{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T14:37:15Z","timestamp":1775054235741,"version":"3.50.1"},"reference-count":51,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2020,9,22]],"date-time":"2020-09-22T00:00:00Z","timestamp":1600732800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100000780","name":"European Commission","doi-asserted-by":"publisher","award":["780139"],"award-info":[{"award-number":["780139"]}],"id":[{"id":"10.13039\/501100000780","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>It has been proven in research literature that the analysis of encrypted traffic with statistical analysis and machine learning can reveal the type of activities performed by a user accessing the network, thus leading to privacy risks. In particular, different types of traffic (e.g., skype, web access) can be identified by extracting time based features and using them in a classifier. Such privacy attacks are asymmetric because a limited amount of resources (e.g., machine learning algorithms) can extract information from encrypted traffic generated by cryptographic systems implemented with a significant amount of resources. To mitigate privacy risks, studies in research literature have proposed a number of techniques, but in most cases only a single technique is applied, which can lead to limited effectiveness. 
This paper proposes a mitigation approach for privacy risks related to the analysis of encrypted traffic which is based on the integration of three main components: (1) A machine learning component which proactively analyzes the encrypted traffic in the network to identify potential privacy threats and evaluate the effectiveness of various mitigation techniques (e.g., obfuscation), (2) a policy based component where policies are used to enforce privacy mitigation solutions in the network and (3) a network node profile component based on the Manufacturer Usage Description (MUD) standard to enable changes in the network nodes in the cases where the first two components are not effective in mitigating the privacy risks. This paper describes the different components and how they interact in a potential deployment scenario. The approach is evaluated on the public dataset ISCXVPN2016 and the results show that the privacy threat can be mitigated significantly by removing completely the identification of specific types of traffic or by decreasing the probability of their identification as in the case of VOIP by 50%, Chat by 40% and Browsing by 33%, thus reducing significantly the privacy risk.<\/jats:p>","DOI":"10.3390\/sym12091576","type":"journal-article","created":{"date-parts":[[2020,9,24]],"date-time":"2020-09-24T03:03:39Z","timestamp":1600916619000},"page":"1576","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["Mitigation of Privacy Threats due to Encrypted Traffic Analysis through a Policy-Based Framework and MUD Profiles"],"prefix":"10.3390","volume":"12","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4830-1227","authenticated-orcid":false,"given":"Gianmarco","family":"Baldini","sequence":"first","affiliation":[{"name":"Joint Research Centre, European Commission, 1050 Ispra, 
Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7697-116X","authenticated-orcid":false,"given":"Jos\u00e9 L.","family":"Hernandez-Ramos","sequence":"additional","affiliation":[{"name":"Joint Research Centre, European Commission, 1050 Ispra, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0775-4935","authenticated-orcid":false,"given":"Slawomir","family":"Nowak","sequence":"additional","affiliation":[{"name":"Institute of Theoretical and Applied Informatics of the Polish Academy of Sciences (IITiS PAN), 44-100 Gliwice, Poland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ricardo","family":"Neisse","sequence":"additional","affiliation":[{"name":"Joint Research Centre, European Commission, 1050 Ispra, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8331-9599","authenticated-orcid":false,"given":"Mateusz","family":"Nowak","sequence":"additional","affiliation":[{"name":"Institute of Theoretical and Applied Informatics of the Polish Academy of Sciences (IITiS PAN), 44-100 Gliwice, Poland"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2020,9,22]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Rescorla, E. (2020, September 18). Rfc 8446: The Transport Layer Security (TLS) Protocol version 1.3. Internet Eng. Task Force (IETF) 2018. ISSN 2070-1721. Available online: https:\/\/tools.ietf.org\/html\/rfc8446.","DOI":"10.17487\/RFC8446"},{"key":"ref_2","unstructured":"Kent, S., and Seo, K. (2020, September 18). IETF RFC 4301: Security Architecture for the Internet Protocol. Available online: https:\/\/tools.ietf.org\/html\/rfc4301."},{"key":"ref_3","unstructured":"Google (2020, September 18). HTTPS Encryption on the Web. 
Available online: https:\/\/transparencyreport.google.com\/https\/overview."},{"key":"ref_4","unstructured":"Apthorpe, N., Reisman, D., and Feamster, N. (2017). A smart home is no castle: Privacy vulnerabilities of encrypted IoT traffic. arXiv."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Sherry, J., Lan, C., Popa, R.A., and Ratnasamy, S. (2015, January 17\u201321). Blindbox: Deep packet inspection over encrypted traffic. Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication, London, UK.","DOI":"10.1145\/2785956.2787502"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Bissias, G.D., Liberatore, M., Jensen, D., and Levine, B.N. (2005). Privacy Vulnerabilities in Encrypted HTTP Streams. International Workshop on Privacy Enhancing Technologies, Springer.","DOI":"10.1007\/11767831_1"},{"key":"ref_7","unstructured":"Sun, Q., Simon, D.R., Wang, Y.M., Russell, W., Padmanabhan, V.N., and Qiu, L. (2002, January 12\u201315). Statistical identification of encrypted web browsing traffic. Proceedings of the 2002 IEEE Symposium on Security and Privacy, Berkeley, CA, USA."},{"key":"ref_8","unstructured":"Paraskevi, D., Fajfer, J., M\u00fcller, N., Papadogiannaki, E., Rekleitis, E., and St\u0159as\u00e1k, F. (2020, September 18). Encrypted Traffic Analysis, ENISA Report. Available online: https:\/\/www.enisa.europa.eu\/publications\/encrypted-traffic-analysis."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Draper-Gil, G., Lashkari, A.H., Mamun, M.S.I., and Ghorbani, A.A. (2016, January 19\u201321). Characterization of encrypted and vpn traffic using time-related features. 
Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP), Rome, Italy.","DOI":"10.5220\/0005740704070414"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"60","DOI":"10.1016\/j.cose.2015.06.002","article-title":"SecKit: A model-based security toolkit for the internet of things","volume":"54","author":"Neisse","year":"2015","journal-title":"Comput. Secur."},{"key":"ref_11","unstructured":"OASIS (2020, September 18). eXtensible Access Control Markup Language Version 3.0. Available online: http:\/\/docs.oasis-open.org\/xacml\/3.0\/xacml-3.0-core-spec-os-en.html."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Lear, E., Romascanu, D., and Droms, R. (2020, September 18). Manufacturer Usage Description Specification (RFC 8520). Available online: https:\/\/datatracker.ietf.org\/doc\/rfc8520\/.","DOI":"10.17487\/RFC8520"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1016\/j.cose.2015.05.006","article-title":"Security of software defined networks: A survey","volume":"53","author":"Alsmadi","year":"2015","journal-title":"Comput. Secur."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Atlam, H.F., Alassafi, M.O., Alenezi, A., Walters, R.J., and Wills, G.B. (2018, January 19\u201321). XACML for Building Access Control Policies in Internet of Things. Proceedings of the IoTBDS, Funchal\/Madeira, Portugal.","DOI":"10.5220\/0006725102530260"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Ferraiolo, D., Chandramouli, R., Kuhn, R., and Hu, V. (2016, January 11). Extensible access control markup language (XACML) and next generation access control (NGAC). Proceedings of the 2016 ACM International Workshop on Attribute Based Access Control, New Orleans, LA, USA.","DOI":"10.1145\/2875491.2875496"},{"key":"ref_16","unstructured":"Gerth, R., Peled, D., Vardi, M.Y., and Wolper, P. (2020, September 16). 
Simple on-the-fly automatic verification of linear temporal logic. Proceedings of the International Conference on Protocol Specification, Testing and Verification, Available online: https:\/\/dl.acm.org\/doi\/10.5555\/645837.670574."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Baldini, G., and Neisse, R. (2020, January 3). On the application of Policy-based Frameworks to Autonomous Vehicles. Proceedings of the 2020 IEEE Global Internet of Things Summit (GIoTS), Dublin, Ireland.","DOI":"10.1109\/GIOTS49054.2020.9119682"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Hern\u00e1ndez-Ramos, J.L., Baldini, G., Neisse, R., Al-Naday, M., and Reed, M.J. (2019, January 17\u201321). A Policy-based Framework in Fog enabled Internet of Things for Cooperative ITS. Proceedings of the 2019 IEEE Global IoT Summit (GIoTS), Aarhus, Denmark.","DOI":"10.1109\/GIOTS.2019.8766360"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Bellessa, J., Kroske, E., Farivar, R., Montanari, M., Larson, K., and Campbell, R.H. (2011, January 4\u20137). Netodessa: Dynamic policy enforcement in cloud networks. Proceedings of the 2011 IEEE 30th Symposium on Reliable Distributed Systems Workshops, Madrid, Spain.","DOI":"10.1109\/SRDSW.2011.24"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Mendonca, M., Seetharaman, S., and Obraczka, K. (2012, January 10\u201315). A flexible in-network IP anonymization service. Proceedings of the 2012 IEEE international conference on communications (ICC), Ottawa, ON, Canada.","DOI":"10.1109\/ICC.2012.6364931"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Kl\u00f6ti, R., Kotronis, V., and Smith, P. (2013, January 7\u201310). OpenFlow: A security analysis. Proceedings of the 2013 21st IEEE International Conference on Network Protocols (ICNP), Goettingen, Germany.","DOI":"10.1109\/ICNP.2013.6733671"},{"key":"ref_22","unstructured":"Polk, T., Souppaya, M., and Barker, W.C. (2020, September 18). 
Mitigating IoT-Based Automated Distributed Threat, Available online: https:\/\/csrc.nist.gov\/publications\/detail\/white-paper\/2017\/10\/12\/mitigating-iot-based-automated-distributed-threats\/draft."},{"key":"ref_23","unstructured":"NIST (2020, September 18). Securing Small-Business and Home Internet of Things Devices: NIST SP 1800-15, Available online: https:\/\/csrc.nist.gov\/publications\/detail\/sp\/1800-15\/draft."},{"key":"ref_24","unstructured":"Jeffrey, V., Rick, K., Phillip, L., and Sophia, A. (2020, September 18). NISTIR 8222: Internet of Things (IoT) Trust Concerns, Available online: https:\/\/csrc.nist.gov\/publications\/detail\/white-paper\/2018\/10\/17\/iot-trust-concerns\/draft."},{"key":"ref_25","unstructured":"Watrobski, P., Klosterman, J., Barker, W., Souppaya, M., and Methodology for Characterizing Network Behavior of Internet of Things Devices (Draft) (2020, September 18). Technical Report, Available online: https:\/\/csrc.nist.gov\/publications\/detail\/white-paper\/2020\/04\/01\/methodology-for-characterizing-network-behavior-of-iot-devices\/draft."},{"key":"ref_26","unstructured":"Droms, R. (2020, September 18). Dynamic Host Configuration Protocol (RFC 2131). Available online: https:\/\/tools.ietf.org\/html\/rfc2131."},{"key":"ref_27","unstructured":"(2020, September 18). Link Layer Discovery Protocol. Available online: https:\/\/en.wikipedia.org\/wiki\/Link_Layer_Discovery_Protocol."},{"key":"ref_28","unstructured":"Feraudo, A., Yadav, P., Mortier, R., Bellavista, P., and Crowcroft, J. (2020). SoK: Beyond IoT MUD Deployments\u2013 Challenges and Future Directions. arXiv."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Garc\u00eda, S.N.M., Molina Zarca, A., Hern\u00e1ndez-Ramos, J.L., Bernab\u00e9, J.B., and G\u00f3mez, A.S. (2019). Enforcing Behavioral Profiles through Software-Defined Networks in the Industrial Internet of Things. Appl. 
Sci., 9.","DOI":"10.3390\/app9214576"},{"key":"ref_30","unstructured":"Sarikaya, B., Sethi, M., and Garcia-Carillo, D. (2020, September 18). Secure IoT Bootstrapping: A Survey. Available online: https:\/\/tools.ietf.org\/id\/draft-sarikaya-t2trg-sbootstrapping-05.html."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Matheu, S.N., Robles Enciso, A., Molina Zarca, A., Garcia-Carrillo, D., Hern\u00e1ndez-Ramos, J.L., Bernal Bernabe, J., and Skarmeta, A.F. (2020). Security Architecture for Defining and Enforcing Security Profiles in DLT\/SDN-Based IoT Systems. Sensors, 20.","DOI":"10.3390\/s20071882"},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"4003","DOI":"10.1109\/JIOT.2018.2870984","article-title":"Multihop bootstrapping with EAP through CoAP intermediaries for IoT","volume":"5","year":"2018","journal-title":"IEEE Internet Things J."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Hamza, A., Gharakheili, H.H., and Sivaraman, V. (2018, January 20). Combining MUD policies with SDN for IoT intrusion detection. Proceedings of the 2018 Workshop on IoT Security and Privacy, Budapest, Hungary.","DOI":"10.1145\/3229565.3229571"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Hamza, A., Gharakheili, H.H., Benson, T.A., and Sivaraman, V. (2019, January 3\u20134). Detecting volumetric attacks on loT devices via SDN-based monitoring of MUD activity. Proceedings of the 2019 ACM Symposium on SDN Research, San Jose, CA, USA.","DOI":"10.1145\/3314148.3314352"},{"key":"ref_35","unstructured":"Ranganathan, M. (2019, January 24\u201328). Soft MUD: Implementing manufacturer usage descriptions on OpenFlow SDN switches. 
Proceedings of the International Conference on Networks (ICN), Valencia, Spain."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1145\/1355734.1355746","article-title":"OpenFlow-enabling innovation in campus networks","volume":"38","author":"McKeown","year":"2008","journal-title":"ACM Sigcomm Comput. Commun. Rev."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"3969","DOI":"10.3233\/JIFS-190159","article-title":"Distributed denial of service attack detection using autoencoder and deep neural networks","volume":"37","author":"Catak","year":"2019","journal-title":"J. Intell. Fuzzy Syst."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Wang, W., Zhu, M., Wang, J., Zeng, X., and Yang, Z. (2017, January 22\u201324). End-to-end encrypted traffic classification with one-dimensional convolution neural networks. Proceedings of the 2017 IEEE International Conference on Intelligence and Security Informatics (ISI), Beijing, China.","DOI":"10.1109\/ISI.2017.8004872"},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"55380","DOI":"10.1109\/ACCESS.2018.2872430","article-title":"Datanet: Deep learning based encrypted network traffic classification in sdn home gateway","volume":"6","author":"Wang","year":"2018","journal-title":"IEEE Access"},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"355","DOI":"10.1002\/nem.1901","article-title":"A survey of methods for encrypted traffic classification and analysis","volume":"25","author":"Velan","year":"2015","journal-title":"Int. J. Netw. Manag."},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Fan, Y., Jiang, Y., Zhu, H., and Shen, X. (2009, January 19\u201325). An efficient privacy-preserving scheme against traffic analysis attacks in network coding. Proceedings of the IEEE INFOCOM 2009, Rio de Janeiro, Brazil.","DOI":"10.1109\/INFCOM.2009.5062146"},{"key":"ref_42","unstructured":"Paillier, P. (1999, January 2\u20136). 
Public-key cryptosystems based on composite degree residuosity classes. Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Prague, Czech Republic."},{"key":"ref_43","first-page":"864","article-title":"Encryption Performance Improvements of the Paillier Cryptosystem","volume":"2015","author":"Jost","year":"2015","journal-title":"IACR Cryptol. EPrint Arch"},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Lin, Y.H., Shen, S.H., Yang, M.H., Yang, D.N., and Chen, W.T. (2016, January 22\u201327). Privacy-preserving deep packet filtering over encrypted traffic in software-defined networks. Proceedings of the 2016 IEEE International Conference on Communications (ICC), Kuala Lumpur, Malaysia.","DOI":"10.1109\/ICC.2016.7510993"},{"key":"ref_45","doi-asserted-by":"crossref","first-page":"1206","DOI":"10.1109\/JIOT.2018.2799820","article-title":"Epic: A differential privacy framework to defend smart homes against internet traffic analysis","volume":"5","author":"Liu","year":"2018","journal-title":"IEEE Internet Things J."},{"key":"ref_46","doi-asserted-by":"crossref","first-page":"2916","DOI":"10.1109\/TIFS.2019.2911156","article-title":"Hedge: Efficient traffic classification of encrypted and compressed packets","volume":"14","author":"Casino","year":"2019","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_47","doi-asserted-by":"crossref","unstructured":"Jethanandani, M., Blair, D., Huang, L., and Agarwal, S. (2020, September 18). YANG Data Model for Network Access Control Lists (RFC8519). Available online: https:\/\/tools.ietf.org\/html\/rfc8519.","DOI":"10.17487\/RFC8519"},{"key":"ref_48","unstructured":"Bray, T. (2020, September 18). The JavaScript Object Notation (JSON) Data Interchange Format (RFC8259). 
Available online: https:\/\/tools.ietf.org\/id\/draft-ietf-jsonbis-rfc7159bis-04.html."},{"key":"ref_49","doi-asserted-by":"crossref","first-page":"273","DOI":"10.1007\/BF00994018","article-title":"Support-vector networks","volume":"20","author":"Cortes","year":"1995","journal-title":"Mach. Learn."},{"key":"ref_50","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1023\/A:1025667309714","article-title":"Theoretical and empirical analysis of ReliefF and RReliefF","volume":"53","author":"Kononenko","year":"2003","journal-title":"Mach. Learn."},{"key":"ref_51","doi-asserted-by":"crossref","unstructured":"Agrawal, R., and Srikant, R. (2000, January 16\u201318). Privacy-preserving data mining. Proceedings of the 2000 ACM SIGMOD International Conference on Management of Data, Dallas, TX, USA.","DOI":"10.1145\/342009.335438"}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/12\/9\/1576\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T10:12:31Z","timestamp":1760177551000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/12\/9\/1576"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,9,22]]},"references-count":51,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2020,9]]}},"alternative-id":["sym12091576"],"URL":"https:\/\/doi.org\/10.3390\/sym12091576","relation":{},"ISSN":["2073-8994"],"issn-type":[{"value":"2073-8994","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,9,22]]}}}