Slide 1

NETWORK TRAFFIC CLASSIFICATION IN CYBERSECURITY
Associate Professor Dr. Nor Badrul Anuar bin Jumaat
Bukit Aman - January 4, 2020

Slide 2

Speaker's Profile
DR. NOR BADRUL ANUAR BIN JUMAAT
Associate Professor at Faculty of Computer Science and Information Technology, Universiti Malaya
Specializes in information and network security, data science and artificial intelligence
UMExpert - umexpert.um.edu.my/badrul
Google Scholar - bit.do/badrul

Slide 3

TODAY'S AGENDA
Topics covered:
- Network traffic classification (NTC)
- Existing techniques
- NTC in Cybersec
- Challenges & Opportunities

Slide 4

NETWORK TRAFFIC CLASSIFICATION?
Given a sample of network traffic, NTC classifies the sample into its originating application.
-- Hey NTC, what traffic is this?
-- Hey, it's Facebook traffic!
NTC sounds pretty trivial. However, there is a very fundamental problem to it: the network traffic does not come with name tags!

Slide 5

NTC TECHNIQUES
There are 5 main techniques to classify traffic: port, deep packet inspection (DPI), statistical, machine learning (ML) and behavioral-based.
-- How do you know it's Facebook?
-- Well, if you really want to know...
Port - Uses port numbers. Port 80? HTTP traffic! Port 22? SSH!
DPI - Inspects the packet content to find unique signature strings.
Statistical - Calculates some unique statistical relationship, like packet size distribution.
ML - Uses statistical (and other) features to automate the classification (learning) process.
Behavioral - Detects the behavior pattern. How many open ports? How many connected clients?

Slide 6

NTC TECHNIQUES
-- Too many techniques!
-- Of course there are pros and cons, my friend.
Port-based is quick but obsolete as a standalone solution.
DPI is accurate but performs well only with clear-text traffic.
Statistical-based works with un/encrypted traffic but is sensitive to network conditions.
ML-based is the current state of the art. Availability of training data is the challenge.
Behavioral-based works with un/encrypted traffic but requires enough data.
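Added example, not from the slide deck: the port, DPI and statistical techniques from the two technique slides, implemented as small classifiers over constructed flow records (the ports, payload prefixes, packet sizes and thresholds are all assumed), so the trade-offs listed above show up side by side: the port lookup misses HTTP on 8080, DPI labels a TLS flow only as TLS, and the size-distribution check still says something about the encrypted flow.

```python
# Added example (not the speaker's code): the port, DPI and statistical techniques
# from Slides 5-6 run over constructed flows, showing where each one falls short.
# Constructed flow records: (dst_port, first payload bytes, packet sizes in bytes).
FLOWS = {
    "http-on-80":   (80,   b"GET / HTTP/1.1\r\nHost: example.test\r\n", [66, 512, 1460, 1460, 1460, 200]),
    "ssh-on-22":    (22,   b"SSH-2.0-OpenSSH_8.4\r\n",                  [100, 100, 120, 96]),
    "http-on-8080": (8080, b"GET /api HTTP/1.1\r\n",                    [66, 512, 1460, 1460]),
    "tls-on-443":   (443,  b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc",     [517, 1460, 1460, 1460, 300]),
}

# Port-based: a fixed port-to-application table (assumed well-known ports).
PORT_TABLE = {22: "SSH", 80: "HTTP", 443: "HTTPS"}

# DPI: signature strings expected at the start of the payload (assumed signatures).
SIGNATURES = [(b"SSH-", "SSH"), (b"GET ", "HTTP"), (b"\x16\x03", "TLS")]

def classify_port(port):
    """Quick, but blind to any application that runs on a non-standard port."""
    return PORT_TABLE.get(port, "unknown")

def classify_dpi(payload):
    """Accurate on clear text; on TLS it only sees the record header, not the app inside."""
    for signature, label in SIGNATURES:
        if payload.startswith(signature):
            return label
    return "unknown"

def classify_statistical(sizes):
    """Packet-size distribution needs no payload, so it also works on encrypted flows,
    but the thresholds (assumed here) depend on the MTU and on network conditions."""
    full_sized = sum(1 for s in sizes if s >= 1400) / len(sizes)
    if full_sized >= 0.5:
        return "bulk-transfer"
    if sum(sizes) / len(sizes) < 200:
        return "interactive"
    return "unknown"

def classify_flow(port, payload, sizes):
    """Run all three techniques so their disagreements are visible side by side."""
    return {"port": classify_port(port),
            "dpi": classify_dpi(payload),
            "statistical": classify_statistical(sizes)}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:14} {classify_flow(*flow)}")
```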

Slide 7

NTC GRANULARITY
-- I want to know more than just Facebook!
-- So you need multiple classification granularity?
There are 3 main classes of granularity: coarse-grained, fine-grained and binary.
Coarse-grained - High level: application protocol & type. HTTP? Multimedia?
Fine-grained - Low level: application name & service. Facebook? Facebook-video?
Binary - One-versus-one classification. Malicious? Non-malicious?

Slide 8

NTC IN CYBERSEC
Applications of NTC are endless. Cybersec largely benefits from NTC through increased network visibility, which translates to greater security control. Depending on the objective of NTC in cybersec, there are plenty of use cases for multiple NTC granularities.

Slide 9

NTC IN CYBERSEC
App-aware Firewall - Next-generation firewalls are starting to implement higher NTC granularity. Why? Palo Alto's Next-Gen Firewall is able to detect application services like Facebook-chat and Facebook-post.
User Profiling - What if we can profile a network user to the most granular level? Can a network profile be used as support to prove legal charges in the future?
Digital Forensic - Incident responders analyze enormous traffic dump traces. NTC helps by narrowing down the investigation to a specific application class quickly.

Slide 10

CHALLENGES & OPPORTUNITIES
Encrypted traffic - Fortinet Networks states that 73% of Internet traffic is now encrypted! Future NTC engines must be able to classify encrypted traffic accurately.
Real-time - Events involving cybersec often require real-time decisions. NTC algorithms must consider constraints on algorithm complexity so that they can run in real time.
Data - Publicly available traffic data is scarce. A major factor contributing to this problem is data sensitivity. How can we share traffic data without compromising confidentiality?

Slide 11

KEY TAKEAWAYS
- NTC increases network visibility.
- NTC is moving towards machine learning to automate the process.
- Granular NTC allows greater control of the network.
- Implementation of NTC in cybersec is critical, e.g. firewalls, forensics, profiling.
- Encrypted traffic, real-time classification and data availability are among the challenges of NTC.

Slide 12

THANK YOU
E-mail address: badrul @ um.edu.my
Slide deck available at speakerdeck.com/mfaizmzaki