Abstract: With the rapid development of mobile networks, more users choose to protect privacy, hide online behavior and bypass the restrictions of networks by using proxy applications. As a result, new challenges are brought to network management and auditing. In addition, malicious attackers can use proxy to hide their identity, making it more difficult to detect and prevent such malicious behavior. Therefore, proxy application traffic identification plays an important role in network management and security, while this issue has not been fully studied at present. Because the proxy application traffic is usually encrypted and obfuscated, the traditional traffic identification methods can not be applied effectively. To achieve accurate and fast traffic identification of mobile proxy applications, a set of side- channel traffic features that are independent of the payload is proposed. The option field in the TCP header is used for the first time to describe the traffic characteristics. Four machine learning algorithms with two kinds of identification objects are utilized to validate the effectiveness and importance of the proposed feature set. The experimental results show that the proposed features can effectively identify proxy application traffic. More than 99% accuracy can be achieved when identifying whether traffic is forwarded by proxy applications based on random forest. Moreover, the average accuracy is higher than 94% when identifying which proxy application the traffic belongs to. Compared with other methods, the proposed method has better accuracy and faster classification speed on the public dataset ISCX VPN- nonVPN. Hence, it is more suitable for real-time traffic identification scenarios.

Key words: proxy application traffic identification, mobile application, machine learning, traffic feature, decision tree