Identification of Low-Latency Obfuscated Traffic Using Multi-Attribute Analysis
Naval Postgraduate School, Monterey, United States
There is no process or system capable of detecting obfuscated network traffic on Department of Defense (DOD) networks, and the quantity of obfuscated traffic on DOD networks is unknown. The presence of this traffic on a DOD network creates significant risk from both insider-threat and network-defense perspectives. This study used quantitative correlation and simple network-traffic analysis to identify common characteristics, relationships, and sources of obfuscated traffic. Each characteristic was evaluated individually for its ability to detect obfuscated traffic, and in combination with others in a set of Naive Bayes multi-attribute prediction models. The best-performing evaluations used multi-attribute analysis and proved capable of detecting approximately 80 percent of obfuscated traffic in a mixed dataset. By applying the methods and observations of this study, the threat to DOD networks from obfuscation technologies can be greatly reduced.
- Computer Systems