Is Encrypted ClientHello a Challenge for Traffic Classification?

Abstract

Although the widely-used Transport Layer Security (TLS) protocol hides application data, an unencrypted part of the TLS handshake, specifically the server name indication (SNI), is a backdoor for encrypted traffic classification frameworks. The recently developed Encrypted ClientHello (ECH) amendment to the TLS protocol aims to protect the privacy-sensitive content of the ClientHello message, including SNI. Conversely, ECH can be a game-changer in the early detection of encrypted traffic. The paper shows that the performance of the state-of-the-art traffic classification algorithms degrades significantly with the introduction of the ECH. Hence, novel approaches to real-time traffic classification are required. The paper develops two novel traffic classification algorithms to address this challenge. The first one uses unencrypted bytes of the TLS Hello messages as independent features of the Random Forest algorithm. It is extremely lightweight and suits throughput-focused traffic classification. It is faster than state-of-the-art algorithms by three times and achieves higher classification quality. The second algorithm augments the approach of the first one by focusing on the particular metadata of the handshake. This way, it efficiently extracts data from the exchange and achieves the highest classification quality in all the considered scenarios. It has a three times lower error rate than state-of-the-art algorithms and provides a reliable classification of ECH traffic.