Towards practical intrusion detection system over encrypted traffic*

Canard, Sébastien; Li, Chaoyun

doi:10.1049/ise2.12017

Cited by 16 publications

(27 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…During the validation process, the client is responsible to authenticate the identity of the destination server, rejecting impostors. To circumvent this 123:21 [106] Extend the TLS protocol to support middleboxes 2015 Asghar et al [34] Trusted execution for Network Functions (NFs) in the cloud 2016 Canard et al [41] DPI on the encrypted traffic using encrypted rules 2017 Lan et al [87] Trusted execution for NFs in the cloud 2016 Yuan et al [171] DPI on the encrypted traffic using encrypted rules 2016 Fan et al [66] DPI on the encrypted traffic using encrypted rules 2017 Naylor et al [105] Secure outsourcing of middlebox NFs in untrusted infrastructures 2017 Han et al [74] Secure outsourcing of middlebox NFs in untrusted infrastructures 2017 Coughlin et al [53] Secure outsourcing of middlebox NFV in untrusted infrastructures 2017 Poddar et al [119] Secure outsourcing of middlebox NFV in untrusted infrastructures 2018 Trach et al [148] Secure outsourcing of middlebox NFs in untrusted infrastructures 2018 Goltzsche et al [71] Secure virtual private network (VPN) with middlebox NF 2018 Duan et al [61] Secure outsourcing of middlebox NFs in untrusted infrastructures 2019 Ning et al [107] DPI on the encrypted traffic using encrypted rules 2019 Guo et al [72] Privacy preserving packet header processing for middleboxes in the cloud 2020 validation process, a self-signed CA certificate is injected into the client browser's root store at the time of installation. For network middleboxes, administrators deploy the middlebox certificate to the corresponding devices (e.g., of the organization) in a similar manner.…”

Section: Network Functions In Middleboxes After Network Encryptionmentioning

confidence: 99%

“…SPABox [66] is a middlebox-based system that supports keyword-based and data analysis-based DPI functions over encrypted traffic without having to decrypt it. Canard et al [41] present BlindIDS, which is able to perform deep packet inspection directly on encrypted network packets for intrusion detection. BlindIDS does not assume knowledge over the traffic content or the patterns of detection signatures.…”

Section: Network Functions In Middleboxesmentioning

confidence: 99%

“…With searchable encryption, tools are able to search directly on encrypted data without decrypting it, and thus, without leaking information in plaintext (e.g., for privacy preserving malware detection [56]). This is achieved by encrypting the rules to be searched against the already encrypted traffic (e.g., [41]). TEEs enable the secure code execution and information processing commonly using hardware-assisted features like memory enclaves.…”

Section: Techniquesmentioning

confidence: 99%

“…Intel SGX [8] is one of the most popular hardware-assisted TEEs and is frequently used to provide confidentiality and integrity guarantees to applications in environments where the OS could eventually become untrusted, like a cloud infrastructure (e.g., trusted antivirus in the cloud [57]). In [34,41,66,72,87,106,107,134,171], the authors perform network middlebox applications with core functionality the deep packet inspection using searchable encryption. In [53,61,71,74,105,119,148] the authors shield the network traffic processing using hardware enclaves that the Intel SGX technology provides.…”

Section: Techniquesmentioning

confidence: 99%

“…The datasets used to evaluate the works of this section are not other than the ones used by traditional works in network traffic processing inside middleboxes. Depending on the application goal (e.g., intrusion detection or firewall), the authors utilize the relevant rules (e.g., Snort rules [22] in [41,66,107,171]) and traffic traces (e.g., DARPA [1] in [171]).…”

Section: Datasetsmentioning

confidence: 99%

See 4 more Smart Citations

A Survey on Encrypted Network Traffic Analysis Applications, Techniques, and Countermeasures

2021

View full text Add to dashboard Cite

The adoption of network traffic encryption is continually growing. Popular applications use encryption protocols to secure communications and protect the privacy of users. In addition, a large portion of malware is spread through the network traffic taking advantage of encryption protocols to hide its presence and activity. Entering into the era of completely encrypted communications over the Internet, we must rapidly start reviewing the state-of-the-art in the wide domain of network traffic analysis and inspection, to conclude if traditional traffic processing systems will be able to seamlessly adapt to the upcoming full adoption of network encryption. In this survey, we examine the literature that deals with network traffic analysis and inspection after the ascent of encryption in communication channels. We notice that the research community has already started proposing solutions on how to perform inspection even when the network traffic is encrypted and we demonstrate and review these works. In addition, we present the techniques and methods that these works use and their limitations. Finally, we examine the countermeasures that have been proposed in the literature in order to circumvent traffic analysis techniques that aim to harm user privacy.

show abstract

Section: Network Functions In Middleboxes After Network Encryptionmentioning

confidence: 99%

Section: Network Functions In Middleboxesmentioning

confidence: 99%

Section: Techniquesmentioning

confidence: 99%

Section: Techniquesmentioning

confidence: 99%

Section: Datasetsmentioning

confidence: 99%

See 3 more Smart Citations

A Survey on Encrypted Network Traffic Analysis Applications, Techniques, and Countermeasures

2021

View full text Add to dashboard Cite

show abstract

Public Key Encryption with Flexible Pattern Matching

Bouscatié

Castagnos

Sanders

2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Many interesting applications of pattern matching (e.g. deeppacket inspection or medical data analysis) target very sensitive data. In particular, spotting illegal behaviour in internet traffic conflicts with legitimate privacy requirements, which usually forces users (e.g. children, employees) to blindly trust an entity that fully decrypts their traffic in the name of security. The compromise between traffic analysis and privacy can be achieved through searchable encryption. However, as the traffic data is a stream and as the patterns to search are bound to evolve over time (e.g. new virus signatures), these applications require a kind of searchable encryption that provides more flexibility than the classical schemes. We indeed need to be able to search for patterns of variable sizes in an arbitrary long stream that has potentially been encrypted prior to pattern identification. To stress these specificities, we call such a scheme a stream encryption supporting pattern matching. Recent papers use bilinear groups to provide public key constructions supporting these features [3,13]. These solutions are lighter than more generic ones (e.g. fully homomorphic encryption) while retaining the adequate expressivity to support pattern matching without harming privacy more than needed. However, all existing solutions in this family have weaknesses with respect to efficiency and security that need to be addressed. Regarding efficiency, their public key has a size linear in the size of the alphabet, which can be quite large, in particular for applications that naturally process data as bytestrings. Regarding security, they all rely on a very strong computational assumption that is both interactive and specially tailored for this kind of scheme. In this paper, we tackle these problems by providing two new constructions using bilinear groups to support pattern matching on encrypted streams. Our first construction shares the same strong assumption but dramatically reduces the size of the public key by removing the dependency on the size of the alphabet, while nearly halving the size of the ciphertext. On a typical application with large patterns, our public key is two order of magnitude smaller than the one of previous schemes, which demonstrates the practicality of our approach. Our second construction manages to retain most of the good features of the first one while exclusively relying on a simple (static) variant of DDH, which solves the security problem of previous works.

show abstract