Multipath TCP IDS Evasion and Mitigation
Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (PriSec). ORCID iD: 0000-0001-9886-6651
Karlstad University, Faculty of Economic Sciences, Communication and IT, Department of Computer Science; Karlstad University, Faculty of Health, Science and Technology (starting 2013) (PriSec). ORCID iD: 0000-0003-0778-4736
2015 (English). In: Information Security: 18th International Conference, ISC 2015, Trondheim, Norway, September 9-11, 2015, Proceedings. Springer, 2015, Vol. 9290, pp. 265-282. Conference paper, published paper (refereed).
Abstract [en]

The existing network security infrastructure is not ready for future protocols such as Multipath TCP (MPTCP). The outcome is that middleboxes are configured to block such protocols. This paper studies the security risk that arises if future protocols are used over unaware infrastructures. In particular, the practicality and severity of cross-path fragmentation attacks utilizing MPTCP against the signature-matching capability of the Snort intrusion detection system (IDS) are investigated. Results reveal that the attack is realistic and opens the possibility to evade any signature-based IDS. To mitigate the attack, a solution is also proposed in the form of the MPTCP Linker tool. The work outlines the importance of MPTCP support in future network security middleboxes.

Place, publisher, year, edition, pages
Springer, 2015. Vol. 9290, pp. 265-282.
Series
Lecture Notes in Computer Science, ISSN 0302-9743 ; 9290
National Category
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-39058
DOI: 10.1007/978-3-319-23318-5_15
ISI: 000363678700015
ISBN: 978-3-319-23317-8 (print)
OAI: oai:DiVA.org:kau-39058
DiVA: diva2:895187
Conference
The 18th Information Security Conference (ISC), Trondheim, Norway, September 9-11, 2015.
Available from: 2016-01-18. Created: 2016-01-18. Last updated: 2017-03-17. Bibliographically approved.
In thesis
1. Towards Secure Multipath TCP Communication
2017 (English). Licentiate thesis, comprehensive summary (Other academic).
Abstract [en]

The evolution in networking coupled with an increasing demand to improve user experience has led to different proposals to extend the standard TCP. Multipath TCP (MPTCP) is one such extension that has the potential to overcome a few inherent limitations in the standard TCP. While MPTCP's design and deployment progresses, most of the focus has been on its compatibility. The security aspect is confined to making sure that the MPTCP protocol itself offers the same security level as the standard TCP.

The topic of this thesis is to investigate the unexpected security implications raised by using MPTCP in the traditional networking environment. The Internet of today has security middle-boxes that perform traffic analysis to detect intrusions and attacks. Such middle-boxes make use of different assumptions about the traffic, e.g., traffic from a single connection always arrives along the same path. This along with many other assumptions may not be true anymore with the advent of MPTCP as traffic can be fragmented and sent over multiple paths simultaneously.

We investigate how practical it is to evade a security middle-box by fragmenting and sending traffic across multiple paths using MPTCP. Realistic attack traffic is used to evaluate such attacks against the Snort IDS to show that these attacks are feasible. We then go on to propose possible solutions to detect such attacks and implement them in an MPTCP proxy. The proxy aims to extend the MPTCP performance advantages to servers that only support standard TCP, while ensuring that intrusions can be detected as before. Finally, we investigate the potential MPTCP scenario where security middle-boxes only have access to some of the traffic. We propose and implement an algorithm to perform intrusion detection in such situations and achieve a nearly 90% detection accuracy. Another contribution of this work is a tool that converts IDS rules into equivalent attack traffic to automate the evaluation of a middle-box.

Abstract [en]

Multipath TCP (MPTCP) is an extension to standard TCP that is close to being standardized. The design of the protocol is progressing, but most of the focus has so far been on its compatibility. The security aspect is confined to making sure that the MPTCP protocol itself offers the same security level as standard TCP. The topic of this thesis is to investigate the unexpected security implications raised by using MPTCP in a traditional networking environment. Today, the security middleboxes make use of different assumptions that may not be true anymore with the advent of MPTCP.

We investigate how practical it is to evade a security middlebox by fragmenting and sending traffic across multiple paths using MPTCP. Realistic attack traffic generated from a tool that is also presented in this thesis is used to show that these attacks are feasible. We then go on to propose possible solutions to detect such attacks and implement them in an MPTCP proxy. The proxy aims to extend secure MPTCP performance advantages. We also investigate the MPTCP scenario where security middleboxes can only observe some of the traffic. We propose and implement an algorithm to perform intrusion detection in such situations and achieve a high detection accuracy.

Place, publisher, year, edition, pages
Karlstad: Karlstads universitet, 2017. 91 p.
Series
Karlstad University Studies, ISSN 1403-8099 ; 2017:12
Keyword
network security, MPTCP, TCP, IDS, snort, edit-distance
National Category
Computer Science
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-48172
ISBN: 978-91-7063-763-6
ISBN: 978-91-7063-764-3
Presentation
2017-04-28, 1B364, Karlstad, 13:00 (English)
Projects
HITS
Available from: 2017-04-10. Created: 2017-03-17. Last updated: 2017-05-16. Bibliographically approved.

Open Access in DiVA

No full text

Other links

Publisher's full text: http://link.springer.com/chapter/10.1007%2F978-3-319-23318-5_15

Authors/editors
Afzal, Zeeshan; Lindskog, Stefan

Organisation
Department of Mathematics and Computer Science; Department of Computer Science; Faculty of Health, Science and Technology (starting 2013)

Subject
Computer Science
