A Hybrid Method based on Statistical Features and Packet Content Analysis to Identify Major Network Tunneling Protocols

Abstract

Network traffic identification is an essential component for effective network analysis and management. Signature-based and machine learning techniques are the two most important methods in network traffic analysis. Due to the strengths and weaknesses of these two approaches, their combination can strengthen them and remove the weaknesses of each in detection process. In this article, a hybrid method is introduced, to identify major network tunneling protocols. This method can detect the well-known tunneling protocols by combining signature-based methods and statistical analysis techniques through a clustering algorithm. In this proposed method, the clustering process is refined by the feedback of signature-base method. Since, in semi-supervised clustering, it is important to gain most informative data to improve the clustering performance, in the proposed clustering method, a new active learning approach is introduced for selecting informative constraints. In this hybrid method, four tunneling protocols (L2TP, PPTP, IPsec and OpenVPN) are applied. The obtained results indicate that this proposed hybrid method significantly increases accuracy and cluster purity, and these protocols are identified with high accuracy and low processing cost.