ENiD: An Encrypted Web Pages Traffic Identification Based on Web Visiting Behavior

With the development of network encryption technologies, more websites use encrypted web pages to protect users' data security. Despite this, attackers use encrypted web pages to hide real web content, such as phishing pages, malware, bots, etc. Detecting such vulnerable web pages and malicious phishing websites can be accomplished by identifying encrypted web pages. In recent years, using traffic features and machine learning to identify encrypted web pages is one of the most important research directions in cyber security. In this paper, we propose ENiD, an encrypted web page traffic identification approach. This method uses upload-only blocks and accumulation response size to describe the web page visiting process. Based on a large number of encrypted web page traffic case studies, we evaluated the contributions of different features and selected those features that contributed the most. We first capture and publish the encrypted web pages traffic dataset, which contains 8,480 web pages traffic. We evaluate our method's effectiveness by four machine learning algorithms, which shows that our approach achieved accuracy and an F1 score of 0.97 on 50 web pages. Moreover, we evaluate the effectiveness of ENiD on different numbers of web pages, and the results demonstrate that our methods are still effective on more than 400 web pages.