Encrypted Application Detection Use Case

Increased levels of data encryption pose challenges to IT organizations that are responsible managing and securing a network. Analysts need to know the Internet applications being carried by their network. The use of encrypted traffic carrying Internet applications impedes their ability to perform network planning as well. Also, encrypted traffic poses a challenge for Law Enforcement Agencies (LEA) and Intelligence organization. Regular network probes that rely on Deep Packet Inspection are less accurate and so they fail to classify as expected. Thus, one of the Use Case of ENTA addresses this issue by providing application-level detection and visibility of encrypted traffic.

Three possible levels for application detection can be defined:

The first level of application detection is the identification of an application as belonging to one of the following categories: video streaming, audio streaming, audio chat, text messaging, gaming, file transfer, etc. Academic research in this area is mature and a number of researchers have shown that encrypted applications can be detected and classified to various categories based on temporal and spatial traffic characteristics.

The second level is the identification of a specific application such as being a Netflix, YouTube, DailyMotion, Spotify, WhatsApp, or Zoom application. For examples, Taylor et al profile 110 of the most popular apps in the Google Play Store and are able to re-identify them with more than 99% accuracy in

The third level is the inference of the intent/activity occurring during an application uptime. This is a difficult problem to address, particularly due to the lack of availability of labeled dataset for model training. Although inferring the presence of malware or cyber-attacks also belong to the third level of application visibility, this aspect of cybersecurity visibility is out of scope of the present use case scenario.

To demonstrate the proposed ENTA solution in a realistic manner, the use case to demonstrate the Internet application detection will consider only the second (application detection) and the third level (intent/activity) of application visibilities described above.

IoT Discovery and Rogue IoT Detection Use Case

IoT technologies are becoming more and more popular as they are being implemented in more diverse scenarios and at larger scales. Devices that compose a network might be setup to cover large areas and positioned in hard-to-access locations or remote places.

Periodic interferences, signal loss, and general wear and tear can affect the IoT devices which in turn will be visible in the pattern of the data packages that are being periodically transmitted. Depending on the application, the structure of the packages themselves might change depending on the state of the devices.

Such behavior might either be ignored, offering a possible “cover” for malicious parties who wish to infiltrate the network, or be wrongfully flagged as a totally compromised system by an overzealous assessment tool.

Moreover, encrypted traffic generated by IoT devices presents traffic type and content visibility challenge. Currently, there aren’t any solution that can detect if an encrypted flow traffic is being generated by an IoT device or not, and if this encrypted traffic flow is being used to execute an attack by a rogue IoT device.

In the IoT context described above, the IoT use case will demonstrate the discovery of IoT devices and the detection of rogue IoT devices. Firstly, IoT devices will be identified in term of their presence in the network and their characteristics such as type, category, and usage.

Secondly, an IoT device will be considered rogue if it has been compromised by bad actors and is being used to attack the servers inside the company network. An IoT device can become rogue in the following manners:

  • When a bad actor adds a new compromised device to the network
  • When a bad actor updates an IoT device software trying to gain control over the device