Advertisement

SFMap: Inferring Services over Encrypted Web Flows Using Dynamical Domain Name Graphs

  • Tatsuya MoriEmail author
  • Takeru Inoue
  • Akihiro Shimoda
  • Kazumichi Sato
  • Keisuke Ishibashi
  • Shigeki Goto
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9053)

Abstract

Most modern Internet services are carried over the web. A significant amount of web transactions is now encrypted and the transition to encryption has made it difficult for network operators to understand traffic mix. The goal of this study is to enable network operators to infer hostnames within HTTPS traffic because hostname information is useful to understand the breakdown of encrypted web traffic. The proposed approach correlates HTTPS flows and DNS queries/responses. Although this approach may appear trivial, recent deployment and implementation of DNS ecosystems have made it a challenging research problem; i.e., canonical name tricks used by CDNs, the dynamic and diverse nature of DNS TTL settings, and incomplete measurements due to the existence of various caching mechanisms. To tackle these challenges, we introduce domain name graph (DNG), which is a formal expression that characterizes the highly dynamic and diverse nature of DNS mechanisms. Furthermore, we have developed a framework called Service-Flow map (SFMap) that works on top of the DNG. SFMap statistically estimates the hostname of an HTTPS server, given a pair of client and server IP addresses. We evaluate the performance of SFMap through extensive analysis using real packet traces collected from two locations with different scales. We demonstrate that SFMap establishes good estimation accuracies and outperforms a state-of-the-art approach.

Keywords

Cache Mechanism Likelihood Probability Incomplete Measurement Packet Trace Good Estimation Accuracy 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. 1.
    Public suffix list. https://publicsuffix.org/
  2. 2.
    Bermudez, I.N., Mellia, M., Munafo, M.M., Keralapura, R., Nucci, A.: DNS to the rescue: discerning content and services in a tangled web. In: Proc. of IMC, pp. 413–426 (2012)Google Scholar
  3. 3.
  4. 4.
    Callahan, T., Allman, M., Rabinovich, M.: On Modern DNS Behavior and Properties. SIGCOMM Comput. Commun. Rev. 43(3), 7–15 (2013)CrossRefGoogle Scholar
  5. 5.
    Korczynski, M., Duda, A.: Markov chain fingerprinting to classify encrypted traffic. In: Proc. of INFOCOM, pp. 781–789 (2014)Google Scholar
  6. 6.
    Mori, T., Kawahara, R., Hasegawa, H., Shimogawa, S.: Characterizing traffic flows originating from large-scale video sharing services. In: Ricciato, F., Mellia, M., Biersack, E. (eds.) TMA 2010. LNCS, vol. 6003, pp. 17–31. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  7. 7.
    Naylor, D., Finamore, A., Leontiadis, I., Grunenberger, Y., Mellia, M., Munafo, M., Papagiannaki, K., Steenkiste, P.: The cost of the “S” in HTTP. In: Proc. of CoNext (2014)Google Scholar
  8. 8.
    Plonka, D., Barford, P.: Flexible traffic and host profiling via DNS rendezvous. In: Proc. of SATIN (2011)Google Scholar
  9. 9.
    Sandvine. Global internet phenomena report: 1H 2014. http://bit.ly/1jHpsW5
  10. 10.
    Su, A.-J., Choffnes, D.R., Kuzmanovic, A., Bustamante, F.E.: Drafting behind akamai (travelocity-based detouring). In: Proc. of SIGCOMM, pp. 435–446 (2006)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  • Tatsuya Mori
    • 1
    Email author
  • Takeru Inoue
    • 2
  • Akihiro Shimoda
    • 3
  • Kazumichi Sato
    • 3
  • Keisuke Ishibashi
    • 3
  • Shigeki Goto
    • 1
  1. 1.Department of Computer Science and Communications EngineeringWaseda UniversityTokyoJapan
  2. 2.NTT Network Innovation LaboratoriesNTT CorporationTokyoJapan
  3. 3.NTT Network Technology LaboratoriesNTT CorporationTokyoJapan

Personalised recommendations