IM session identification by outlier detection in cross-correlation functions

Saad Saleh; Muhammad U. Ilyas; Khawar Khurshid; Alex X. Liu; Hayder Radha

doi:10.1109/CISS.2015.7086851

IM session identification by outlier detection in cross-correlation functions

Saad Saleh, Muhammad U. Ilyas, Khawar Khurshid, Alex X. Liu, Hayder Radha

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The identification of encrypted Instant Messaging (IM) channels between users is made difficult by the presence of variable and high levels of uncorrelated background traffic. In this paper, we propose a novel Cross-correlation Outlier Detector (CCOD) to identify communicating end-users in a large group of users. Our technique uses traffic flow traces between individual users and IM service provider's data center. We evaluate the CCOD on a data set of Yahoo! IM traffic traces with an average SNR of -6.11dB (data set includes ground truth). Results show that our technique provides 88% true positives (TP) rate, 3% false positives (FP) rate and 96% ROC area. Performance of the previous correlation-based schemes on the same data set was limited to 63% TP rate, 4% FP rate and 85% ROC area.

Original language	English
Title of host publication	2015 49th Annual Conference on Information Sciences and Systems (CISS)
Publisher	IEEE
Pages	1-5
Number of pages	5
ISBN (Print)	978-1-4799-8428-2
DOIs	https://doi.org/10.1109/CISS.2015.7086851
Publication status	Published - 20 Mar 2015
Event	2015 49th Annual Conference on Information Sciences and Systems (CISS) - Baltimore, MD, USA Duration: 18 Mar 2015 → 20 Mar 2015

Conference

Conference	2015 49th Annual Conference on Information Sciences and Systems (CISS)
Period	18/03/15 → 20/03/15

Keywords

Correlation
Privacy
Instant messaging
Time series analysis
Security
Delays
Signal to noise ratio

Access to Document

10.1109/CISS.2015.7086851

https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7086851

Cite this

@inproceedings{e8efccb56f474879800095bc64fb7518,

title = "IM session identification by outlier detection in cross-correlation functions",

abstract = "The identification of encrypted Instant Messaging (IM) channels between users is made difficult by the presence of variable and high levels of uncorrelated background traffic. In this paper, we propose a novel Cross-correlation Outlier Detector (CCOD) to identify communicating end-users in a large group of users. Our technique uses traffic flow traces between individual users and IM service provider's data center. We evaluate the CCOD on a data set of Yahoo! IM traffic traces with an average SNR of -6.11dB (data set includes ground truth). Results show that our technique provides 88% true positives (TP) rate, 3% false positives (FP) rate and 96% ROC area. Performance of the previous correlation-based schemes on the same data set was limited to 63% TP rate, 4% FP rate and 85% ROC area.",

keywords = "Correlation, Privacy, Instant messaging, Time series analysis, Security, Delays, Signal to noise ratio",

author = "Saad Saleh and Ilyas, {Muhammad U.} and Khawar Khurshid and Liu, {Alex X.} and Hayder Radha",

year = "2015",

month = mar,

day = "20",

doi = "10.1109/CISS.2015.7086851",

language = "English",

isbn = "978-1-4799-8428-2",

pages = "1--5",

booktitle = "2015 49th Annual Conference on Information Sciences and Systems (CISS)",

publisher = "IEEE",

note = "2015 49th Annual Conference on Information Sciences and Systems (CISS) ; Conference date: 18-03-2015 Through 20-03-2015",

}

TY - GEN

T1 - IM session identification by outlier detection in cross-correlation functions

AU - Saleh, Saad

AU - Ilyas, Muhammad U.

AU - Khurshid, Khawar

AU - Liu, Alex X.

AU - Radha, Hayder

PY - 2015/3/20

Y1 - 2015/3/20

N2 - The identification of encrypted Instant Messaging (IM) channels between users is made difficult by the presence of variable and high levels of uncorrelated background traffic. In this paper, we propose a novel Cross-correlation Outlier Detector (CCOD) to identify communicating end-users in a large group of users. Our technique uses traffic flow traces between individual users and IM service provider's data center. We evaluate the CCOD on a data set of Yahoo! IM traffic traces with an average SNR of -6.11dB (data set includes ground truth). Results show that our technique provides 88% true positives (TP) rate, 3% false positives (FP) rate and 96% ROC area. Performance of the previous correlation-based schemes on the same data set was limited to 63% TP rate, 4% FP rate and 85% ROC area.

AB - The identification of encrypted Instant Messaging (IM) channels between users is made difficult by the presence of variable and high levels of uncorrelated background traffic. In this paper, we propose a novel Cross-correlation Outlier Detector (CCOD) to identify communicating end-users in a large group of users. Our technique uses traffic flow traces between individual users and IM service provider's data center. We evaluate the CCOD on a data set of Yahoo! IM traffic traces with an average SNR of -6.11dB (data set includes ground truth). Results show that our technique provides 88% true positives (TP) rate, 3% false positives (FP) rate and 96% ROC area. Performance of the previous correlation-based schemes on the same data set was limited to 63% TP rate, 4% FP rate and 85% ROC area.

KW - Correlation

KW - Privacy

KW - Instant messaging

KW - Time series analysis

KW - Security

KW - Delays

KW - Signal to noise ratio

UR - https://ieeexplore.ieee.org/document/7086851/

U2 - 10.1109/CISS.2015.7086851

DO - 10.1109/CISS.2015.7086851

M3 - Conference contribution

SN - 978-1-4799-8428-2

SP - 1

EP - 5

BT - 2015 49th Annual Conference on Information Sciences and Systems (CISS)

PB - IEEE

T2 - 2015 49th Annual Conference on Information Sciences and Systems (CISS)

Y2 - 18 March 2015 through 20 March 2015

ER -

IM session identification by outlier detection in cross-correlation functions

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this