The Journal of Korean Institute of Communications and Information Sciences (한국통신학회논문지)

The Korean Institute of Commucations and Information Sciences (한국통신학회)
권호 표지
DOI QR코드

DOI QR Code

Service Identification Method for Encrypted Traffic Based on SSL/TLS

SSL/TLS 기반 암호화 트래픽의 서비스 식별 방법

  • Kim, Sung-Min (Dept. of Computer and Information Science, Korea University) ;
  • Park, Jun-Sang (Dept. of Computer and Information Science, Korea University) ;
  • Yoon, Sung-Ho (Dept. of Computer and Information Science, Korea University) ;
  • Kim, Jong-Hyun (Network Security Research Section, Cyber Security Research Laboratory, ETRI) ;
  • Choi, Sun-Oh (Network Security Research Section, Cyber Security Research Laboratory, ETRI) ;
  • Kim, Myung-Sup (Dept. of Computer and Information Science, Korea University)
  • Received : 2015.03.05
  • Accepted : 2015.11.04
  • Published : 2015.11.30
Download PDF
⟨ Previous Next ⟩

Abstract

The SSL/TLS, one of the most popular encryption protocol, was developed as a solution of various network security problem while the network traffic has become complex and diverse. But the SSL/TLS traffic has been identified as its protocol name, not its used services, which is required for the effective network traffic management. This paper proposes a new method to generate service signatures automatically from SSL/TLS payload data and to classify network traffic in accordance with their application services. We utilize the certificate publication information field in the certificate exchanging record of SSL/TLS traffic for the service signatures, which occurs when SSL/TLS performs Handshaking before encrypt transmission. We proved the performance and feasibility of the proposed method by experimental result that classify about 95% SSL/TLS traffic with 95% accuracy for every SSL/TLS services.

네트워크 트래픽이 복잡, 다양해짐에 따라 발생하는 네트워크 보안문제 해결을 위해 다양한 암호화 프로토콜 중 하나인 SSL/TLS가 널리 사용되고 있다. 하지만 현재의 트래픽 분석 시스템은 암호화 트래픽을 프로토콜 레벨에 한정적으로 분석하고 있는 실정이다. 효과적인 네트워크 자원 관리를 위해서는 암호화 트래픽에 대한 서비스 단위 분석이 요구된다. 본 논문에서는 SSL/TLS 암호화 응용 트래픽의 페이로드 시그니쳐를 자동으로 추출하고, 이를 바탕으로 네트워크 트래픽 상에서 SSL/TLS 응용 서비스를 식별하는 방법을 제안한다. 이는 암호화 세션이 맺어질 때 초기에 발생하는 SSL/TLS Handshake 중 인증서 교환 레코드의 인증서 발행 대상정보를 시그니쳐로 이용하여 서비스를 식별을 하는 것이다. 본 논문에서 제안하는 방법은 95%에 가까운 SSL/TLS 트래픽을 분석 하였으며, 이 때 추출한 시그니쳐를 별도의 트래픽 트레이스에 적용시켜 각 서비스 별로 최대 95%의 정확도를 내어 그 성능과 가능성을 증명하였다.

Keywords

References

  1. RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2, Retrieved 16, Feb. 2015, https://tools.ietf.org/html/rfc5246
  2. K.-L. Kim, M.-S. Kim, and H. Kim, "SSH traffic identification using EM clustering," J. KICS, vol. 37, no. 12, pp. 1160-1167, 2012.
  3. J.-S. Park, S.-H. Yoon, Y. Won, and M.-S. Kim, "A lightweight software model for signature-based application-level traffic classification system," IEICE Trans. Inf. Syst., vol. 97, no. 10, pp. 2697-2705, 2014.
  4. S.-H. Yoon, J.-S. Park, and M.-S. Kim, "Header signature maintenance for internet traffic identification," KNOM Rev., vol. 16, no. 1, Jul. 2013.
  5. J.-S. Park, S.-H. Yoon, and M.-S. Kim, "Performance improvement of the payload signature based traffic classification system using application traffic locality," J. KICS, vol. 38, no. 7, pp. 519-525, 2013.
  6. H.-M. An, J.-H. Ham, and M.-S. Kim, "Performance improvement of the statistical information based traffic identification system," KIPS Trans. Computer and Commun. Syst.(KTCCS), vol. 2, no. 8, pp. 335-342, Aug. 2013. https://doi.org/10.3745/KTCCS.2013.2.8.335
  7. C. McCarthy and A. N. Zincir-Heywood, "An investigation on identifying SSL traffic," 2011 IEEE Symp. CISDA, pp. 115-122, Paris, France, Apr. 2011.
  8. S.-H. Kong and J.-Y. Lee, "Effective contents delivery system using service adaptive network architecture(SaNA)," J. KICS, vol. 39, no. 6, pp. 406-413, 2014.

Cited by

  1. SSLmTCP 핸드쉐이크 : SSL 핸드쉐이크를 포함하는 TCP 3-단계 핸드쉐이크 vol.42, pp.3, 2015, https://doi.org/10.7840/kics.2017.42.3.595
  2. HTTPS 웹 사이트 차단의 익명성 제공 방안 연구 vol.15, pp.1, 2015, https://doi.org/10.17662/ksdim.2019.15.1.053