Several fundamental security mechanisms for restricting access to network resources rely on the ability of a reference monitor to inspect the contents of traffic as it traverses the network. However, with the increasing popularity of cryptographic protocols, the traditional approach of inspecting packet contents to enforce security policies is no longer viable, because message contents are concealed by encryption. This project encompasses the first major component of a principled investigation into the feasibility of protocol identification based solely on those features that remain intact after encryption, namely packet size, inter-arrival time and direction. More specifically, this work aims to provide a better understanding of the limits of protocol recognition through a thorough statistical analysis and information-theoretic assessment of these features in protocol behaviors observed in the wild. The project advances the current state of the art and contributes to the scientific community by building efficient mixture models for detecting protocols with multi-modal behaviors, designing practical tools for visualizing behavioral motifs in TCP sequences, providing new information-theoretic decision policies for assigning protocol class labels to these sequences, and introducing new notions for assessing realistic masquerading attacks and the appropriate defenses.
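As an added illustration (not code from the project), the following Python sketch shows one information-theoretic decision policy of the kind the abstract describes: each protocol class is summarised as a distribution over symbols built only from packet direction, size bucket and inter-arrival bucket, and a new flow is labelled with the class whose model is closest in relative entropy, abstaining when no class is clearly closer. The protocol names, bucket thresholds, training traces and abstention margin are all constructed assumptions.

```python
from collections import Counter
from math import log

# Coarse symbol alphabet over the features that survive encryption:
# direction (+1 client->server, -1 server->client), a size bucket, a gap bucket.
ALPHABET = [(d, s, g) for d in (1, -1) for s in range(3) for g in range(2)]

def symbol(pkt):
    """Quantise one packet (size_bytes, direction, inter_arrival_s) to a symbol."""
    size, direction, gap = pkt
    size_b = 0 if size < 128 else (1 if size < 1024 else 2)
    gap_b = 0 if gap < 0.01 else 1
    return (direction, size_b, gap_b)

def model(flows, alpha=1.0):
    """Additively smoothed symbol distribution learned from a protocol's flows."""
    counts = Counter(symbol(p) for f in flows for p in f)
    total = sum(counts.values()) + alpha * len(ALPHABET)
    return {a: (counts[a] + alpha) / total for a in ALPHABET}

def kl(p, q):
    """Relative entropy D(p || q) in nats; q is smoothed so it is never zero."""
    return sum(p[a] * log(p[a] / q[a]) for a in ALPHABET if p[a] > 0)

def classify(flow, models, margin=0.5):
    """Assign the label whose model is closest to the flow's empirical distribution.
    Abstain ('unknown') when the runner-up is within `margin` nats: a flow that
    fits no known protocol well should not be forced into a class."""
    if not flow:
        return "unknown"
    emp = model([flow], alpha=0.0)  # unsmoothed empirical distribution of this flow
    ranked = sorted((kl(emp, m), name) for name, m in models.items())
    if len(ranked) > 1 and ranked[1][0] - ranked[0][0] < margin:
        return "unknown"
    return ranked[0][1]

# Constructed training traces for two hypothetical protocol classes (not real
# captures): a bulk-transfer pattern and a chatty interactive pattern.
TRAIN = {
    "bulk": [[(60, 1, 0.001), (1400, -1, 0.005), (1400, -1, 0.001), (60, 1, 0.002)] * 4],
    "interactive": [[(80, 1, 0.4), (90, -1, 0.05), (70, 1, 0.6), (95, -1, 0.04)] * 4],
}
MODELS = {name: model(flows) for name, flows in TRAIN.items()}

if __name__ == "__main__":
    print(classify([(64, 1, 0.002), (1448, -1, 0.003), (1448, -1, 0.001)] * 3, MODELS))
    print(classify([(500, 1, 0.2), (500, -1, 0.2)] * 3, MODELS))
```

A memoryless symbol model ignores ordering, so it cannot capture the multi-modal or sequential motifs the project's mixture models target; it is the decision rule, not the feature model, that this sketch demonstrates.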

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Application #: 0546350
Program Officer: Karl Levitt
Project Start:
Project End:
Budget Start: 2006-09-01
Budget End: 2008-12-31
Support Year:
Fiscal Year: 2005
Total Cost: $240,000
Indirect Cost:
Name: Johns Hopkins University
Department:
Type:
DUNS #:
City: Baltimore
State: MD
Country: United States
Zip Code: 21218