Title: Insights into Encrypted Network Connections: Analyzing Remote Desktop Protocol Traffic
Authors: M. Ussath, Feng Cheng, C. Meinel
DOI: 10.1109/PDP.2016.38 (https://doi.org/10.1109/PDP.2016.38)
Published in: 2016 24th Euromicro International Conference on Parallel, Distributed, and Network-Based Processing (PDP)
Publication date: 2016-02-01
Citations: 1
Abstract
An increasing number of network connections are encrypted to protect the confidentiality of the transferred data. Attackers also make greater use of encrypted protocols to hide from detection and to hinder investigations. Currently, most security systems (e.g., Intrusion Detection Systems (IDSs) and firewalls) cannot effectively analyze encrypted traffic. This results in "blind spots", which can put the security of a whole environment at risk. In this paper, we propose a system that is capable of investigating encrypted Remote Desktop Protocol (RDP) connections. In the first step, the private RSA key of the RDP server is used to decrypt the TLS/SSL layer of the RDP stream. In the second step, our system extracts all relevant information (e.g., keystrokes and transferred files) from the RDP connection. This information makes it possible to reconstruct the behavior and the activities of an attacker with high accuracy. For the evaluation of our approach, we performed a scan of 231,025 internet-facing RDP systems and revealed that over 95 % of the RDP connections to these systems can be decrypted with our system.