TY - GEN
T1 - SFMap
T2 - 7th International Workshop on Traffic Monitoring and Analysis, TMA 2015
AU - Mori, Tatsuya
AU - Inoue, Takeru
AU - Shimoda, Akihiro
AU - Sato, Kazumichi
AU - Ishibashi, Keisuke
AU - Goto, Shigeki
N1 - Publisher Copyright:
© IFIP International Federation for Information Processing 2015.
PY - 2015
Y1 - 2015
N2 - Most modern Internet services are carried over the web. A significant amount of web transactions is now encrypted and the transition to encryption has made it difficult for network operators to understand traffic mix. The goal of this study is to enable network operators to infer hostnames within HTTPS traffic because hostname information is useful to understand the breakdown of encrypted web traffic. The proposed approach correlates HTTPS flows and DNS queries/responses. Although this approach may appear trivial, recent deployment and implementation of DNS ecosystems have made it a challenging research problem; i.e., canonical name tricks used by CDNs, the dynamic and diverse nature of DNS TTL settings, and incomplete measurements due to the existence of various caching mechanisms. To tackle these challenges, we introduce domain name graph (DNG), which is a formal expression that characterizes the highly dynamic and diverse nature of DNS mechanisms. Furthermore, we have developed a framework called Service-Flow map (SFMap) that works on top of the DNG. SFMap statistically estimates the hostname of an HTTPS server, given a pair of client and server IP addresses. We evaluate the performance of SFMap through extensive analysis using real packet traces collected from two locations with different scales. We demonstrate that SFMap establishes good estimation accuracies and outperforms a state-of-the-art approach.
AB - Most modern Internet services are carried over the web. A significant amount of web transactions is now encrypted and the transition to encryption has made it difficult for network operators to understand traffic mix. The goal of this study is to enable network operators to infer hostnames within HTTPS traffic because hostname information is useful to understand the breakdown of encrypted web traffic. The proposed approach correlates HTTPS flows and DNS queries/responses. Although this approach may appear trivial, recent deployment and implementation of DNS ecosystems have made it a challenging research problem; i.e., canonical name tricks used by CDNs, the dynamic and diverse nature of DNS TTL settings, and incomplete measurements due to the existence of various caching mechanisms. To tackle these challenges, we introduce domain name graph (DNG), which is a formal expression that characterizes the highly dynamic and diverse nature of DNS mechanisms. Furthermore, we have developed a framework called Service-Flow map (SFMap) that works on top of the DNG. SFMap statistically estimates the hostname of an HTTPS server, given a pair of client and server IP addresses. We evaluate the performance of SFMap through extensive analysis using real packet traces collected from two locations with different scales. We demonstrate that SFMap establishes good estimation accuracies and outperforms a state-of-the-art approach.
UR - http://www.scopus.com/inward/record.url?scp=84929625424&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84929625424&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-17172-2_9
DO - 10.1007/978-3-319-17172-2_9
M3 - Conference contribution
AN - SCOPUS:84929625424
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 126
EP - 139
BT - Traffic Monitoring and Analysis - 7th International Workshop, TMA 2015, Proceedings
A2 - Barlet-Ros, Pere
A2 - Bonaventure, Olivier
A2 - Steiner, Moritz
PB - Springer Verlag
Y2 - 21 April 2015 through 24 April 2015
ER -