Hunting for Hidden RDP-MITM: Analyzing and Detecting RDP MITM Tools Based on Network Features

Hao Miao, Zhou-yu Zhou, Renjie Li, Fengyuan Shi, Wei Yang, Shu Li, Qingyun Liu
Published in: 2023 IEEE Symposium on Computers and Communications (ISCC), 2023-07-09
DOI: 10.1109/ISCC58397.2023.10218180 (https://doi.org/10.1109/ISCC58397.2023.10218180)
Citation count: 0

Abstract

Remote Desktop Protocol (RDP) is commonly used for remote access to Windows computers. As more and more people work remotely, the number of RDP users is increasing, making RDP a growing concern in cybersecurity. The latest threat to RDP security is RDP man-in-the-middle (MITM) tools, which implement the MITM function inside an RDP connection and automate the MITM attack process, significantly reducing the difficulty of network attacks. At the same time, RDP MITM tools can be used to build high-interaction RDP honeypots. In order to mitigate this risk, we present the first in-depth study of RDP MITM tools in this paper. Through analysis and experiment, we identify network features that can be used to detect RDP MITM tools effectively. Based on packet latency and the TLS handshake, we propose a machine learning classifier that can detect RDP MITM tools to secure RDP connections. Finally, we analyze the deployment of RDP MITM tools in the wild and measure them effectively using our proposed detection approach.