MaMPF: Encrypted Traffic Classification Based on Multi-Attribute Markov Probability Fingerprints

With the explosion of network applications, network anomaly detection and security management face a big challenge, of which the first and a fundamental step is traffic classification. However, for the sake of user privacy, encrypted communication protocols, e.g. the SSL/TLS protocol, are extensively used, which results in the ineffectiveness of traditional rule-based classification methods. Existing methods cannot have a satisfactory accuracy of encrypted traffic classification because of insufficient distinguishable characteristics. In this paper, we propose the Multi-attribute Markov Probability Fingerprints (MaMPF), for encrypted traffic classification. The key idea behind MaMPF is to consider multi-attributes, which includes a critical feature, namely “length block sequence” that captures the time-series packet lengths effectively using power-law distributions and relative occurrence probabilities of all considered applications. Based on the message type and length block sequences, Markov models are trained and the probabilities of all the applications are concatenated as the fingerprints for classification. MaMPF achieves 96.4% TPR and 0.2% FPR performance on a real-world dataset from campus network (including 950,000+ encrypted traffic flows and covering 18 applications), and outperforms the state-of-the-art methods.