Digging into HTTPS: Flow-Based Classification of Webmail Traffic

摘要

Recently, webmail interfaces, e.g., Horde, Outlook Web Access, and webmail platforms such as GMail, Yahoo!, and Hotmail have seen a tremendous boost in popularity. Given the importance of e-mail for personal and business use alike, and its exposure to imminent threats, there exists the need for a comprehensive view of the Internet mail system, including webmail traffic. In this paper we propose a novel, passive approach to identify webmail traffic solely based on network-level data in order to obtain a comprehensive view of the mail system. Key to our approach is that we leverage correlations across protocols and time to introduce novel features for HTTPS webmail classification: First, webmail servers tend to reside close to legacy IMAP and POP mail servers, which are easy to identify. Second, the usage of webmail services results in distinct patterns on sessions' duration and on the diurnal/weekly traffic usage profile. Third, traffic flows to webmail platforms exhibit inherent periodicities since AJAX-based clients periodically check for new messages. We use these features to build a simple classifier and detect webmail traffic on real-world NetFlow traces from a medium-sized backbone network. We believe that the major contribution of this paper - exploring a set of new features that could classify applications that run over HTTPS ports solely based on NetFlow data - will stimulate more general advance in the field of traffic classification.