 1685