A Protocol Conformance Testing Method Based on the FSM for KMIP

Wang, Jie; Yang, Xin; Yu, Jing; Lu, Lu

doi:10.1109/cecit53797.2021.00030

Cited by 1 publication

(1 citation statement)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The server decodes the request to form an intermediate representation; the server API uses this to process the request. One format for KMIP messages (known as TTLV format [7]) includes these elements: the (mandatory) raw Tag (e.g., attribute names), Type (e.g., String, integer), Length (the size of the data), Value (the carried payload). Alternative message encoding formats to TTLV encoding include: Hypertext Transfer Protocol (HTTP), JavaScript Object Notation (JSON), and Extensible Markup Language (XML).…”

Section: Introductionmentioning

confidence: 99%

Anomaly Detection in the Key-Management Interoperability Protocol Using Metadata

Baee,

Simpson,

Armstrong

2024

IEEE Open J. Comput. Soc.

View full text Add to dashboard Cite

Large scale enterprise networks often use Enterprise Key-Management (EKM) platforms for unified management of cryptographic keys. In such a system, requests and responses commonly use the Key Management Interoperability Protocol (KMIP) format. The KMIP client and server use Transport Layer Security (TLS) to negotiate a mutually-authenticated connection. Although KMIP traffic is encrypted, monitoring traffic and usage patterns of EKM Systems (EKMS) may enable detection of anomalous (possibly malicious) activity in the enterprise network that is not detectable by other means. Metadata analysis of enterprise system traffic has been widely studied (for example at the TLS protocol level). However, KMIP metadata in EKMS has not been used for anomaly detection. In this paper, we present a framework for automated outlier rejection and anomaly detection. This involves investigation of KMIP metadata, determining characteristics to extract for dataset generation, and looking for patterns from which behaviors can be inferred. For automated labeling and detection, a deep learning-based model is applied to the generated datasets: Long Short-Term Memory (LSTM) auto-encoder neural networks with specific parameters. This generates heuristics based on categories of behavior. As a proof of concept, we simulated an enterprise environment, collected relevant KMIP metadata, and deployed this framework. Although our implementation used QuintessenceLabs EKMS, the framework we proposed is vendor neutral. The experimental results (Precision, Recall, and F1 = 1.0) demonstrate that our framework can accurately detect all anomalous enterprise network activities. This approach could be integrated with other enterprise information to enhance detection capabilities. Further, our proposal can be used as a general-purpose framework for anomaly detection and diagnosis.INDEX TERMS KMIP metadata analysis, deep learning, anomaly detection, enterprise key-management system, framework.

show abstract

Section: Introductionmentioning

confidence: 99%