Ändra sökning
RefereraExporteraLänk till posten
Permanent länk

Direktlänk
Referera
Referensformat
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • apa.csl
  • Annat format
Fler format
Språk
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Annat språk
Fler språk
Utmatningsformat
  • html
  • text
  • asciidoc
  • rtf
Using Features of Encrypted Network Traffic to Detect Malware
Karlstads universitet, Fakulteten för hälsa, natur- och teknikvetenskap (from 2013), Institutionen för matematik och datavetenskap (from 2013). KTH Royal Institute of Technology, Sweden. (Datavetenskap, Computer Science)ORCID-id: 0000-0001-9886-6651
Karlstads universitet, Fakulteten för hälsa, natur- och teknikvetenskap (from 2013), Institutionen för matematik och datavetenskap (from 2013). (Datavetenskap, Computer Science)ORCID-id: 0000-0001-7311-9334
Karlstads universitet, Fakulteten för hälsa, natur- och teknikvetenskap (from 2013), Institutionen för matematik och datavetenskap (from 2013). SINTEF Digital, Trondheim, NOR. (Datavetenskap, Computer Science)ORCID-id: 0000-0003-0778-4736
2021 (Engelska)Ingår i: Secure IT Systems: 25th Nordic Conference, NordSec 2020, Virtual Event, November 23–24, 2020, Proceedings / [ed] Mikael Asplund; Simin Nadjm-Tehrani, Springer Publishing Company, 2021Konferensbidrag, Publicerat paper (Refereegranskat)
Abstract [en]

Encryption on the Internet is as pervasive as ever. This hasprotected communications and enhanced the privacy of users. Unfortu-nately, at the same time malware is also increasingly using encryptionto hide its operation. The detection of such encrypted malware is cru-cial, but the traditional detection solutions assume access to payloaddata. To overcome this limitation, such solutions employ traffic decryp-tion strategies that have severe drawbacks. This paper studies the usageof encryption for malicious and benign purposes using large datasets andproposes a machine learning based solution to detect malware using con-nection and TLS metadata without any decryption. The classification isshown to be highly accurate with high precision and recall rates by usinga small number of features. Furthermore, we consider the deployment as-pects of the solution and discuss different strategies to reduce the falsepositive rate.

Ort, förlag, år, upplaga, sidor
Springer Publishing Company, 2021.
Serie
Lecture Notes in Computer Science, ISSN 0302-9743, E-ISSN 1611-3349 ; 12556
Nyckelord [en]
malware, encryption, TLS, detection, machine learning
Nationell ämneskategori
Data- och informationsvetenskap
Forskningsämne
Datavetenskap
Identifikatorer
URN: urn:nbn:se:kau:diva-81466DOI: 10.1007/978-3-030-70852-8_3Scopus ID: 2-s2.0-85103538148ISBN: 978-3-030-70851-1 (tryckt)ISBN: 978-3-030-70852-8 (digital)OAI: oai:DiVA.org:kau-81466DiVA, id: diva2:1503410
Konferens
The 25th Nordic Conference on Secure IT Systems (NordSec 2020)
Projekt
High Quality Networked Services in a Mobile WorldHITS
Forskningsfinansiär
KK-stiftelsen, 20140037
Anmärkning

Artikeln ingick som manuskript i Afzals (2020) doktorsavhandling Life of a Security Middlebox: Challenges with Emerging Protocols and Technologies

Tillgänglig från: 2020-11-24 Skapad: 2020-11-24 Senast uppdaterad: 2021-06-07Bibliografiskt granskad
Ingår i avhandling
1. Life of a Security Middlebox: Challenges with Emerging Protocols and Technologies
Öppna denna publikation i ny flik eller fönster >>Life of a Security Middlebox: Challenges with Emerging Protocols and Technologies
2020 (Engelska)Doktorsavhandling, sammanläggning (Övrigt vetenskapligt)
Abstract [en]

The Internet of today has intermediary devices known as middleboxes that perform more functions than the normal packet forwarding function of a router. Security middleboxes are a subset of these middleboxes and face an increasingly difficult task to perform their functions correctly. These middleboxes make many assumptions about the traffic that may not hold true any longer with the advent of new protocols such as MPTCP and technologies like end-to-end encryption.

The work in this thesis focuses on security middleboxes and the challenges they face. We develop methods and solutions to help these security middleboxes continue to function correctly. In particular, we investigate the case of using MPTCP over traditional security infrastructure as well as the case of end-to-end encryption. We study how practical it is to evade a security middlebox by fragmenting and sending traffic across multiple paths using MPTCP. We then go on to propose possible solutions to detect such attacks and implement them. The potential MPTCP scenario where security middleboxes only have access to part of the traffic is also investigated and addressed. Moreover, the thesis contributes a machine learning based approach to help security middleboxes detect malware in encrypted traffic without decryption.

Abstract [en]

The Internet of today has intermediary devices known as middleboxes thatperform more functions than the normal packet forwarding function of arouter. Security middleboxes are a subset of these middleboxes and face anincreasingly difficult task to perform their functions correctly in the wake ofemerging protocols and technologies on the Internet. Security middleboxesmake many assumptions about the traffic, e.g., they assume that traffic froma single connection always arrives over the same path and they often expectto observe plaintext data. These along with many other assumptions may nothold true any longer with the advent of new protocols such as MPTCP andtechnologies like end-to-end encryption.

The work in this thesis focuses on security middleboxes and the challengesthey face in performing their functions in an evolving Internet where newnetworking protocols and technologies are regularly introduced. We developmethods and solutions to help these security middleboxes continue to functioncorrectly. In particular, we investigate the case of using MPTCP overtraditional security infrastructure as well as the case of end-to-end encryption.

We study how practical it is to evade a security middlebox by fragmentingand sending traffic across multiple paths using MPTCP. Attack traffic that isgenerated from a self-developed tool is used to evaluate such attacks to showthat these attacks are feasible. We then go on to propose possible solutionsto detect such attacks and implement them. The potential MPTCP scenariowhere security middleboxes only have access to part of the traffic is also investigated.Furthermore, we propose and implement an algorithm to performintrusion detection in such situations. Moreover, the thesis contributes a machinelearning based approach to help security middleboxes detect malware inencrypted traffic without decryption.

Ort, förlag, år, upplaga, sidor
Karlstad: Karlstads universitet, 2020. s. 26
Serie
Karlstad University Studies, ISSN 1403-8099 ; 2020:10
Nyckelord
network security, TCP, MPTCP, IDS, Snort, edit-distance, encryption
Nationell ämneskategori
Elektroteknik och elektronik
Forskningsämne
Datavetenskap
Identifikatorer
urn:nbn:se:kau:diva-76291 (URN)978-91-7867-093-2 (ISBN)978-91-7867-103-8 (ISBN)
Disputation
2020-02-28, 21A342, Eva Erikssonsalen, Karlstad, 10:15 (Engelska)
Opponent
Handledare
Anmärkning

Article 5 part of thesis as manuscricpt, now published.

Tillgänglig från: 2020-02-05 Skapad: 2020-01-14 Senast uppdaterad: 2021-06-07Bibliografiskt granskad

Open Access i DiVA

Fulltext saknas i DiVA

Övriga länkar

Förlagets fulltextScopus

Person

Afzal, ZeeshanBrunström, AnnaLindskog, Stefan

Sök vidare i DiVA

Av författaren/redaktören
Afzal, ZeeshanBrunström, AnnaLindskog, Stefan
Av organisationen
Institutionen för matematik och datavetenskap (from 2013)
Data- och informationsvetenskap

Sök vidare utanför DiVA

GoogleGoogle Scholar

doi
isbn
urn-nbn

Altmetricpoäng

doi
isbn
urn-nbn
Totalt: 412 träffar
RefereraExporteraLänk till posten
Permanent länk

Direktlänk
Referera
Referensformat
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • apa.csl
  • Annat format
Fler format
Språk
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Annat språk
Fler språk
Utmatningsformat
  • html
  • text
  • asciidoc
  • rtf