kau.se
EnglishSvenskaNorsk
Endre søk
RefereraExporteraLink to record
Permanent link

Direct link
Referera
Referensformat
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • apa.csl
  • Annet format
Fler format
Språk
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Annet språk
Fler språk
Utmatningsformat
  • html
  • text
  • asciidoc
  • rtf
Using Partial Signatures in Intrusion Detection for Multipath TCP
Karlstads universitet, Fakulteten för hälsa, natur- och teknikvetenskap (from 2013), Institutionen för matematik och datavetenskap (from 2013). (PriSec)ORCID-id: 0000-0001-9886-6651
Karlstads universitet, Fakulteten för hälsa, natur- och teknikvetenskap (from 2013), Institutionen för matematik och datavetenskap (from 2013).ORCID-id: 0000-0003-3461-7079
Karlstads universitet, Fakulteten för hälsa, natur- och teknikvetenskap (from 2013), Institutionen för matematik och datavetenskap (from 2013).ORCID-id: 0000-0003-0778-4736
Karlstads universitet, Fakulteten för hälsa, natur- och teknikvetenskap (from 2013), Institutionen för matematik och datavetenskap (from 2013).ORCID-id: 0000-0001-7311-9334
2019 (engelsk)Inngår i: Secure IT-systems: 24th Nordic Conference, NordSec 2019, Aalborg, Denmark, November 18–20, 2019, Proceedings / [ed] Aslan Askarov, René Rydhof Hansen, Willard Rafnsson, Cham, Switzerland: Springer, 2019, s. 71-86Konferansepaper, Publicerat paper (Fagfellevurdert)
Abstract [en]

Traditional security mechanisms such as signature basedintrusion detection systems (IDSs) attempt to find a perfect match of aset of signatures in network traffic. Such IDSs depend on the availabilityof a complete application data stream. With emerging protocols such asMultipath TCP (MPTCP), this precondition cannot be ensured, result-ing in false negatives and IDS evasion. On the other hand, if approximatesignature matching is used instead in an IDS, a potentially high numberof false positives make the detection impractical. In this paper, we showthat, by using a specially tailored partial signature matcher and knowl-edge about MPTCP semantics, the Snort3 IDS can be empowered withpartial signature detection. Additionally, we uncover the type of Snort3rules suitable for the task of partial matching. Experimental results withthese rules show a low false positive rate for benign traffic and highdetection coverage for attack traffic.
sted, utgiver, år, opplag, sider
Cham, Switzerland: Springer, 2019. s. 71-86
Serie
Lecture Notes in Computer Science, ISSN 0302-9743 ; 11875
HSV kategori
Forskningsprogram
Datavetenskap; Datavetenskap
Identifikatorer
URN: urn:nbn:se:kau:diva-75755DOI: 10.1007/978-3-030-35055-0_5OAI: oai:DiVA.org:kau-75755DiVA, id: diva2:1370341
Konferanse
NordSec2019: 24th Nordic Conference on Secure IT Systems, 18-20 November, 2019, Aalborg, Denmark,
Prosjekter
HITS, 4707
Forskningsfinansiär
Knowledge FoundationTilgjengelig fra: 2019-11-14 Laget: 2019-11-14 Sist oppdatert: 2026-02-12bibliografisk kontrollert
Inngår i avhandling
1. Life of a Security Middlebox: Challenges with Emerging Protocols and Technologies
Åpne denne publikasjonen i ny fane eller vindu >>Life of a Security Middlebox: Challenges with Emerging Protocols and Technologies
2020 (engelsk)Doktoravhandling, med artikler (Annet vitenskapelig)
Abstract [en]

The Internet of today has intermediary devices known as middleboxes that perform more functions than the normal packet forwarding function of a router. Security middleboxes are a subset of these middleboxes and face an increasingly difficult task to perform their functions correctly. These middleboxes make many assumptions about the traffic that may not hold true any longer with the advent of new protocols such as MPTCP and technologies like end-to-end encryption.

The work in this thesis focuses on security middleboxes and the challenges they face. We develop methods and solutions to help these security middleboxes continue to function correctly. In particular, we investigate the case of using MPTCP over traditional security infrastructure as well as the case of end-to-end encryption. We study how practical it is to evade a security middlebox by fragmenting and sending traffic across multiple paths using MPTCP. We then go on to propose possible solutions to detect such attacks and implement them. The potential MPTCP scenario where security middleboxes only have access to part of the traffic is also investigated and addressed. Moreover, the thesis contributes a machine learning based approach to help security middleboxes detect malware in encrypted traffic without decryption.
Abstract [en]

The Internet of today has intermediary devices known as middleboxes thatperform more functions than the normal packet forwarding function of arouter. Security middleboxes are a subset of these middleboxes and face anincreasingly difficult task to perform their functions correctly in the wake ofemerging protocols and technologies on the Internet. Security middleboxesmake many assumptions about the traffic, e.g., they assume that traffic froma single connection always arrives over the same path and they often expectto observe plaintext data. These along with many other assumptions may nothold true any longer with the advent of new protocols such as MPTCP andtechnologies like end-to-end encryption.

The work in this thesis focuses on security middleboxes and the challengesthey face in performing their functions in an evolving Internet where newnetworking protocols and technologies are regularly introduced. We developmethods and solutions to help these security middleboxes continue to functioncorrectly. In particular, we investigate the case of using MPTCP overtraditional security infrastructure as well as the case of end-to-end encryption.

We study how practical it is to evade a security middlebox by fragmentingand sending traffic across multiple paths using MPTCP. Attack traffic that isgenerated from a self-developed tool is used to evaluate such attacks to showthat these attacks are feasible. We then go on to propose possible solutionsto detect such attacks and implement them. The potential MPTCP scenariowhere security middleboxes only have access to part of the traffic is also investigated.Furthermore, we propose and implement an algorithm to performintrusion detection in such situations. Moreover, the thesis contributes a machinelearning based approach to help security middleboxes detect malware inencrypted traffic without decryption.
sted, utgiver, år, opplag, sider
Karlstad: Karlstads universitet, 2020. s. 26
Serie
Karlstad University Studies, ISSN 1403-8099 ; 2020:10
Emneord
network security, TCP, MPTCP, IDS, Snort, edit-distance, encryption
HSV kategori
Forskningsprogram
Datavetenskap
Identifikatorer
urn:nbn:se:kau:diva-76291 (URN)978-91-7867-093-2 (ISBN)978-91-7867-103-8 (ISBN)
Disputas
2020-02-28, 21A342, Eva Erikssonsalen, Karlstad, 10:15 (engelsk)
Opponent
Veileder
Merknad

Article 5 part of thesis as manuscricpt, now published.

Tilgjengelig fra: 2020-02-05 Laget: 2020-01-14 Sist oppdatert: 2026-02-12bibliografisk kontrollert

Open Access i DiVA

Fulltekst mangler i DiVA

Andre lenker

Forlagets fulltekst

Person

Afzal, ZeeshanGarcia, JohanLindskog, StefanBrunström, Anna

Søk i DiVA

Av forfatter/redaktør
Afzal, ZeeshanGarcia, JohanLindskog, StefanBrunström, Anna
Av organisasjonen

Søk utenfor DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric

doi
urn-nbn
Totalt: 907 treff
RefereraExporteraLink to record
Permanent link

Direct link
Referera
Referensformat
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • apa.csl
  • Annet format
Fler format
Språk
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Annet språk
Fler språk
Utmatningsformat
  • html
  • text
  • asciidoc
  • rtf
v. 2.47.0
|
WCAG
|
Karlstads universitet
|
Universitetsbiblioteket
|
Forskarstöd