
Classification of application flows and intrusion detection in Internet traffic

Abstract: The subject of traffic classification is of great importance for effective network planning, policy-based traffic management, application prioritization, and security control. Although it has received substantial attention in the research community, there are still many unresolved issues, for example how to classify encrypted traffic flows. This thesis is composed of four parts. The first part presents some theoretical aspects related to traffic classification and intrusion detection, while in the following three parts we tackle specific classification problems and propose accurate solutions.

In the second part, we propose an accurate sampling scheme for detecting SYN flooding attacks as well as TCP portscan activity. The scheme examines TCP segments to find at least one of multiple ACK segments coming from the server. The method is simple and scalable, because it achieves a good detection with a False Positive Rate close to zero even for very low sampling rates. Our trace-based simulations show that the effectiveness of the proposed scheme only relies on the sampling rate regardless of the sampling method.

In the third part, we consider the problem of detecting Skype traffic and classifying Skype service flows such as voice calls, skypeOut, video conferences, chat, file upload and download. We propose a classification method for Skype encrypted traffic based on the Statistical Protocol IDentification (SPID) that analyzes statistical values of some traffic attributes. We have evaluated our method on a representative dataset to show excellent performance in terms of Precision and Recall.

The last part defines a framework based on two complementary methods for classifying application flows encrypted with TLS/SSL. The first one models TLS/SSL session states as a first-order homogeneous Markov chain. The parameters of the Markov models for each considered application differ a lot, which is the basis for accurate discrimination between applications. The second classifier considers the deviation between the timestamp in the TLS/SSL Server Hello message and the packet arrival time. It improves the accuracy of application classification and allows efficient identification of Skype flows. We combine the methods using a Naive Bayes Classifier (NBC). We validate the framework with experiments on three recent datasets—we apply our methods to the classification of seven popular applications that use TLS/SSL for security. The results show a very good performance.
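The abstract's last part describes two features combined by a naive Bayes classifier: a first-order Markov chain over TLS/SSL session states per application, and the deviation between the Server Hello timestamp and the packet arrival time. The following is an added illustration of that idea, not code from the thesis: it takes the visible handshake message types of a flow as the Markov states, estimates one transition matrix per application with additive smoothing, models the timestamp deviation per application as a Gaussian (an assumption made here for the example; the thesis does not state which density it uses), and sums log-likelihoods with a log prior. The application labels, message-type sequences and deviation values are all constructed training data, not measurements from the thesis's datasets.

```python
"""Added example, not the thesis's own code: a first-order Markov chain over
TLS/SSL handshake message types plus a Server Hello timestamp-deviation feature,
combined as a naive Bayes product. All flows, labels and deviations are constructed."""
import math
from collections import defaultdict

START = "START"  # virtual initial state that every session starts from


def train_markov(sequences, alpha=1.0):
    """Transition matrix P(next | current) estimated from labelled sequences,
    with additive (Laplace) smoothing so no seen state has a zero-probability successor."""
    states = {START} | {m for seq in sequences for m in seq}
    counts = defaultdict(lambda: defaultdict(int))
    for seq in sequences:
        prev = START
        for m in seq:
            counts[prev][m] += 1
            prev = m
    model = {}
    for a in states:
        total = sum(counts[a].values()) + alpha * len(states)
        model[a] = {b: (counts[a][b] + alpha) / total for b in states}
    return model


def markov_log_likelihood(model, seq, floor=1e-6):
    """log P(seq | model); a message type never seen for this application gets `floor`."""
    ll, prev = 0.0, START
    for m in seq:
        ll += math.log(model.get(prev, {}).get(m, floor))
        prev = m
    return ll


def train_gaussian(values):
    """Mean/variance of the Server Hello timestamp deviation (seconds) for one application."""
    n = len(values)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / n
    return mean, max(var, 1e-9)  # guard against a class whose deviations are all equal


def gaussian_log_pdf(x, mean, var):
    return -0.5 * math.log(2 * math.pi * var) - (x - mean) ** 2 / (2 * var)


def train(training):
    """training: {app: {"sequences": [...], "ts_dev": [...]}} -> fitted per-application models."""
    n_flows = sum(len(d["sequences"]) for d in training.values())
    return {
        app: {
            "prior": math.log(len(d["sequences"]) / n_flows),
            "markov": train_markov(d["sequences"]),
            "gauss": train_gaussian(d["ts_dev"]),
        }
        for app, d in training.items()
    }


def scores(models, seq, ts_dev):
    """Naive Bayes: log prior + log P(seq | app) + log p(ts_dev | app),
    treating the two features as conditionally independent given the application."""
    return {
        app: m["prior"]
        + markov_log_likelihood(m["markov"], seq)
        + gaussian_log_pdf(ts_dev, *m["gauss"])
        for app, m in models.items()
    }


def classify(models, seq, ts_dev):
    s = scores(models, seq, ts_dev)
    return max(s, key=s.get)


# Constructed handshake shapes (message types as seen on the wire, before encryption).
FULL = ["ClientHello", "ServerHello", "Certificate", "ServerHelloDone",
        "ClientKeyExchange", "ChangeCipherSpec", "Finished", "ChangeCipherSpec", "Finished"]
RESUMED = ["ClientHello", "ServerHello", "ChangeCipherSpec", "Finished",
           "ChangeCipherSpec", "Finished"]
DHE = ["ClientHello", "ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone",
       "ClientKeyExchange", "ChangeCipherSpec", "Finished", "ChangeCipherSpec", "Finished"]
AD = ["ApplicationData"]

# Constructed training set: three hypothetical applications. "p2p_voip" is given a
# Server Hello timestamp that bears no relation to wall-clock time (large deviations).
TRAINING = {
    "web_browser": {"sequences": [FULL + AD * 4, FULL + AD * 6, RESUMED + AD * 5],
                    "ts_dev": [0.2, 1.5, -0.8, 0.4]},
    "mail_client": {"sequences": [RESUMED + AD * 2, RESUMED + AD * 3, RESUMED + AD * 2],
                    "ts_dev": [0.1, -0.3, 0.6, 0.0]},
    "p2p_voip": {"sequences": [DHE + AD * 3, DHE + AD * 2, DHE + AD * 3],
                 "ts_dev": [86400.0, 3.2e6, -5.0e5, 1.1e7]},
}
MODELS = train(TRAINING)

if __name__ == "__main__":
    for seq, dev in [(FULL + AD * 5, 0.3), (RESUMED + AD * 2, 0.1),
                     (DHE + AD * 3, 2.5e6), (RESUMED + AD * 3, 4.0e6)]:
        print(len(seq), "messages, deviation", dev, "->", classify(MODELS, seq, dev))
```

The last constructed test flow has the handshake shape of the mail client but a timestamp deviation of weeks; the Gaussian term then dominates the Markov term and the flow is assigned to the application whose Server Hello timestamps are unrelated to arrival time, which is the effect the abstract attributes to the second classifier.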

Cited literature: 99 references
Contributor: ABES STAR
Submitted on: Thursday, September 5, 2013 - 3:41:23 PM
Last modification on: Wednesday, July 6, 2022 - 4:21:04 AM
Long-term archiving on: Friday, December 6, 2013 - 4:25:00 AM


Version validated by the jury (STAR)


  • HAL Id: tel-00858571, version 1



Maciej Korczynski. Classification de flux applicatifs et détection d'intrusion dans le trafic Internet. Autre [cs.OH]. Université de Grenoble, 2012. Français. ⟨NNT : 2012GRENM087⟩. ⟨tel-00858571⟩


