Real-Time Detection of Encrypted Traffic based on Entropy Estimation

This thesis investigates the topic of using entropy estimation for traffic classification. A real-time encrypted traffic detector (RT-ETD) which is able to classify traffic in encrypted and unencrypted traffic is proposed. The performance of the RT-ETD is evaluated on ground truth and real network traces. This thesis is opened by some introductory chapters on entropy, pattern recognition, user privacy and traffic classification. A real-time encrypted traffic detector which is targeted to operate in a privacy preserving environment is presented. The RT-ETD consists of several modules that can be used to customize the approach for specific needs. A customization for two different tasks is performed, where unencrypted traffic is dropped and only encrypted traffic is forwarded. The classification of the RT-ETD is solely based on information gathered from the first packet of a flow. Header fields as well as the payload are taken into account. The core concept of the RT-ETD is based on the estimation of the entropy of the payload, and a comparison of the retrieved value to the entropy of a uniform distributed payload. Based on ground truth traces with encrypted traffic and real network traces it is shown that the RT-ETD is able to filter out a large fraction of unencrypted traffic, whereas a large fraction of encrypted flows is forwarded. The optimal parameterisation of the RTETD depends on the trade-off between detection performance and privacy preservation.