Revealing Skype Traffic: When Randomness Plays with You

Transcription

1 Revealing Skype Traffic: When Randomness Plays with You Dario Bonfiglio Marco Mellia Michela Meo Dario Rossi Paolo Tofanelli Our Goal Identify Skype traffic Motivations Operators need to know what is running in their network New business models, provisioning, TE, etc. Understand user behaviour Traffic characterization, security 2 1

2 Skype Overview State-of-the-Art No server No standard Skype offers voice, Encryption/Obfuscation No video, well-known chat and port data transfer services over No RFC Mechanisms IP Closed design, proprietary solutions P2P technology Proprietary protocols Encrypted communications Easy to use, difficult to reveal 3 Our Goal Identify Skype traffic Voice stream first: both E2E and SkypeOut/In streams Possible video/chat/file transfers/signaling Constraints Passive observation of traffic Protocol ignorance 4 2

3 Three Classifiers Payload Based Classifier Limited Traffic Flow Naïve Bayes Traditio a Classifier Chi Square Classifier EXCITING 5 Three Classifiers Payload Based Classifier Traffic Flow Naïve Bayes Classifier Chi Square Classifier A N D 6 3

4 Skype Source Model (What we understand about it) Skype as VoIP Application Skype selects the voice codec from a list Low bit rate: kbps Regular Inter-Packet-Gap (30 ms frames) Redundancy may be added to mitigate packet loss Framing may be modified from the original codec one Multiplexes different source into the same message (voice, video, chat, ) 8 4

5 Skype Source Model Skype Message TCP/UDP IP 9 Skype Header Formats (What we guess about it) Payload Based Classifier Limited 5

6 Possible Skype Messages Signaling and data messages Use TCP, with ciphered payload Login, lookup, signaling Data flow Use UDP whenever possible: payload is encrypted but some header MUST be exposed Source AES Unreliable Impossible to exploit. Everything is ciphered Receiver AES 11 Skype Source Model Skype Message TCP/UDP IP 12 6

7 SoM Format for E2E Messages ID FUNC Start of Message (SoM) of End2End messages carried by UDP has: ID: 16 bits long random identifier FUNC: 5 bits long function (multiplexing?), obfuscated in a Byte 13 Function Values 0x01 =??Query message 0x02 =??Query 0x0d = Data 0x07 = NAK Voice Video Chat File 14 7

8 PBC SoM can be used to identify Skype flows carried by UDP 5bits long signature Classic signature based classifier Identify Skype socket address at clients To make it more robust, look for Skype flows with the same UDP port It works with UDP only at edge node only Complex Cannot discriminate VOICE/VIDEO/CHAT/DATA 15 Skype Encrypts Traffic Chi Square Classifier EXCIT ING 8

9 Skype Source Model Skype Message TCP/UDP IP 17 Randomness Classifier Skype encrypts traffic payload looks like random Some headers are constant (FUNC) Apply randomness test to the payload bits Chi-Square test: statistic test for random sequences 2 χ 2 ( x E) = i E i 18 9

10 CSC Split the payload into groups Apply the test on the groups at the flow end: each message is a sample Some groups will contain Random bits Mixed bits Deterministic bits ID FUNC e Deterministic group Random group Mixed group CSC Set a threshold 2 χ e+006 n [pkt] 20 10

11 Skype is a VoIP Application Naïve Bayes Classifier Traditio a Skype Source Model Skype Message TCP/UDP IP 22 11

12 Sample Trace [Kbps] [ms] [Bytes] Average Throughput Bandwidth limit Framing Skype Message Size Time [s] Regular IPG Small/regular packets 23 NBC Simple classifier: based on the a-priori prob, evaluate the a-posteriori prob How similar is this flow to a Skype voice flow? What makes VoIP traffic different from other traffic? Packet size, i.e., small packets (packet NBC) Inter-Packet-Gap, i.e., small NBC) IPG (IPG 24 12

13 Skype Naive Bayes Classifier W (k) W (k+1) W (k+2) W (k+3) W (k+4) X Packet NBC Packet NBC Packet NBC max B s (k,j) AVG E[B s (,j) ] min B Y IPG NBC IPG NBC IPG NBC`` max AVG (k) B E[B τ ] τ 25 NBC over Time [Bytes] Belief Set a threshold E[PKT] = 90B E[PKT] = 210B E[PKT] = 252B Time 26 13

14 Results Three Classifiers Payload Based Classifier UDP benchmar k dataset Traffic Flow Naïve Bayes Classifier Chi Square Classifier A N D 28 14

15 Scenario Testbed traces: 100% accuracy Campus Simple scenario, no P2P, no VoIP Italian ISP Fastweb Stiff scenario: lot of P2P, tons of VoIP Results consider True positive (OK): Skype, and identified False positive (FP): Not Skype, but identified False negative (FN): Skype, but discarded 29 Performance Evaluation: UDP N OK FP FP% FN FN% PBC 65 Payload (50) Based Classifier NBC Naïve 50Based Classifier 73.73% % CSC 191 Chi 57 Square Classifier % % NBC+CSC 51 49NBC + CSC2 0.01% % TOT >

16 CSC Threshold Impact 1e+006 Deterministic group Random group Mixed group e+00 n [pkt] FP [%] FN [%] E2E CSC Threshold 31 Conclusions Revealed Skype traffic Two novel classifiers Excellent results NBC to detect voice flows CSC to detect randomness in traffic Work online, for both UDP and TCP NBC and CSC are nice tools NBC can be tuned for other services (e.g. video, data) CSC can be extended to other protocols (e.g., P2P) 32 16