undefined | Better HN

0 pointspeterwwillis9y ago0 comments

True, you would typically use machine learning, which can be used to identify and separate layers in protocols.

0 comments

4 comments · 1 top-level

Buge9y ago· 3 in thread

Machine learning on random data won't get you anything.

And is machine learning fast enough for live network filters?

It was fast enough 10 years ago. And it worked on random data. Luckily though, internet traffic is not random data, and encrypted internet traffic is much less random than you'd think. Of course a lot of it involves inferring information about different parts of flows, but high accuracy is not difficult. (What's difficult to detect is traffic you haven't got any trained models for)

Buge9y ago

If it's actually random data then no it won't work. Actual random data is 100% noise and 0% signal. If the ML thinks it's picked up some signal, then it's wrong.

You're right that TLS is not 100% random, there is some information to work with: the size of the encrypted blobs (they're rounded because of padding) and the timing of them. Are there any commercial firewalls that do analysis of this kind for the purpose of blocking the traffic? It wouldn't be able the block all the traffic, because it would have to wait a while to get more timing data that it can apply its heuristics, then end the connection.

And it wouldn't be able to unpack protocol layers.

1 more reply

NetStrikeForce9y ago

Random data, but what about traffic patterns and timings? I am pretty sure DPI engines are not just based on the packet's data anymore.

j / k navigate · click thread line to collapse