Background

Application activity in networks is often monitored for network management and security purposes. While the increasing use of network traffic encryption, e.g. using TLS, benefits confidentiality, it complicates the classification of application traffic in the network. In theory, a good encryption algorithm should produce ciphertexts that look random and hence make all applications look similar on the network layer. Yet some researchers claim that the randomness of widespread ciphers is not as good as expected (1,2). They identified differences due to the use of different cipher algorithms (e.g., AES-GCM, AES-CBC, CHA20, ARC4, 3DES), key lengths and library versions. Because applications used different cipher configurations, the researchers claim, the applications remain detectable even in encrypted traffic.

Goal of the project

The goal of this thesis is to confirm or refute the claim of suboptimal randomness in encrypted network traffic. Statistical tests used by NIST to scrutinize random number generators (3) should be used to analyze the randomness of various ciphers and quantum random sources (4). In a test setup, traffic from real applications should be captured and analyzed. Differences between lab setups and real network conditions should be explored: How do platform environments (e.g., encryption services on Android) and modern protocols such as HTTP/3 influence results? What is the impact of the application protocol that is encrypted (e.g., video streaming versus small infrequent messages)? Could this be used to detect different VPN solutions?
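To make the kind of test concrete, here is an added example (not part of the project or its existing pipeline) of two tests from the NIST statistical test suite, assuming reference (3) means NIST SP 800-22: the frequency (monobit) test and the runs test. The function names and the plaintext sample are constructed for illustration; the 100-bit sequence is the worked example from the NIST document.

```python
import math

# Example input from NIST SP 800-22, sections 2.1.8 and 2.3.8 (100 bits).
NIST_BITS = [int(c) for c in (
    "11001001000011111101101010100010001000010110100011"
    "00001000110100110001001100011001100010100010111000")]

# Constructed sample: unencrypted, highly structured payload bytes.
PLAINTEXT = b"GET / HTTP/1.1\r\n" * 64


def to_bits(data: bytes) -> list[int]:
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def monobit_p(bits: list[int]) -> float:
    """Frequency (monobit) test: are ones and zeros balanced?"""
    s = sum(2 * b - 1 for b in bits)          # +1 per one, -1 per zero
    return math.erfc(abs(s) / math.sqrt(len(bits)) / math.sqrt(2))


def runs_p(bits: list[int]) -> float:
    """Runs test: does the number of uninterrupted runs match expectation?"""
    n = len(bits)
    pi = sum(bits) / n                        # proportion of ones
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0                            # prerequisite frequency check failed
    v = 1 + sum(a != b for a, b in zip(bits, bits[1:]))   # observed runs
    return math.erfc(abs(v - 2 * n * pi * (1 - pi))
                     / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def looks_random(bits: list[int], alpha: float = 0.01) -> bool:
    """Reject the sequence as non-random if any p-value is below alpha."""
    return monobit_p(bits) >= alpha and runs_p(bits) >= alpha


if __name__ == "__main__":
    for name, bits in (("NIST example", NIST_BITS),
                       ("plaintext", to_bits(PLAINTEXT))):
        print(f"{name}: monobit={monobit_p(bits):.6f} "
              f"runs={runs_p(bits):.6f} random={looks_random(bits)}")
```

For the thesis, the same functions would be applied to encrypted record payloads extracted from captured traffic, using much longer bit sequences and the remaining tests of the suite.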

Tasks

  • Literature review on the state of the art in encrypted traffic analysis.
  • Read up on statistical randomness testing.
  • Measure randomness of widely used ciphers.
  • Perform experiments with real network traffic to see if results hold in practice. A traffic analysis pipeline developed in previous theses can be used as a starting point.
  • Review the randomness claims made in literature.

Requirements

  • Knowledge of networks and internet protocols (HTTPS, TLS, TCP)
  • Strong interest in network security and monitoring
  • Experience with network traffic analysis is a plus
  • Experience with efficient processing of big data is a plus
  • Willingness to learn additional skills

Supervision

  • Martin Burkhart
  • Bernhard Tellenbach

References

  1. Exploiting Diversity in Android TLS Implementations for Mobile App Traffic Classification
  2. ET-BERT: A Contextualized Datagram Representation with Pre-training Transformers for Encrypted Traffic Classification
  3. NIST Randomness Tests
  4. ANU QRNG – Quantum random numbers