DocumentCode
2737103
Title
Disambiguating HTTP: Classifying web Applications
Author
Archibald, Rennie ; Yali Liu ; Corbett, Cherita ; Ghosal, Dipak
Author_Institution
Dept. of Comput. Sci., Univ. of California Davis, Davis, CA, USA
fYear
2011
fDate
4-8 July 2011
Firstpage
1808
Lastpage
1813
Abstract
One of the key challenges facing network administrators in securing an enterprise network is the anonymity of the traffic on the network. Although current research has taken steps forward in addressing the issue of identifying the application layer protocols (e.g., SSH, HTTP, or FTP), a more fine-grained identification is required for a variety of applications that run over these established application layer protocols. We are specifically interested in disambiguating traffic that is carried by the HTTP application layer protocol. In this paper, we investigate representatives of classes of applications, namely social networking (Facebook), web-mail (Gmail), and streaming video applications (YouTube), all of which communicate via the HTTP protocol. We use specific features derived from network traffic (i.e., the TCP/IP packet headers) that can be used to classify the flows as belonging to each application. An important aspect of our work is to classify the applications based on any segment of the traffic flow. We consider different signals that can be derived from the network flow such as the packet sizes and inter-arrival times and apply simple statistical and spectral analysis to identify distinguishing features of the applications. Our classification system yields a classification rate of 93% or better using only packet size statistics. We evaluate our system on network flows collected from the backbone of the UC Davis campus network. Furthermore, we consider two types of noise an adversary may inject to evade detection: packet padding and altering the inter-packet delays. Despite these two types of noise, using our classification method we are still able to achieve a reasonable classification rate.
Keywords
Internet; hypermedia; telecommunication traffic; transport protocols; Web application; disambiguating HTTP protocol; enterprise network; inter-packet delays; network traffic; packet padding; social networking; Delay; Feature extraction; IP networks; Protocols; Training; Yttrium; Application classification; HTTP tunneling; Spectral analysis; Statistical analysis; Support vector machines; obfuscation methods;
fLanguage
English
Publisher
ieee
Conference_Titel
Wireless Communications and Mobile Computing Conference (IWCMC), 2011 7th International
Conference_Location
Istanbul
Print_ISBN
978-1-4244-9539-9
Type
conf
DOI
10.1109/IWCMC.2011.5982809
Filename
5982809