ML-based tunnel detection and tunneled application classification. (arXiv:2201.10371v1 [cs.CR])

Encrypted tunneling protocols are widely used. Beyond business and personal
uses, malicious actors also deploy tunneling to hinder the detection of Command
and Control and data exfiltration. A common approach to maintain visibility on
tunneling is to rely on network traffic metadata and machine learning to
analyze tunnel occurrence without actually decrypting data. Existing work that
address tunneling protocols however exhibit several weaknesses: their goal is
to detect application inside tunnels and not tunnel identification, they
exhibit limited protocol coverage …

application classification detection tunnel