ME-Box: A reliable method to detect malicious encrypted traffic. (June 2021)
- Record Type:
- Journal Article
- Title:
- ME-Box: A reliable method to detect malicious encrypted traffic. (June 2021)
- Main Title:
- ME-Box: A reliable method to detect malicious encrypted traffic
- Authors:
- Xu, Bingfeng
He, Gaofeng
Zhu, Haiting
- Abstract:
- Currently, encryption (such as the Transport Layer Security protocol) is used by increasingly more network applications to protect their security and privacy, while it also benefits network attackers who can encrypt their traffic to evade detection. The detection of malicious encrypted traffic is becoming a critical task for cyber security. To accomplish this task, researchers have proposed several enlightening methods, including decryption followed by deep packet inspection (DPI), direct DPI on ciphertext and identification by machine learning algorithms. However, due to privacy violations or performance limitations, the state-of-the-art is far from satisfactory. In this paper, we propose a novel framework and system called ME-Box (Machine learning and Evidence verification) for reliable detection of malicious encrypted traffic. ME-Box has middleboxes deployed in the network and agents installed on the sending hosts. Middleboxes first evaluate the trust degrees of encrypted flows by machine learning methods. If some flows are classified as suspicious, then middleboxes provide evidence of the evaluation results and request the corresponding session-keys from the agents. The agents verify the evidence, and if it is convincing, respond with the correct session-keys. With the session-keys, middleboxes finally decrypt the suspected encrypted flows and perform conventional DPI using intrusion signatures. We implement a prototype system of ME-Box and test it with real malware traffic. The experimental results show that ME-Box requires no modification of current cryptographic protocols and keeps end-users' privacy well, and its performance is practically deployable.
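The abstract describes a four-step exchange (classify on ciphertext, send evidence, agent verifies and releases the session key, middlebox decrypts and runs DPI) without giving formats. The following is an added simulation of that exchange with both sides' messages; it is not code from the paper or its prototype. The toy trust scorer, the JSON evidence body, the HMAC over the evidence under a middlebox-agent pre-shared key, the XOR keystream cipher standing in for TLS record encryption, the DPI signature list and all sample flows are assumptions constructed for this illustration.

```python
"""Toy simulation of the ME-Box request/verify/release exchange (added example).

Everything below is an assumption for illustration: the paper's real classifier,
evidence format and key-release protocol are not described on this page.
"""
import hashlib
import hmac
import json

SUSPICION_THRESHOLD = 0.7                              # assumed cut-off for "suspicious"
EVIDENCE_KEY = b"middlebox<->agent shared secret"      # assumed pre-shared key

# Constructed sample flows: features a middlebox can observe on ciphertext alone
# (packet count, mean payload length, fraction of packets going upstream).
FLOWS = {
    "flow-1": {"pkts": 40, "mean_len": 980, "up_ratio": 0.05},   # browser-like
    "flow-2": {"pkts": 600, "mean_len": 64, "up_ratio": 0.97},   # beacon-like
}

def trust_score(f):
    """Stand-in for the ML classifier: higher means more suspicious (0..1)."""
    small = 1.0 - min(f["mean_len"], 1400) / 1400      # many tiny records
    chatty = min(f["pkts"], 1000) / 1000               # long-lived, busy flow
    return round(0.4 * small + 0.3 * chatty + 0.3 * f["up_ratio"], 3)

def make_evidence(flow_id, features):
    """Middlebox side: evidence = observed features + score, authenticated by HMAC."""
    body = {"flow_id": flow_id, "features": features, "score": trust_score(features)}
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(EVIDENCE_KEY, raw, hashlib.sha256).hexdigest()
    return body, tag

class Agent:
    """Agent on the sending host: holds session keys and its own view of each flow."""
    def __init__(self, sessions):
        self.sessions = sessions  # flow_id -> {"key": bytes, "features": dict}

    def verify_and_release(self, body, tag):
        raw = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(EVIDENCE_KEY, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad evidence tag"
        sess = self.sessions.get(body["flow_id"])
        if sess is None:
            return None, "unknown flow"
        if sess["features"] != body["features"]:
            return None, "features do not match agent's own record"
        # Re-run the scorer locally: the agent does not trust the middlebox's number.
        if trust_score(body["features"]) != body["score"] or body["score"] < SUSPICION_THRESHOLD:
            return None, "score not convincing"
        return sess["key"], "released"

def keystream_xor(key, data):
    """XOR with HMAC-SHA256 counter blocks: a toy symmetric cipher standing in for TLS."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

SIGNATURES = [b"GET /gate.php", b"cmd=exec"]           # constructed DPI signatures

def dpi(plaintext):
    return [s.decode() for s in SIGNATURES if s in plaintext]

def run_mebox(flow_id, ciphertext, agent):
    """Full middlebox pipeline for one flow; returns what happened and any DPI hits."""
    features = FLOWS[flow_id]
    score = trust_score(features)
    if score < SUSPICION_THRESHOLD:
        return {"flow": flow_id, "score": score, "action": "pass", "hits": []}
    body, tag = make_evidence(flow_id, features)
    key, reason = agent.verify_and_release(body, tag)
    if key is None:
        return {"flow": flow_id, "score": score, "action": "no key: " + reason, "hits": []}
    hits = dpi(keystream_xor(key, ciphertext))
    return {"flow": flow_id, "score": score, "action": "decrypt+dpi", "hits": hits}

def forged_request(agent):
    """A middlebox that inflates the score after signing is refused by the agent."""
    body, tag = make_evidence("flow-1", FLOWS["flow-1"])
    body["score"] = 0.99
    return agent.verify_and_release(body, tag)[1]

# Constructed session keys and plaintexts; the middlebox only ever sees the ciphertext.
KEYS = {"flow-1": b"k1" * 16, "flow-2": b"k2" * 16}
AGENT = Agent({fid: {"key": KEYS[fid], "features": FLOWS[fid]} for fid in FLOWS})
CIPHERTEXTS = {
    "flow-1": keystream_xor(KEYS["flow-1"], b"GET /index.html HTTP/1.1"),
    "flow-2": keystream_xor(KEYS["flow-2"], b"GET /gate.php?cmd=exec&id=7"),
}

if __name__ == "__main__":
    for fid in FLOWS:
        print(run_mebox(fid, CIPHERTEXTS[fid], AGENT))
    print("forged evidence ->", forged_request(AGENT))
```

The privacy property the abstract claims hangs on the agent's checks: the key for flow-1 is never released because its score stays below the threshold, and a middlebox that tampers with the evidence after signing it fails the tag check. Only flow-2 is decrypted, and only then does signature matching run on plaintext.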
- Is Part Of:
- Journal of information security and applications. Volume 59(2021)
- Journal:
- Journal of information security and applications
- Issue:
- Volume 59(2021)
- Issue Display:
- Volume 59, Issue 2021 (2021)
- Year:
- 2021
- Volume:
- 59
- Issue:
- 2021
- Issue Sort Value:
- 2021-0059-2021-0000
- Page Start:
- Page End:
- Publication Date:
- 2021-06
- Subjects:
- Encrypted traffic -- Malicious detection -- DPI -- Machine learning -- Evidence
Computer security -- Periodicals
Information technology -- Security measures -- Periodicals
005.805
- Journal URLs:
- http://www.sciencedirect.com/
- DOI:
- 10.1016/j.jisa.2021.102823
- Languages:
- English
- ISSNs:
- 2214-2126
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store
- Ingest File:
- 16867.xml