IEEE Access (Jan 2023)

User Behavior Detection Using Multi-Modal Signatures of Encrypted Network Traffic

  • Jee-Tae Park
  • Chang-Yui Shin
  • Ui-Jun Baek
  • Myung-Sup Kim

DOI
https://doi.org/10.1109/ACCESS.2023.3311889
Journal volume & issue
Vol. 11
pp. 97353 – 97372

Abstract

With the development of the network environment and the emergence of new applications, network traffic has become increasingly complex. This paper focuses on user behavior detection based on encrypted traffic analysis. User behavior information plays a critical role in network management and security, leading to extensive research in this domain. This paper introduces two main contributions. Firstly, we present a categorization method for application types and a behavior definition approach for user behavior detection research. This enables consistent behavior definition for each application type, facilitating objective performance comparison with other studies in the field. Secondly, a behavior detection method based on multi-modal signatures is introduced. The multi-modal signatures represent the multiple signatures extracted from encrypted traffic, including header, SNI, and PSD signatures, which are subsequently defined as a rule. To validate the effectiveness of our proposed method, we conducted 4 experiments on 5 SaaS applications. As a result of the experiments, the proposed method achieves an F-measure of 94~99% and can detect other types of application behaviors with high performance. As this study conducts user behavior detection research based on encrypted traffic analysis, the proposed method can be applied to other research areas that utilize encrypted traffic.

Keywords