Large-scale, distributed applications deployed in multi-site enterprise environments have led to wide-spread use of encrypted transits. Current traffic analysis techniques are notcommensurate to the complexity and scale of these applications, and are further exacerbatedby the increased use of encryption. Although several popular and successful approaches exist to analyze traffic through encryption, they rely heavily on traffic signatures that do not scale with large distributions of applications, do not generalize to new applications, or respond tovariations in application instances.
Accurate and Precise Recognition of Obscured Payloads in Operational Systems (APROPOS) addresses the limitations of current approaches to encrypted application and useridentification through several novel techniques, applied intelligently based on the environment and current enterprise priorities.
APROPOS techniques include:
While there are existing encrypted traffic analysis techniques, these techniques do not address the challenges raised by the distributed nature of modern communications, and fail to differentiate encapsulated, multiplexed applications. APROPOS’ techniques overcome theselimitations in four ways. 1) Intrinsically understanding the distributed nature of target environments to produce a holistic analysis of application traffic. 2) Leveraging broad, rapid classification of traffic into groups while using appropriate novel classifiers for fine-grained identification. 3) Constructing weighted hyper-graphs of communication patterns that allow identification of applications, application instances and users through the recognition of correlated behaviors. 4) Employ an algebraic network representation based upon high-accuracy network path analytics to determine optimal observation sites.
When deployed, APROPOS will result in significant improvements in the accuracy and viability of analysis on encrypted traffic for application and user identification. APROPOS will have the following key impacts: