Anomaly Detection in the Key-Management Interoperability Protocol Using Metadata

IEEE Open Journal of the Computer Society Pub Date : 2024-04-09 DOI:10.1109/OJCS.2024.3386715

Mir Ali Rezazadeh Baee;Leonie Simpson;Warren Armstrong

{"title":"Anomaly Detection in the Key-Management Interoperability Protocol Using Metadata","authors":"Mir Ali Rezazadeh Baee;Leonie Simpson;Warren Armstrong","doi":"10.1109/OJCS.2024.3386715","DOIUrl":null,"url":null,"abstract":"Large scale enterprise networks often use Enterprise Key-Management (EKM) platforms for unified management of cryptographic keys. In such a system, requests and responses commonly use the Key Management Interoperability Protocol (KMIP) format. The KMIP client and server use Transport Layer Security (TLS) to negotiate a mutually-authenti cated connection. Although KMIP traffic is encrypted, monitoring traffic and usage patterns of EKM Systems (EKMS) may enable detection of anomalous (possibly malicious) activity in the enterprise network that is notdetectable by other means. Metadata analysis of enterprise system traffic has been widely studied (for example at the TLS protocol level). However, KMIP metadata in EKMS has not been used for anomaly detection. In this paper, wepresent a framework for automated outlier rejection and anomaly detection. This involves investigati on of KMIP metadata, determining characteristics to extract for dataset generation, and looking for patt erns from which behaviors can be inferred. For automated labeling and detection, a deep learning-based model is applied to thegenerated datasets: Long Short-Term Memory (LSTM) auto-encoder neural networks with specific parameters. As aproof of concept, we simulated an enterprise environment, collected relevant KMIP metadata, and deployed this framework. Although our implementati on used Quintessence Labs EKMS, the framework we proposed is vendorneutral. The experimental results (Precision, Recall, F1 = 1.0) demonstrate that our framework can accurately detectall anomalous enterprise network activities. This approach could be integrated with other enterprise information toenhance detection capabilities. Our proposal can be used as a general-purpose framework for anomaly detecti on and diagnosis.","PeriodicalId":13205,"journal":{"name":"IEEE Open Journal of the Computer Society","volume":"5 ","pages":"156-169"},"PeriodicalIF":0.0000,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10495152","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Open Journal of the Computer Society","FirstCategoryId":"1085","ListUrlMain":"https://ieeexplore.ieee.org/document/10495152/","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Large scale enterprise networks often use Enterprise Key-Management (EKM) platforms for unified management of cryptographic keys. In such a system, requests and responses commonly use the Key Management Interoperability Protocol (KMIP) format. The KMIP client and server use Transport Layer Security (TLS) to negotiate a mutually-authenti cated connection. Although KMIP traffic is encrypted, monitoring traffic and usage patterns of EKM Systems (EKMS) may enable detection of anomalous (possibly malicious) activity in the enterprise network that is notdetectable by other means. Metadata analysis of enterprise system traffic has been widely studied (for example at the TLS protocol level). However, KMIP metadata in EKMS has not been used for anomaly detection. In this paper, wepresent a framework for automated outlier rejection and anomaly detection. This involves investigati on of KMIP metadata, determining characteristics to extract for dataset generation, and looking for patt erns from which behaviors can be inferred. For automated labeling and detection, a deep learning-based model is applied to thegenerated datasets: Long Short-Term Memory (LSTM) auto-encoder neural networks with specific parameters. As aproof of concept, we simulated an enterprise environment, collected relevant KMIP metadata, and deployed this framework. Although our implementati on used Quintessence Labs EKMS, the framework we proposed is vendorneutral. The experimental results (Precision, Recall, F1 = 1.0) demonstrate that our framework can accurately detectall anomalous enterprise network activities. This approach could be integrated with other enterprise information toenhance detection capabilities. Our proposal can be used as a general-purpose framework for anomaly detecti on and diagnosis.

查看原文本刊更多论文

利用元数据在密钥管理互操作性协议中进行异常检测

大型企业网络通常使用企业密钥管理（EKM）平台来统一管理加密密钥。在这种系统中，请求和响应通常使用密钥管理互操作协议（KMIP）格式。KMIP 客户端和服务器使用传输层安全协议（TLS）来协商一个相互授权的连接。虽然 KMIP 流量是加密的，但通过监控 EKM 系统 (EKMS) 的流量和使用模式，可以检测到企业网络中其他手段无法检测到的异常（可能是恶意）活动。对企业系统流量的元数据分析已被广泛研究（例如在 TLS 协议层面）。但是，EKMS 中的 KMIP 元数据尚未用于异常检测。在本文中，我们提出了一个自动剔除异常值和异常检测的框架。这包括对 KMIP 元数据进行调查，确定要提取用于生成数据集的特征，并从中寻找可推断行为的特征。为实现自动标记和检测，将对生成的数据集应用基于深度学习的模型：长短期记忆（LSTM）自动编码器神经网络具有特定的参数。作为概念验证，我们模拟了一个企业环境，收集了相关的 KMIP 元数据，并部署了这一框架。尽管我们的实施使用了 Quintessence 实验室的 EKMS，但我们提出的框架与供应商无关。实验结果（精确度、召回率、F1 = 1.0）表明，我们的框架可以准确检测到所有异常企业网络活动。这种方法可以与其他企业信息集成，以增强检测能力。我们的建议可用作异常检测和诊断的通用框架。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Open Journal of the Computer Society

CiteScore

12.60

自引率

0.00%

发文量