Towards Intrusion Detection for Encrypted Networks

V. Goh, J. Zimmermann, M. Looi
DOI: 10.1109/ARES.2009.76 (https://doi.org/10.1109/ARES.2009.76)
Published in: 2009 International Conference on Availability, Reliability and Security
Publication date: 2009-03-16
Citation count: 24

Abstract

Traditionally, network-based Intrusion Detection Systems (NIDS) monitor network traffic for signs of malicious activity. However, with the growing use of Virtual Private Networks (VPNs) that encrypt network traffic, the NIDS can no longer analyse the encrypted data, which essentially negates any protection offered by the NIDS. Although the encrypted traffic can be decrypted at a network gateway for analysis, this compromises data confidentiality. In this paper, we propose a detection framework which allows a traditional NIDS to continue functioning without compromising the confidentiality afforded by the VPN. Our approach uses Shamir's secret-sharing scheme and randomised network proxies to enable detection of malicious activities in encrypted channels. Additionally, this approach is able to detect any malicious attempts to forge network traffic with the intention of evading detection. Our experiments show that the probability of a successful evasion is low, at about 0.98% in the worst case. We implement our approach in a prototype and present some preliminary results. Overall, the proposed approach is able to consistently detect intrusions and does not introduce any additional false positives.