A Study on Service Identification Based on Server Name Indication Analysis

Title: A Study on Service Identification Based on Server Name Indication Analysis
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Yamauchi, Hiroaki; Nakao, Akihiro; Oguchi, Masato; Yamamoto, Shu; Yamaguchi, Saneyasu
Conference Name: 2019 Seventh International Symposium on Computing and Networking Workshops (CANDARW)
Date Published: nov
ISBN Number: 978-1-7281-5268-4
Keywords: computer network security, cryptography, current IP flows, deep packet inspection, Deep Packet Inspection (DPI), Deeply Programmable Network (DPN), DPI, identification accuracy, IP addresses, IP network flows, IP networks, port numbers, pubcrawl, quality of service, resilience, Resiliency, Scalability, security issues, Server Name Indication analysis, Service Identification, service identification method, Service Name Indication (SNI), telecommunication traffic, TLS/SSL, Transport Layer Security
Abstract

Identifying services constituting traffic from given IP network flows is essential to various applications, such as the management of quality of service (QoS) and the prevention of security issues. Typical methods for achieving this objective include identifications based on IP addresses and port numbers. However, such methods are not sufficiently accurate and require improvement. Deep Packet Inspection (DPI) is one of the most promising methods for improving the accuracy of identification. In addition, many current IP flows are encrypted using Transport Layer Security (TLS). Hence, it is necessary for identification methods to analyze flows encrypted by TLS. For that reason, a service identification method based on DPI and n-gram that focuses only on the non-encrypted parts in the TLS session establishment was proposed. However, there is room for improvement in identification accuracy because this method analyzes all the non-encrypted parts including Random Values without protocol analyses. In this paper, we propose a method for identifying the service from given IP flows based on analysis of Server Name Indication (SNI). The proposed method clusters flows according to the value of SNI and identifies services from the occurrences of all clusters. Our evaluations, which involve identifications of services on Google and Yahoo sites, demonstrate that the proposed method can identify services more accurately than the existing method.

URL: https://ieeexplore.ieee.org/document/8951703
DOI: 10.1109/CANDARW.2019.00089
Citation Key: yamauchi_study_2019