Accurate Real-Time Labeling of Application Traffic

In this paper, we present the design and implementation of ATLAS, a novel tool for automatically labeling network packets with the process responsible for them. Our tool is able to label all kinds of outbound packets based on Windows events and TCP stream information with ground-truth accuracy. Additionally, it is able to label DNS packets with the correct process name instead of just the DNS resolver. Using ATLAS, it is possible to create large datasets, e.g., to create software fingerprints or train machine learning classifiers. Another use-case is to inspect the network traffic of a machine to determine which application is communicating with whom. We evaluate the performance considering different load scenarios to demonstrate the real-time capacity of ATLAS. Additionally, we analyze the communication endpoints of a Windows 10 host and compare the results before and after disabling all privacy related settings.