by H8crilA
1085 days ago
It's extremely intuitive. You're trying to filter unusual, encrypted traffic. The first rule exploits the IND-CPA property of most encryption. You want to kill traffic that has about 4 bits set to 1 per byte, i.e. traffic that "looks random". The following rules are exemptions for permissible encrypted or compressed traffic (note that compression, while not IND-CPA, results in high entropy and thus will trigger the first rule). This could work very well, which is confirmed by the researchers in this paper.
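An added illustration of the two-stage rule sketched in the comment above (flag payloads that "look random", then exempt known encrypted or compressed services). This is not the commenter's or the paper's code; the thresholds, the minimum payload length and the port allow-list are assumptions, and the samples are constructed.

```python
"""Toy 'looks random' traffic filter. Rule 1 flags payloads whose bit density
sits near 4 bits/byte AND whose byte distribution is high-entropy; later rules
exempt services expected to carry ciphertext. Thresholds are assumptions."""
import hashlib
import math
from collections import Counter

# Assumed exemptions: destination ports where encrypted traffic is expected.
EXEMPT_DST_PORTS = {443, 22}


def mean_bits_set(payload: bytes) -> float:
    """Average popcount per byte; IND-CPA ciphertext sits near 4.0."""
    return sum(bin(b).count("1") for b in payload) / len(payload) if payload else 0.0


def byte_entropy(payload: bytes) -> float:
    """Shannon entropy of the byte-value distribution, in bits per byte (max 8)."""
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values()) if n else 0.0


def looks_random(payload: bytes, min_len: int = 256) -> bool:
    """Rule 1. Popcount alone is a weak test (printable ASCII can also land
    near 4 bits/byte, and 0x0f repeated hits exactly 4.0), so both must agree."""
    if len(payload) < min_len:  # too short for either statistic to be stable
        return False
    return abs(mean_bits_set(payload) - 4.0) <= 0.25 and byte_entropy(payload) >= 7.0


def filter_decision(payload: bytes, dst_port: int) -> str:
    """Rule 1 followed by the exemption rules; returns 'drop' or 'allow'."""
    if looks_random(payload) and dst_port not in EXEMPT_DST_PORTS:
        return "drop"
    return "allow"


def hash_chain(seed: bytes, n: int) -> bytes:
    """Constructed stand-in for ciphertext: deterministic pseudorandom bytes."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


CIPHERTEXT_LIKE = hash_chain(b"constructed-sample", 1024)          # constructed
PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n" * 8  # constructed

if __name__ == "__main__":
    for name, data in (("ciphertext-like", CIPHERTEXT_LIKE), ("plaintext", PLAINTEXT)):
        print(f"{name:15s} bits/byte={mean_bits_set(data):.2f} "
              f"entropy={byte_entropy(data):.2f} rule1={looks_random(data)}")
    print("port 8443 ->", filter_decision(CIPHERTEXT_LIKE, 8443),
          "| port 443 ->", filter_decision(CIPHERTEXT_LIKE, 443))
```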