Intrusion Detection on QUIC Traffic: A Machine Learning Approach

Lama Al-Bakhat, Sultan Almuhammadi
Venue: 2022 7th International Conference on Data Science and Machine Learning Applications (CDMA)
DOI: 10.1109/CDMA54072.2022.00037 (https://doi.org/10.1109/CDMA54072.2022.00037)
Publication date: 2022-03-01
Citation count: 2

Abstract

Since the introduction of the QUIC protocol, a major change has affected the Internet transport layer, one that improves the user experience but brings some security threats. Developed by Google in 2012, QUIC provides a low-latency, connection-oriented and encrypted transport. In addition to its encryption capability, QUIC overcomes many issues found in current transport protocols, such as the high-latency connection establishment in TCP. On the other hand, studies on the security analysis of QUIC's key establishment have shown several drawbacks. Moreover, the encryption mechanism of the protocol allows adversarial Command & Control (C2) packets to blend with regular QUIC traffic without raising any alarms. Therefore, in this study, we develop a machine learning approach based on fingerprinting that can be used in intrusion detection systems to detect malicious C2 QUIC traffic. To demonstrate the effectiveness of this approach, we conducted an experiment and tested the performance of six machine learning classifiers. The results show that, by utilizing the fingerprint, most of the classifiers recognized malicious C2 traffic with an average accuracy of 98%.