Can encrypted traffic be identified without port numbers, IP addresses and payload inspection?

  • Alshammari R
  • Zincir-Heywood A
  • 61


    Mendeley users who have this article in their library.
  • 46


    Citations of this article.


Identifying encrypted application traffic represents an important issue for many network tasks including quality of service, firewall enforcement and security. Solutions should ideally be both simple - therefore efficient to deploy - and accurate. This paper presents a machine learning based approach employing simple packet header feature sets and statistical flow feature sets without using the IP addresses, source/destination ports and payload information to unveil encrypted application tunnels in network traffic. We demonstrate the effectiveness of our approach as a forensic analysis tool on two encrypted applications, Secure SHell (SSH) and Skype, using traces captured from entirely different networks. Results indicate that it is possible to identify encrypted traffic tunnels with high accuracy without inspecting payload, IP addresses and port numbers. Moreover, it is also possible to identify which services run in encrypted tunnels. © 2010 Elsevier B.V. All rights reserved.

Author-supplied keywords

  • Efficiency
  • Encrypted traffic identification
  • Flow
  • Packet
  • Performance measures
  • Security
  • Supervised learning

Get free article suggestions today

Mendeley saves you time finding and organizing research

Sign up here
Already have an account ?Sign in

Find this document


  • Riyad Alshammari

  • A. Nur Zincir-Heywood

Cite this document

Choose a citation style from the tabs below

Save time finding and organizing research with Mendeley

Sign up for free