Abstract
The growing adoption of network encryption protocols, like TLS, has altered the landscape of
network traffic monitoring. With the advent and rapid increase in network encryption
mechanisms, typical deep packet inspection systems that monitor network packet payload contents are gradually becoming obsolete, while in the meantime, adversaries exploit
the TLS protocol to bypass them.
In this work, we propose a pattern language to describe packet sequences for the purpose of fine-grained identification of events even in encrypted network traffic. The first
use case for our pattern language is the identification of application-level events in encrypted network traffic. We demonstrate its expressiveness with case studies for distinguishing messaging, voice, and video events in Facebook, Skype, Viber, and WhatsApp
network traffic. The second use case for our pattern language is the identification of intrusions and suspicious events in encrypted network traffic. Similarly, we investigate its
expressiveness with case studies for distinguishing events originating from penetration
tools, such as password cracking, or botnet communications. We provide an efficient implementation for the proposed pattern language, which we integrate into two different
DPI systems. We evaluate the proposed pattern language with respect to the level of expressiveness and the processing performance. Finally, we demonstrate that the proposed
language can be mined from traffic samples automatically, minimizing the otherwise high
ruleset maintenance burden.
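To make the idea of a pattern over packet sequences concrete, the following added example (written for this page, not the dissertation's own pattern language or implementation) matches a constructed trace of encrypted-traffic metadata against hypothetical patterns. Only packet direction and size are used, since those remain visible under TLS; the pattern syntax, the event names and the sample sizes are all assumptions made here for illustration.

```python
"""
Toy matcher for patterns over encrypted-traffic packet metadata.

Each packet is described only by direction and payload size, which stay
observable after TLS encryption. A pattern is a sequence of steps, each a
direction plus an inclusive size range. The syntax below is hypothetical
and is not the pattern language proposed in the dissertation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (client -> server) or "in" (server -> client)
    size: int       # application-data length in bytes


@dataclass(frozen=True)
class Step:
    direction: str
    min_size: int
    max_size: int

    def matches(self, pkt: Packet) -> bool:
        return pkt.direction == self.direction and self.min_size <= pkt.size <= self.max_size


def parse_pattern(text: str) -> List[Step]:
    """Parse a pattern such as 'out:100-300 in:40-120' (hypothetical syntax)."""
    steps = []
    for token in text.split():
        direction, size_range = token.split(":")
        lo, hi = size_range.split("-")
        steps.append(Step(direction, int(lo), int(hi)))
    return steps


def find_event(pattern: List[Step], packets: List[Packet],
               max_gap: int = 2) -> Optional[Tuple[int, int]]:
    """Return (start, end) indices of the first window matching the pattern.

    Up to max_gap unrelated packets may sit between consecutive steps, so
    retransmissions or interleaved keep-alives do not break a match.
    """
    for start in range(len(packets)):
        if not pattern[0].matches(packets[start]):
            continue
        idx = start
        matched_all = True
        for step in pattern[1:]:
            found = None
            for j in range(idx + 1, min(idx + 2 + max_gap, len(packets))):
                if step.matches(packets[j]):
                    found = j
                    break
            if found is None:
                matched_all = False
                break
            idx = found
        if matched_all:
            return (start, idx)
    return None


# Constructed sample trace: sizes are invented for illustration only.
TRACE = [
    Packet("out", 517),   # handshake-sized client record
    Packet("in", 1400),
    Packet("in", 1400),
    Packet("out", 93),
    Packet("in", 61),
    Packet("out", 150),   # a short client request ...
    Packet("in", 85),     # ... followed by a small server acknowledgement
    Packet("out", 1100),  # three consecutive large outbound records
    Packet("out", 1150),
    Packet("out", 1200),
    Packet("in", 300),
]

# Hypothetical event patterns expressed in the toy syntax above.
PATTERNS = {
    "message_send": "out:100-300 in:40-120",
    "voice_burst": "out:900-1300 out:900-1300 out:900-1300",
}


def detect_events(packets: List[Packet]) -> List[Tuple[str, int, int]]:
    """Run every pattern over the trace and report (event, start, end) hits."""
    hits = []
    for name, text in PATTERNS.items():
        window = find_event(parse_pattern(text), packets)
        if window is not None:
            hits.append((name, window[0], window[1]))
    return hits


if __name__ == "__main__":
    for name, start, end in detect_events(TRACE):
        print(f"{name}: packets {start}-{end}")
```

Because the matcher never touches payload bytes, the same logic applies whether or not the session is encrypted; what changes between applications is only the size and direction profile captured in each pattern.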
In addition to our passive analysis approach, we actively contact IP addresses known to
participate in malicious activities, since we aim to understand the botnet ecosystem in the
wild. We utilize an open-source tool for active probing and TLS fingerprint construction.
Based on packets acquired from TLS handshakes, server fingerprints are constructed during
a time period of 7 months. The fingerprints express servers' responses to a sequence
of several "TLS Client Hello" packets with different TLS attributes, and we investigate
whether it is feasible to detect suspicious servers and re-identify similar ones within blocklists
with no prior knowledge of their activities. Based on our findings, we can see that fingerprints originating from suspicious servers are repetitive among similarly configured
servers, while they rarely overlap with fingerprints that correspond to legitimate domains.
The findings of our measurement study encourage the utilization of actively generated
TLS fingerprints for detecting malicious command and control servers in the wild.
Subsequently, we present the literature that performs network traffic analysis and inspection after the rise of encryption. We observe that the research community has already started proposing solutions for performing inspection even when the
network traffic is encrypted, and we review these works. We present the techniques and
methods that these works use and their limitations.
Lastly, we also examine the countermeasures that have been proposed to
circumvent traffic analysis, and we discuss our system's limitations related to traffic
analysis resistance.