DTRAB: Combating Against Attacks on Encrypted Protocols Through Traffic-Feature Analysis
- 19 January 2010
- journal article
- research article
- Published by Institute of Electrical and Electronics Engineers (IEEE) in IEEE/ACM Transactions on Networking
- Vol. 18 (4), 1234-1247
- https://doi.org/10.1109/tnet.2009.2039492
Abstract
The unbridled growth of the Internet and the network-based applications has contributed to enormous security leaks. Even the cryptographic protocols, which are used to provide secure communication, are often targeted by diverse attacks. Intrusion detection systems (IDSs) are often employed to monitor network traffic and host activities that may lead to unauthorized accesses and attacks against vulnerable services. Most of the conventional misuse-based and anomaly-based IDSs are ineffective against attacks targeted at encrypted protocols since they heavily rely on inspecting the payload contents. To combat against attacks on encrypted protocols, we propose an anomaly-based detection system by using strategically distributed monitoring stubs (MSs). We have categorized various attacks against cryptographic protocols. The MSs, by sniffing the encrypted traffic, extract features for detecting these attacks and construct normal usage behavior profiles. Upon detecting suspicious activities due to the deviations from these normal profiles, the MSs notify the victim servers, which may then take necessary actions. In addition to detecting attacks, the MSs can also trace back the originating network of the attack. We call our unique approach DTRAB since it focuses on both Detection and TRAceBack in the MS level. The effectiveness of the proposed detection and traceback methods are verified through extensive simulations and Internet datasets.Keywords
This publication has 18 references indexed in Scilit:
- SSL/TLS session-aware user authentication – Or how to effectively thwart the man-in-the-middleComputer Communications, 2006
- WebSOS: an overlay-based system for protecting web servers from denial of service attacksComputer Networks, 2005
- Remote timing attacks are practicalComputer Networks, 2005
- Change-point monitoring for the detection of DoS attacksIEEE Transactions on Dependable and Secure Computing, 2004
- On IP tracebackIEEE Communications Magazine, 2003
- Password Interception in a SSL/TLS ChannelLecture Notes in Computer Science, 2003
- Network support for IP tracebackIEEE/ACM Transactions on Networking, 2001
- Practical network support for IP tracebackACM SIGCOMM Computer Communication Review, 2000
- Towards trapping wily intruders in the largeComputer Networks, 2000
- Security issues in networks with Internet accessProceedings of the IEEE, 1997