Detection of Encrypted Tunnels Across Network Boundaries
Dusi, M.
Crotti, M.
Gringoli, F.
Salgarelli, L.
DEA, Univ. degli Studi di Brescia, Brescia;
This paper appears in: Communications, 2008. ICC '08. IEEE International Conference on
Publication Date: 19-23 May 2008
On page(s): 1738-1744
Location: Beijing,
ISBN: 978-1-4244-2075-9
INSPEC Accession Number: 10041397
Digital Object Identifier: 10.1109/ICC.2008.334
Current Version Published: 2008-05-30
Abstract
The use of covert application-layer tunnels to bypass security gateways has become quite popular in recent years. By encapsulating blocked or controlled protocols such as peer- to-peer, chat and e-mail into others allowed by the security policies, such as HTTP, SSH or even DNS, both legitimate and malicious users can effectively neutralize many security restrictions enforced at the network edge. Traditional firewalling techniques, based on Application Layer Gateways and even pattern-matching mechanisms are becoming practically useless as tunneling tools grow more sophisticated. In this paper we propose an effective solution to this problem based on a statistical traffic classification technique. Our mechanism relies on the creation of a statistical fingerprint of legitimate usage of a given protocol, such as regular remote interactive logins or secure copying activities. Such fingerprint can then be used to detect with high accuracy non-legitimate sessions, i.e., sessions that tunnel other protocols. Results from experiments conducted on a live network suggest that the technique can be very effective, even when the application layer protocol used as a tunnel is encrypted, such as in the case of SSH.
Index
Terms
Available to subscribers and IEEE members.
References
Available to subscribers and IEEE members.
Citing Documents
Available to subscribers and IEEE members.
Cart
