Behavior-Based Method for Real-Time Identification of Encrypted Proxy Traffic

Encrypted proxy is often used to hide malicious behavior or criminal activity on the Internet. Therefore, identifying encrypted proxy traffic is essential for network management and communication security. Existing researches usually use statistical features to profile network flows, which only have limited effects on encrypted proxy traffic, and are not suitable for real-time identification. In this paper, a novel behavior-based approach for encrypted proxy traffic detection is proposed. Two unique behavior features, IP proxy and data encryption behaviors, which are highly related to the activity of accessing network through encrypted proxies, are defined as learning features. Machine learning techniques are adopted for encrypted proxy traffic identification. The experiments on a real V2Ray traffic dataset demonstrate that the behavior-based method can identify encrypted proxy traffic with high accuracy, up to 99.86%. Besides, the method can timely seek out target flows, as all those behavior features can be obtained in the first packet.