You might want to include mean/median/distribution of read/write IO sizes on SSL connections; you might find 'normal' SSL accesses (even with AJAXed stuff?) has different access patterns versus command-line SSL.
Are there any fingerprint bits in the SSL exchange which would tell you its at least SSL encrypted traffic, versus just traffic not tunneled inside SSL? Thats probably a good starting point. Adrian
