Chapter 24: Standard
• High Entropy, page 311
• Statistical Protocol IDentification, page 311
24.1. High Entropy
High Entropy is a virtual protocol used to detect potentially encrypted payloads. Important note:
this layer has been classified since version 4.18.0 of the ixEngine framework. The
classification combines two methods: computation of the payload's entropy value, and
detection of printable strings (a high-entropy payload that still contains readable strings is
not treated as encrypted). Only sessions over tcp and udp that are still unknown after the
regular classifiers are examined.
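To make the two heuristics concrete, here is an added example (not ixEngine code; ixEngine's actual thresholds, window sizes and definition of a "printable string" are not documented on this page, so the constants, function names and sample payloads below are assumptions) that computes the empirical Shannon entropy of a payload, measures its printable-byte share and longest printable run, and only labels a buffer high-entropy when the entropy is high AND no readable string is found. It also refuses payloads too short to give a meaningful 8-bit entropy estimate.

```python
"""Toy high-entropy / printable-strings payload check (added example, not ixEngine code)."""
import hashlib
import math

# Assumed thresholds for this example; ixEngine's real ones are not on this page.
MIN_PAYLOAD = 64      # n bytes can never exceed log2(n) bits of entropy, so tiny buffers are skipped
ENTROPY_MIN = 7.0     # bits per byte; 1 KiB of uniform random data scores about 7.8
PRINTABLE_MAX = 0.6   # uniform random data is ~38% printable, plaintext is ~100%
STRING_MIN = 20       # a printable run this long is treated as an embedded string

# Printable: ASCII 0x20-0x7E plus tab, LF, CR.
PRINTABLE = frozenset(range(0x20, 0x7F)) | frozenset({0x09, 0x0A, 0x0D})


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def longest_printable_run(data: bytes) -> int:
    """Length of the longest consecutive run of printable bytes (a crude 'strings')."""
    best = run = 0
    for b in data:
        run = run + 1 if b in PRINTABLE else 0
        best = max(best, run)
    return best


def features(payload: bytes) -> dict:
    return {
        "entropy": shannon_entropy(payload),
        "printable_ratio": printable_ratio(payload),
        "longest_string": longest_printable_run(payload),
    }


def classify(payload: bytes) -> str:
    """Return 'high_entropy', 'unknown' (looks like plaintext/structured data) or 'too_short'."""
    if len(payload) < MIN_PAYLOAD:
        return "too_short"
    f = features(payload)
    if f["entropy"] < ENTROPY_MIN:
        return "unknown"
    # Second method: printable strings inside an otherwise random-looking buffer
    # (copyright banners, format headers) mean it is not opaque ciphertext.
    if f["printable_ratio"] > PRINTABLE_MAX or f["longest_string"] >= STRING_MIN:
        return "unknown"
    return "high_entropy"


def pseudo_random(n: int, seed: bytes = b"example-seed") -> bytes:
    """Deterministic SHA-256 counter stream standing in for ciphertext (constructed data)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "http_request": (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                     b"User-Agent: curl/8.0\r\nAccept: */*\r\n\r\n"),
    "zero_filled": bytes(1024),
    "ciphertext": pseudo_random(1024),
    "ciphertext_with_banner": (pseudo_random(512, b"a")
                               + b"Copyright (c) Example Corp, all rights reserved"
                               + pseudo_random(512, b"b")),
    "tiny": pseudo_random(16),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        f = features(payload)
        print(f"{name:24s} {classify(payload):13s} H={f['entropy']:.2f} "
              f"printable={f['printable_ratio']:.2f} run={f['longest_string']}")
```

Two caveats worth keeping in mind when reading the real layer's verdicts: compressed data also scores close to 8 bits per byte, which is why the page says "potentially encrypted" rather than "encrypted"; and an entropy estimate over a handful of bytes is biased low, so a detector that does not enforce a minimum payload size will simply never fire on short sessions.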
Family: Behavioral
Over: unknown
Revision: 3
Risk level: 1
Tag: Not Used
24.2. Statistical Protocol IDentification
SPID (Statistical Protocol IDentification) is a statistical classification engine, used to identify
encrypted or obfuscated streams from advanced peer-to-peer or VPN protocols (e.g. BitTorrent
RC4 streams).
Family: Behavioral
Over: socks4
Over: socks5
Over: tcp
Over: udp
Revision: 8
Risk level: 1
Tag: Not Used