Command Evaluation in Encrypted Remote Sessions

Intrusion Detection Systems (IDS) are integral components for detecting malicious code and attacks. Detection methods fall into two classes, signature-based and anomaly-based. Signature-based systems search for known patterns stored in a database, whereas anomaly-based systems build a model of the normal behavior of a network and later detect attacks as significant deviations of the observed network state from that model. Both approaches usually require access to the payload of the network packets. If encryption protocols such as SSL/TLS or SSH are used, searching the payload for attack signatures is no longer possible, and behavior-based techniques are limited as well: statistical methods such as flow evaluation can still be used for anomaly detection, but application-level attacks hidden in the encrypted traffic may remain undetectable. At present, only a few systems are designed to cope with encrypted network traffic, and none of them can be deployed in general, because they require protocol modifications or a special infrastructure, or because their false alarm rates are unacceptable in a production environment. In this paper, we propose a new IDS for encrypted traffic that identifies command sequences in the encrypted traffic and evaluates their attack likelihood. The encrypted traffic is clustered, probabilities for the different commands are calculated, and the resulting command sequences are analysed. The system estimates probabilities for commands and command sequences and, from the identified sequences, the likelihood of an attack, without decrypting any packets. Because it relies only on statistical data gathered from the network traffic, the system can be deployed in general. The current prototype of the system focuses on the command evaluation.
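The following Python sketch is an added illustration of the approach described above; it is not code from the paper or its prototype. It assumes that each interactive SSH command leaves an observable metadata footprint (client keystroke packets, server response bytes, server response packets) even though the payload is encrypted, models each command as a diagonal Gaussian over those three features in place of whatever clustering the paper uses, turns the per-step likelihoods into command probabilities, and then scores the session against a constructed suspicious pattern (download, make executable, run) by taking the best ordered alignment of steps to pattern commands. The training samples, the sessions and the pattern are all constructed for the example.

```python
import math

# Constructed per-command observations from encrypted interactive SSH sessions:
# (client packets, server response bytes, server response packets).
# Assumption: one keystroke per client packet, so the client packet count
# approximates the command length; server bytes reflect the output size.
TRAINING = {
    "ls":    [(3, 280, 2), (3, 340, 2), (4, 420, 3), (3, 300, 2)],
    "cat":   [(12, 1900, 6), (14, 2400, 8), (11, 1600, 5), (13, 2100, 7)],
    "wget":  [(40, 5200, 22), (44, 6400, 26), (38, 4800, 20), (42, 5900, 24)],
    "chmod": [(16, 30, 1), (18, 30, 1), (15, 36, 1), (17, 30, 1)],
    "exec":  [(10, 900, 4), (9, 1100, 5), (11, 800, 4), (10, 1000, 4)],
}

# Constructed suspicious command pattern: download, make executable, run.
ATTACK_PATTERN = ("wget", "chmod", "exec")

# Constructed sessions, as sequences of per-command metadata observations.
BENIGN_SESSION = [(3, 310, 2), (12, 2000, 6), (3, 330, 2)]
ATTACK_SESSION = [(3, 300, 2), (41, 5600, 23), (17, 30, 1), (10, 950, 4)]


def fit(training):
    """Per-command (mean, variance) for each feature; variance floored at 1.0
    so a feature that never varies in training does not become a hard filter."""
    model = {}
    for cmd, samples in training.items():
        params = []
        for values in zip(*samples):
            mean = sum(values) / len(values)
            var = sum((v - mean) ** 2 for v in values) / len(values)
            params.append((mean, max(var, 1.0)))
        model[cmd] = params
    return model


def log_likelihood(params, obs):
    """Diagonal Gaussian log-likelihood of one observation under one command."""
    total = 0.0
    for (mean, var), x in zip(params, obs):
        total += -0.5 * math.log(2 * math.pi * var) - (x - mean) ** 2 / (2 * var)
    return total


def command_probabilities(model, obs):
    """Posterior over commands for one observation (uniform prior, softmax of
    log-likelihoods, shifted by the maximum to avoid overflow)."""
    logs = {cmd: log_likelihood(p, obs) for cmd, p in model.items()}
    top = max(logs.values())
    weights = {cmd: math.exp(v - top) for cmd, v in logs.items()}
    norm = sum(weights.values())
    return {cmd: w / norm for cmd, w in weights.items()}


def attack_likelihood(step_probs, pattern=ATTACK_PATTERN):
    """Best-alignment likelihood that the session contains `pattern` as an
    ordered, not necessarily contiguous, subsequence.
    best[j] = max product of probabilities for the first j pattern commands
    using the steps seen so far; iterating j downwards ensures each step is
    assigned to at most one pattern element."""
    best = [1.0] + [0.0] * len(pattern)
    for probs in step_probs:
        for j in range(len(pattern), 0, -1):
            cand = best[j - 1] * probs.get(pattern[j - 1], 0.0)
            if cand > best[j]:
                best[j] = cand
    return best[len(pattern)]


def analyse_session(model, observations, pattern=ATTACK_PATTERN):
    """Return the most likely command per step and the attack likelihood."""
    step_probs = [command_probabilities(model, obs) for obs in observations]
    guesses = [max(p, key=p.get) for p in step_probs]
    return guesses, attack_likelihood(step_probs, pattern)


if __name__ == "__main__":
    model = fit(TRAINING)
    for name, session in (("benign", BENIGN_SESSION), ("attack", ATTACK_SESSION)):
        guesses, score = analyse_session(model, session)
        print(f"{name}: {' -> '.join(guesses)}  attack likelihood {score:.4f}")
```

Because the scoring works on the command probabilities rather than on hard labels, a misclassified step lowers the attack likelihood instead of silently breaking the match, which is what keeps the approach usable when metadata features overlap between commands. In practice the feature model would have to be trained on the monitored hosts' own traffic, since output sizes and keystroke patterns differ between systems and users.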
