Description

Classify to which ‘traffic class’ a given network flow belongs, based on metadata only, when the flow runs over a VPN. A traffic class should be understood as a flow of a specific protocol, such as SSH, SMTP or HTTPS, running on top of a VPN while the user is connected to one. More colloquially, create a ‘Shazam’-like classifier for protocol detection over encrypted network flows. Specifically, a complete system, in the form of a proof of concept, should be designed and evaluated.

When such a system is working, an extension can be made to classify what flows belong to the visit of a certain website over HTTPS (not running on top of a VPN). However, this is a bonus.
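To make the idea concrete: inside a VPN tunnel every packet goes to the same endpoint, so addresses, ports and payload reveal nothing, and only the shape of the flow (packet sizes, direction, timing) remains. The following is an added illustration, not code from the project described above: it extracts such shape features from a flow and classifies it with a nearest-centroid model. The three traffic shapes (SSH, HTTPS, SMTP) are constructed caricatures generated by `make_flow`, not captured data, and the `Packet` record, feature set and `CentroidClassifier` are assumptions made for this example.

```python
"""Protocol classification over a VPN tunnel from flow metadata only.

Added example, not part of the original project description. The flows below
are constructed caricatures of SSH, HTTPS and SMTP traffic, not real captures.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
import math

# Feature order used for every vector handed to the classifier.
FEATURES = ["mean_size", "std_size", "up_frac", "down_bytes_frac", "mean_gap"]


@dataclass
class Packet:
    t: float    # seconds since the first packet of the flow
    up: bool    # True = client -> VPN server, False = server -> client
    size: int   # packet length in bytes (length is visible even when encrypted)


def make_flow(kind, variant):
    """Constructed flows, deterministic in `variant` (an int in 0..9).

    ssh  : interactive, alternating small packets with human-speed gaps
    https: one ClientHello-sized upstream packet, then a large download
    smtp : bulk upstream message body with small server replies
    """
    flow = []
    if kind == "ssh":
        for i in range(20):
            flow.append(Packet(i * 0.3, i % 2 == 0, 40 + (i * 7 + variant * 3) % 40))
    elif kind == "https":
        for i in range(30):
            if i == 0:
                flow.append(Packet(0.0, True, 517))
            elif i % 8 == 0:
                flow.append(Packet(i * 0.01, True, 60))       # small upstream ACK-like packet
            else:
                flow.append(Packet(i * 0.01, False, 1400 - variant * 5))
    elif kind == "smtp":
        for i in range(30):
            if i % 8 == 7:
                flow.append(Packet(i * 0.02, False, 50))      # short server reply
            else:
                flow.append(Packet(i * 0.02, True, 1400 - variant * 5))
    else:
        raise ValueError(kind)
    return flow


def features(flow):
    """Shape-only features: nothing here depends on addresses, ports or payload."""
    sizes = [p.size for p in flow]
    down_bytes = sum(p.size for p in flow if not p.up)
    gaps = [b.t - a.t for a, b in zip(flow, flow[1:])]
    return {
        "mean_size": mean(sizes),
        "std_size": pstdev(sizes),
        "up_frac": sum(p.up for p in flow) / len(flow),
        "down_bytes_frac": down_bytes / sum(sizes),
        "mean_gap": mean(gaps) if gaps else 0.0,
    }


class CentroidClassifier:
    """Min-max scale each feature on the training set, then pick the nearest class centroid."""

    def __init__(self):
        self.lo, self.hi, self.centroids = {}, {}, {}

    def fit(self, labelled_flows):
        vecs = [(label, features(f)) for label, f in labelled_flows]
        for k in FEATURES:
            vals = [v[k] for _, v in vecs]
            self.lo[k], self.hi[k] = min(vals), max(vals)
        by_label = {}
        for label, v in vecs:
            by_label.setdefault(label, []).append(self._scale(v))
        self.centroids = {label: [mean(col) for col in zip(*rows)]
                          for label, rows in by_label.items()}
        return self

    def _scale(self, v):
        return [(v[k] - self.lo[k]) / ((self.hi[k] - self.lo[k]) or 1.0) for k in FEATURES]

    def predict(self, flow):
        x = self._scale(features(flow))
        return min(self.centroids, key=lambda lbl: math.dist(x, self.centroids[lbl]))


def demo():
    """Train on three variants per class, then classify an unseen variant of each."""
    train = [(k, make_flow(k, v)) for k in ("ssh", "https", "smtp") for v in range(3)]
    clf = CentroidClassifier().fit(train)
    return {k: clf.predict(make_flow(k, 7)) for k in ("ssh", "https", "smtp")}


if __name__ == "__main__":
    print(demo())
```

The point of the example is which information the classifier is allowed to use: `features` sees only lengths, directions and inter-arrival gaps, exactly what an observer of the tunnel sees. A real system would replace the caricature flows with labelled captures and the centroid model with a stronger learner, but the feature extraction stage is where the metadata leak is actually exploited.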

Phases

The project will consist of three phases:

  1. In the first phase, a review of existing approaches for encrypted traffic classification will be made. (~1 month)
  2. In the second phase, a potential system will be designed and implemented. This system should classify what protocol is running on top of a VPN. (~3 months)
  3. If phase 2 was successful and time permits, the system will be extended to include an HTTPS traffic classifier for webpages.

In today’s pentest and red teaming engagements, AV and EDR solutions are one of the most common and annoying obstacles to gaining an initial foothold in the target systems.

Nevertheless, these solutions can usually be bypassed using sophisticated or customized malware/hacking tools. But this approach often takes a lot of time.

Requirements

  • Good understanding of networks and Linux.
  • Good understanding of systems, or the motivation to learn.
  • Low-level software development skills are a plus.
  • Experience in CUDA is a plus.
  • Mindset to learn the additional skills.