DTRAB: Combating Against Attacks on Encrypted Protocols Through Traffic-Feature Analysis

The unbridled growth of the Internet and of network-based applications has brought with it a corresponding growth in security incidents. Even the cryptographic protocols that are meant to provide secure communication are frequently targeted by a wide range of attacks. Intrusion detection systems (IDSs) are commonly deployed to monitor network traffic and host activity for signs of unauthorized access and attacks on vulnerable services. Most conventional misuse-based and anomaly-based IDSs are, however, ineffective against attacks on encrypted protocols, because they rely heavily on inspecting payload contents that encryption hides from them. To address attacks on encrypted protocols, we propose an anomaly-based detection system built on strategically distributed monitoring stubs (MSs). We categorize the attacks that target cryptographic protocols. The MSs sniff the encrypted traffic, extract features from it that reveal these attacks, and use those features to construct profiles of normal usage behavior. When an MS detects suspicious activity as a deviation from these normal profiles, it notifies the victim servers, which can then take appropriate action. Beyond detection, the MSs can also trace an attack back to its originating network. We call the approach DTRAB because it addresses both Detection and TRAceBack at the MS level. The effectiveness of the proposed detection and traceback methods is verified through extensive simulations and Internet datasets.
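The detection-and-traceback loop the abstract describes, shown as an added illustration rather than the paper's own code: the feature set (flows, handshake initiations, distinct sources and mean bytes per window), the mean/standard-deviation profile with a z-score threshold, the /24 aggregation used for the traceback step and the sample traffic are all assumptions made for this example, not DTRAB's actual features, attack categories or algorithms.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean, pstdev


# Hypothetical flow record: what a monitoring stub can observe for an encrypted
# (e.g. TLS) connection without decrypting it. Field names are assumptions.
@dataclass(frozen=True)
class FlowRecord:
    t: float         # connection start, seconds since capture start
    src: str         # client IP address taken from the IP header
    handshakes: int  # handshake initiations seen on this connection
    n_bytes: int     # total bytes on the wire, both directions


FEATURES = ("flows", "handshakes", "uniq_src", "mean_bytes")


def window_features(flows, t0, width):
    """Aggregate the flows starting in [t0, t0 + width) into one feature vector."""
    win = [f for f in flows if t0 <= f.t < t0 + width]
    return {
        "flows": len(win),
        "handshakes": sum(f.handshakes for f in win),
        "uniq_src": len({f.src for f in win}),
        "mean_bytes": mean([f.n_bytes for f in win]) if win else 0.0,
    }


def build_profile(training_windows):
    """Normal usage profile: (mean, std-dev) of each feature over attack-free windows."""
    profile = {}
    for k in FEATURES:
        vals = [w[k] for w in training_windows]
        profile[k] = (mean(vals), pstdev(vals))
    return profile


def deviations(profile, feats, sigma=3.0, sd_floor=1.0):
    """Features whose |z-score| exceeds sigma. sd_floor keeps a near-constant
    training feature from turning every tiny fluctuation into an alert."""
    out = []
    for k, (mu, sd) in profile.items():
        z = (feats[k] - mu) / max(sd, sd_floor)
        if abs(z) > sigma:
            out.append((k, round(z, 1)))
    return out


def suspect_network(flows, t0, width, prefix_len=24):
    """Traceback at the stub: the /prefix_len network sending most flows in the window."""
    win = [f for f in flows if t0 <= f.t < t0 + width]
    nets = Counter(str(ip_network(f"{f.src}/{prefix_len}", strict=False)) for f in win)
    return nets.most_common(1)[0][0] if nets else None


def monitor(profile, flows, t0, width):
    """One detection round: the notification a stub would send to the victim server."""
    feats = window_features(flows, t0, width)
    devs = deviations(profile, feats)
    return {
        "alert": bool(devs),
        "deviations": devs,
        "suspect_network": suspect_network(flows, t0, width) if devs else None,
    }


# --- Constructed sample traffic (not a real capture) -------------------------
WIDTH = 10.0


def normal_window(t0, n_clients, bytes_each):
    """n_clients ordinary sessions from an internal /24, one handshake each."""
    return [FlowRecord(t0 + i * 0.5, f"10.1.0.{i + 1}", 1, bytes_each)
            for i in range(n_clients)]


TRAINING = [normal_window(0.0, 4, 4000), normal_window(10.0, 5, 3500),
            normal_window(20.0, 4, 4200), normal_window(30.0, 6, 3800),
            normal_window(40.0, 5, 4000)]
PROFILE = build_profile([window_features(w, i * WIDTH, WIDTH)
                         for i, w in enumerate(TRAINING)])

# Attack window: 60 hosts in 203.0.113.0/24 each open a connection carrying three
# handshake initiations and almost no application data (a handshake-flood shape).
ATTACK = [FlowRecord(100.0 + i * 0.1, f"203.0.113.{i + 1}", 3, 300) for i in range(60)]
# A later quiet window that should stay within the profile.
QUIET = normal_window(200.0, 5, 3900)

if __name__ == "__main__":
    print(monitor(PROFILE, ATTACK, 100.0, WIDTH))
    print(monitor(PROFILE, QUIET, 200.0, WIDTH))
```

The stub never touches the ciphertext: every feature comes from timing, addresses, sizes and the count of cleartext handshake starts, which is exactly the information that survives encryption. The z-score threshold is the simplest possible profile model; the point it makes is that a handshake flood from one /24 moves every feature far outside the training band while an ordinary window does not, and that the same window of flow records already carries the source network needed for the traceback notification.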
