12342 of 4
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Life of a Security Middlebox: Challenges with Emerging Protocols and Technologies
Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013).ORCID iD: 0000-0001-9886-6651
2020 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The Internet of today has intermediary devices known as middleboxes that perform more functions than the normal packet forwarding function of a router. Security middleboxes are a subset of these middleboxes and face an increasingly difficult task to perform their functions correctly. These middleboxes make many assumptions about the traffic that may not hold true any longer with the advent of new protocols such as MPTCP and technologies like end-to-end encryption.

The work in this thesis focuses on security middleboxes and the challenges they face. We develop methods and solutions to help these security middleboxes continue to function correctly. In particular, we investigate the case of using MPTCP over traditional security infrastructure as well as the case of end-to-end encryption. We study how practical it is to evade a security middlebox by fragmenting and sending traffic across multiple paths using MPTCP. We then go on to propose possible solutions to detect such attacks and implement them. The potential MPTCP scenario where security middleboxes only have access to part of the traffic is also investigated and addressed. Moreover, the thesis contributes a machine learning based approach to help security middleboxes detect malware in encrypted traffic without decryption.

Abstract [en]

The Internet of today has intermediary devices known as middleboxes thatperform more functions than the normal packet forwarding function of arouter. Security middleboxes are a subset of these middleboxes and face anincreasingly difficult task to perform their functions correctly in the wake ofemerging protocols and technologies on the Internet. Security middleboxesmake many assumptions about the traffic, e.g., they assume that traffic froma single connection always arrives over the same path and they often expectto observe plaintext data. These along with many other assumptions may nothold true any longer with the advent of new protocols such as MPTCP andtechnologies like end-to-end encryption.

The work in this thesis focuses on security middleboxes and the challengesthey face in performing their functions in an evolving Internet where newnetworking protocols and technologies are regularly introduced. We developmethods and solutions to help these security middleboxes continue to functioncorrectly. In particular, we investigate the case of using MPTCP overtraditional security infrastructure as well as the case of end-to-end encryption.

We study how practical it is to evade a security middlebox by fragmentingand sending traffic across multiple paths using MPTCP. Attack traffic that isgenerated from a self-developed tool is used to evaluate such attacks to showthat these attacks are feasible. We then go on to propose possible solutionsto detect such attacks and implement them. The potential MPTCP scenariowhere security middleboxes only have access to part of the traffic is also investigated.Furthermore, we propose and implement an algorithm to performintrusion detection in such situations. Moreover, the thesis contributes a machinelearning based approach to help security middleboxes detect malware inencrypted traffic without decryption.

Place, publisher, year, edition, pages
Karlstad: Karlstads universitet, 2020. , p. 26
Series
Karlstad University Studies, ISSN 1403-8099 ; 2020:10
Keywords [en]
network security, TCP, MPTCP, IDS, Snort, edit-distance, encryption
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-76291ISBN: 978-91-7867-093-2 (print)ISBN: 978-91-7867-103-8 (electronic)OAI: oai:DiVA.org:kau-76291DiVA, id: diva2:1385548
Public defence
2020-02-28, 21A342, Eva Erikssonsalen, Karlstad, 10:15 (English)
Opponent
Supervisors
Available from: 2020-02-05 Created: 2020-01-14 Last updated: 2020-02-05Bibliographically approved
List of papers
1. Multipath TCP IDS Evasion and Mitigation
Open this publication in new window or tab >>Multipath TCP IDS Evasion and Mitigation
2015 (English)In: Information Security: 18th International Conference, ISC 2015, Trondheim, Norway, September 9-11, 2015, Proceedings / [ed] Javier Lopez & Chris J. Mitchell, Springer, 2015, Vol. 9290, p. 265-282Conference paper, Published paper (Refereed)
Abstract [en]

The existing network security infrastructure is not ready for future protocols such as Multipath TCP (MPTCP). The outcome is that middleboxes are configured to block such protocols. This paper studies the security risk that arises if future protocols are used over unaware infrastructures. In particular, the practicality and severity of cross-path fragmentation attacks utilizing MPTCP against the signature-matching capability of the Snort intrusion detection system (IDS) is investigated. Results reveal that the attack is realistic and opens the possibility to evade any signature-based IDS. To mitigate the attack, a solution is also proposed in the form of the MPTCP Linker tool. The work outlines the importance of MPTCP support in future network security middleboxes.

Place, publisher, year, edition, pages
Springer, 2015
Series
Lecture Notes in Computer Science, ISSN 0302-9743 ; 9290
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-39058 (URN)10.1007/978-3-319-23318-5_15 (DOI)000363678700015 ()978-3-319-23317-8 (ISBN)
Conference
The 18th Information Security Conference (ISC), Trondheim, Norway, September 9-11, 2015.
Projects
HITS, 4707
Funder
Knowledge Foundation
Available from: 2016-01-18 Created: 2016-01-18 Last updated: 2020-01-14Bibliographically approved
2. Towards Multipath TCP Aware Security Technologies
Open this publication in new window or tab >>Towards Multipath TCP Aware Security Technologies
2016 (English)In: 2016 8th IFIP International Conference onNew Technologies, Mobility and Security (NTMS), New York: IEEE, 2016, p. 1-8Conference paper, Published paper (Refereed)
Abstract [en]

Multipath TCP (MPTCP) is a proposed extension to TCP that enables a number of performance advantages that have not been offered before. While the protocol specification is close to being finalized, there still remain some unaddressed challenges regarding the deployment and security implications of the protocol. This work attempts to tackle some of these concerns by proposing and implementing MPTCP aware security services and deploying them inside a proof of concept MPTCP proxy. The aim is to enable hosts, even those without native MPTCP support, to securely benefit from the MPTCP performance advantages. Our evaluations show that the security services that are implemented enable proper intrusion detection and prevention to thwart potential attacks as well as threshold rules to prevent denial of service (DoS) attacks.

Place, publisher, year, edition, pages
New York: IEEE, 2016
National Category
Computer Sciences
Identifiers
urn:nbn:se:kau:diva-47594 (URN)10.1109/NTMS.2016.7792485 (DOI)000391578700063 ()978-1-5090-2914-3 (ISBN)
Conference
8th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Larnaca, Cyprus 21-23 November 2016
Projects
HITS, 4707
Funder
Knowledge Foundation
Available from: 2017-01-06 Created: 2017-01-06 Last updated: 2020-01-14Bibliographically approved
3. Slice Distance: An Insert-Only Levenshtein Distance with a Focus on Security Applications
Open this publication in new window or tab >>Slice Distance: An Insert-Only Levenshtein Distance with a Focus on Security Applications
2018 (English)In: Proceedings of NTMS 2018 Conference and Workshop, New York: IEEE, 2018, p. 1-5Conference paper, Published paper (Refereed)
Abstract [en]

Levenshtein distance is well known for its use in comparing two strings for similarity. However, the set of considered edit operations used when comparing can be reduced in a number of situations. In such cases, the application of the generic Levenshtein distance can result in degraded detection and computational performance. Other metrics in the literature enable limiting the considered edit operations to a smaller subset. However, the possibility where a difference can only result from deleted bytes is not yet explored. To this end, we propose an insert-only variation of the Levenshtein distance to enable comparison of two strings for the case in which differences occur only because of missing bytes. The proposed distance metric is named slice distance and is formally presented and its computational complexity is discussed. We also provide a discussion of the potential security applications of the slice distance.

Place, publisher, year, edition, pages
New York: IEEE, 2018
Keywords
Measurement, Pattern matching, Time complexity, Transforms, Security, DNA
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-67012 (URN)10.1109/NTMS.2018.8328718 (DOI)000448864200049 ()978-1-5386-3662-6 (ISBN)978-1-5386-3663-3 (ISBN)
Conference
9th IFIP International Conference on New Technologies, Mobility and Security, 26-28 February 2018, Paris, France
Projects
HITS, 4707
Funder
Knowledge Foundation, 4707
Available from: 2018-04-17 Created: 2018-04-17 Last updated: 2020-01-14Bibliographically approved
4. Using Partial Signatures in Intrusion Detection for Multipath TCP
Open this publication in new window or tab >>Using Partial Signatures in Intrusion Detection for Multipath TCP
2019 (English)In: Secure IT-systems: 24th Nordic Conference, NordSec 2019, Aalborg, Denmark, November 18–20, 2019, Proceedings / [ed] Aslan Askarov, René Rydhof Hansen, Willard Rafnsson, Cham, Switzerland: Springer, 2019, p. 71-86Conference paper, Published paper (Refereed)
Abstract [en]

Traditional security mechanisms such as signature basedintrusion detection systems (IDSs) attempt to find a perfect match of aset of signatures in network traffic. Such IDSs depend on the availabilityof a complete application data stream. With emerging protocols such asMultipath TCP (MPTCP), this precondition cannot be ensured, result-ing in false negatives and IDS evasion. On the other hand, if approximatesignature matching is used instead in an IDS, a potentially high numberof false positives make the detection impractical. In this paper, we showthat, by using a specially tailored partial signature matcher and knowl-edge about MPTCP semantics, the Snort3 IDS can be empowered withpartial signature detection. Additionally, we uncover the type of Snort3rules suitable for the task of partial matching. Experimental results withthese rules show a low false positive rate for benign traffic and highdetection coverage for attack traffic.

Place, publisher, year, edition, pages
Cham, Switzerland: Springer, 2019
Series
Lecture Notes in Computer Science, ISSN 0302-9743 ; 11875
National Category
Engineering and Technology
Research subject
Computer Science; Computer Science
Identifiers
urn:nbn:se:kau:diva-75755 (URN)10.1007/978-3-030-35055-0_5 (DOI)
Conference
NordSec2019: 24th Nordic Conference on Secure IT Systems, 18-20 November, 2019, Aalborg, Denmark,
Available from: 2019-11-14 Created: 2019-11-14 Last updated: 2020-01-14Bibliographically approved
5. Using Features of Encrypted Network Traffic to Detect Malware
Open this publication in new window or tab >>Using Features of Encrypted Network Traffic to Detect Malware
(English)Manuscript (preprint) (Other academic)
Abstract [en]

Encryption on the Internet is as pervasive as ever. This has protected communications and enhanced the privacy of users. Unfortunately, at the same time malware is also increasingly using encryption to hide its operation. The detection of such encrypted malware is crucial, but the traditional detection solutions assume access to payload data. To overcome this limitation, such solutions employ traffic decryption strategies that have severe drawbacks. This paper studies the usage of encryption for malicious and benign purposes using large datasets and proposes a machine learning based solution to detect malware using connection and TLS metadata without any decryption. The classification is shown to be highly accurate with high precision and recall rates by using only a small number of features. Furthermore, we consider the deployment aspects of the solution and discuss different strategies to reduce the false positive rate.  

National Category
Engineering and Technology
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-76289 (URN)
Available from: 2020-01-14 Created: 2020-01-14 Last updated: 2020-01-14
6. IDS rule management made easy
Open this publication in new window or tab >>IDS rule management made easy
2016 (English)In: Electronics, Computers and Artificial Intelligence (ECAI), 2016 8th International Conference on, IEEE, 2016Conference paper, Published paper (Refereed)
Abstract [en]

Signature-based intrusion detection systems (IDSs) are commonly utilized in enterprise networks to detect and possibly block a wide variety of attacks. Their application in industrial control systems (ICSs) is also growing rapidly as modem ICSs increasingly use open standard protocols instead of proprietary. Due to an ever changing threat landscape, the rulesets used by these IDSs have grown large and there is no way to verify their precision or accuracy. Such broad and non-optimized rulesets lead to false positives and an unnecessary burden on the IDS, resulting in possible degradation of the security. This work proposes a methodology consisting of a set of tools to help optimize the IDS rulesets and make rule management easier. The work also provides attack traffic data that is expected to benefit the task of IDS assessment.

Place, publisher, year, edition, pages
IEEE, 2016
Series
International Conference on Electronics Computers and Artificial Intelligence, ISSN 2378-7147
National Category
Computer Sciences
Identifiers
urn:nbn:se:kau:diva-48016 (URN)10.1109/ECAI.2016.7861119 (DOI)000402541200055 ()978-1-5090-2048-5 (ISBN)978-1-5090-2047-8 (ISBN)
Conference
8th International Conference on Electronics, Computers and Artificial Intelligence (ECAI), 30 June-2 July 2016, Ploiesti, Romania
Projects
HITS, 4707
Funder
Knowledge Foundation
Available from: 2017-02-24 Created: 2017-02-24 Last updated: 2020-01-14Bibliographically approved

Open Access in DiVA

fulltext(1053 kB)10 downloads
File information
File name FULLTEXT01.pdfFile size 1053 kBChecksum SHA-512
43e03fc6e59a693df483d8357c25377d7efb4a7cb59d82808ce6f7c5cd81ae6959b8c3d29142089e8f4724ac691c62fc207eee828f186c772b2e07c7fd7ca254
Type fulltextMimetype application/pdf

Authority records BETA

Afzal, Zeeshan

Search in DiVA

By author/editor
Afzal, Zeeshan
By organisation
Department of Mathematics and Computer Science (from 2013)
Electrical Engineering, Electronic Engineering, Information Engineering

Search outside of DiVA

GoogleGoogle Scholar
Total: 10 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

isbn
urn-nbn

Altmetric score

isbn
urn-nbn
Total: 91 hits
12342 of 4
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf