VPN Fingerprinting

Network protocol detection inside virtual private network tunnels

Master thesis (2021)

Authors

R.S. Graafmans Electrical Engineering, Mathematics and Computer Science

Contributors

Christian Doerr Hasso Plattner Institute (supervisor 1)
P.R. Zimmermann Cyber Security - EEMCS (supervisor 1)
Z. Erkin Cyber Security - EEMCS (supervisor 2)
Ranga Rao Venkatesha Prasad Embedded Systems - EEMCS (supervisor 2)
Faculty
Electrical Engineering, Mathematics and Computer Science
Copyright: © 2021 Roy Graafmans
Machine Learning Network protocols VPN Network traffic analysis Virtual Private Network Fingerprinting
More Info
expand_more

Published Date

15-12-2021

Language

English

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Faculty

Electrical Engineering, Mathematics and Computer Science

Abstract

Virtual private networks are often used to secure communication between two hosts and preserve privacy by tunneling all traffic over a single encrypted channel. Previous work has already shown that metadata of different secured channels can be used to fingerprint various kinds of information. In this work, we will dive into the encrypted tunnels as used by VPNs. We have collected automatically generated data of 9 network protocols sent over 8 different VPN solutions with 3 different rates for mixed traffic each. Due to the single combined traffic channel of the VPN, this work had to focus on packet-wise features instead of stream-wise ones, requiring the development of new features compared to related work. Both Random Forest and Markov Chains are trained to distinguish the network protocols by finding the patterns of the protocols in the developed features. We show that it is possible to fingerprint network protocols in all different scenarios based on the metadata available. Moreover, it was found that size features are more important than timing-related ones, especially when padding comes into place. Lastly, we show that obfuscations methods focussing on distorting size or timing patterns solely are not effective enough and future obfuscation methods should incorporate both features.