Probabilistic Spying on Encrypted Tunnels

PACUMEN“packet acumen”

WHO ARE WE?

PRASAD RAO - HPLABSBRANDON NIEMCZYK – HP DVLABS

WHAT IS PACUMEN ?

A tool to identify what applications are being used over an encrypted tunnel.

ACADEMIA HAS PRODUCED PAPERS…

Where’s the code?

PREVIOUS WORK

Results only.

Focus on one application at a time.

Results are difficult to interpret.

HOW DOES PACUMEN WORK?

PACUMEN learns by example.

HOW DOES PACUMEN WORK?

Train PACUMEN

Collect Example

Data

ClassifierClassify

new data

Provide new data from

network/pcap

10 Collect Training Data20 Build Classifier30 Get unknown data40 Classify unknown data50 GOTO 30

HOW DOES PACUMEN WORK?

A B A

SIZE ASIZE B

11

2CLASSIFY

IRRELEVANT SIZE 1 2 3

10 seconds

UPDATECONFIDENCE

HOW DOES PACUMEN WORK?

- Decision Trees

Multiple types of classifiers can be created.

- Mixed Gaussian Likelihood functions

DECISION TREESIs it a dog or a house cat?

Is it heavier than fifteen pounds?

Does it bark?

Probably a cat

Probably a dog

Probably a dog

MIXED GAUSSIANS

M =

DEMO TIME!

THANK YOUAny Questions?

PACUMEN - https://github.com/bniemczyk/pacumen.git

Prasad Rao – [email protected]

Brandon Niemczyk – [email protected]

Vib Chhabra – [email protected]