METADATA ANALYSIS OF ENCRYPTED TRAFFIC TO ELIMINATE SECURITY «BLIND SPOTS» OF MODERN INFORMATION SYSTEMS

  • Maksym Horelko, Student (Bachelor's degree, specialty F5), Department of Cybersecurity of Information Systems, Networks and Technologies, V. N. Karazin Kharkiv National University
  • Serhii Malakhov, Ph.D., Senior Researcher, Associate Professor, Department of Cybersecurity of Information Systems, Networks and Technologies, V. N. Karazin Kharkiv National University, Ukraine, https://orcid.org/0000-0001-8826-1616
Keywords: traffic, filtering, traffic fingerprinting, pattern, information security (IS), VPN, Tor, cyber deception

Abstract

A review of recent developments is offered on the issues in the complex analysis of encrypted network traffic in modern information systems. The main research methods are analysis, generalization and comparison. The paper considers the issue of finding possible ways to ensure a compromise in the conditional triangle of «influence factors» when solving the tasks of operational detection of dangers in the data structure of encrypted traffic. The following combination is considered as the «influence factors»: the need to ensure the required level of Information Security (IS); support for users' right to confidentiality; and the resource consensus of the implemented software and hardware solutions. Attention is drawn to the fact that the integration of artificial intelligence and machine learning (AI/ML) technologies into the structure of network traffic control algorithms is a key lever for influencing the final result. It is emphasized that the opposing party will also use these technologies to mask its activities. It is concluded that the implementation of procedures for analyzing network traffic metadata is a compromise solution. Such an approach improves the «transparency» of current network activity for early detection of security threats without directly resorting to traffic decryption procedures. It is emphasized that implementing the «Cyber Deception» paradigm and a comprehensive analysis of the metadata of circulating encrypted traffic are a promising vector of efforts for the preventive elimination of the prerequisites for the formation of «blind spots» in the security of modern IT systems.
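As an added illustration (not part of the paper) of what handshake metadata remains visible in encrypted traffic without any decryption, the Python below constructs a minimal TLS ClientHello, parses its plaintext fields as a passive observer would, and derives a JA3-style fingerprint string from them; the hostname, cipher and group values are constructed samples, and GREASE filtering is omitted for brevity.

```python
import hashlib
import struct

def build_client_hello(sni, ciphers, groups):
    """Construct a minimal TLS ClientHello record (sample input, constructed here)."""
    name = sni.encode()
    sni_list = b"\x00" + struct.pack(">H", len(name)) + name           # name_type 0 = host_name
    ext_sni = struct.pack(">HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    grp = b"".join(struct.pack(">H", g) for g in groups)
    ext_groups = struct.pack(">HHH", 10, len(grp) + 2, len(grp)) + grp  # supported_groups
    ext_points = struct.pack(">HH", 11, 2) + b"\x01\x00"                 # ec_point_formats
    exts = ext_sni + ext_groups + ext_points
    cs = b"".join(struct.pack(">H", c) for c in ciphers)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                # version, client random, empty session id
            + struct.pack(">H", len(cs)) + cs + b"\x01\x00"      # cipher suites, null compression only
            + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs    # record header: handshake, legacy version

def parse_client_hello(rec):
    """Extract the metadata a passive observer sees before any encryption starts."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    u16 = lambda i: int.from_bytes(rec[i:i + 2], "big")
    p = 9 + 2 + 32                                   # skip record/handshake headers, version, random
    version = u16(9)
    p += 1 + rec[p]                                  # session id
    n = u16(p); p += 2
    ciphers = [u16(i) for i in range(p, p + n, 2)]; p += n
    p += 1 + rec[p]                                  # compression methods
    end = p + 2 + u16(p); p += 2
    meta = {"version": version, "ciphers": ciphers, "extensions": [], "groups": [], "points": [], "sni": None}
    while p < end:
        etype, elen = u16(p), u16(p + 2)
        data = rec[p + 4:p + 4 + elen]; p += 4 + elen
        meta["extensions"].append(etype)
        if etype == 0:                               # server_name: the hostname travels in the clear
            nlen = int.from_bytes(data[3:5], "big")
            meta["sni"] = data[5:5 + nlen].decode()
        elif etype == 10:
            meta["groups"] = [int.from_bytes(data[i:i + 2], "big") for i in range(2, len(data), 2)]
        elif etype == 11:
            meta["points"] = list(data[1:])
    return meta

def ja3_style_fingerprint(meta):
    # JA3-style string and MD5 over the handshake metadata (simplified: no GREASE filtering)
    fields = [str(meta["version"])] + ["-".join(map(str, meta[k])) for k in ("ciphers", "extensions", "groups", "points")]
    s = ",".join(fields)
    return s, hashlib.md5(s.encode()).hexdigest()
```

The same parsing applies to captured ClientHello records; the point for defenders is that SNI, cipher order and extension layout are observable for fingerprinting and anomaly detection even though the payload is encrypted.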

Published: 2025-12-30

How to cite: Horelko, M., & Malakhov, S. (2025). METADATA ANALYSIS OF ENCRYPTED TRAFFIC TO ELIMINATE SECURITY «BLIND SPOTS» OF MODERN INFORMATION SYSTEMS. Computer Science and Cybersecurity, (2), 40-50. https://doi.org/10.26565/2519-2310-2025-2-04

Section: Articles