Pascal Wichmann, Matthias Marx, H. Federrath, Mathias Fischer
{"title":"Detection of Brute-Force Attacks in End-to-End Encrypted Network Traffic","authors":"Pascal Wichmann, Matthias Marx, H. Federrath, Mathias Fischer","doi":"10.1145/3465481.3470113","DOIUrl":null,"url":null,"abstract":"Network intrusion detection systems (NIDSs) can detect attacks in network traffic. However, the increasing ratio of encrypted connections on the Internet restricts their ability to observe such attacks. This paper proposes a completely passive method that allows to detect brute-force attacks in encrypted traffic without the need to decrypt it. For that, we propose five novel metrics for attack detection which quantify metadata like packet size or packet timing. We evaluate the performance of our method with synthetically generated but realistic traffic as well as on real-world traffic from a Tor exit node on the Internet. Our results indicate that the proposed metrics can reliably detect brute-force attacks in encrypted traffic in protocols like HTTPS, FTPS, IMAPS, SMTPS, and SSH. Simultaneously, our approach causes only a few false positives, achieving an F-measure between 75% and 100%.","PeriodicalId":417395,"journal":{"name":"Proceedings of the 16th International Conference on Availability, Reliability and Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-08-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 16th International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3465481.3470113","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 5
Abstract
Network intrusion detection systems (NIDSs) can detect attacks in network traffic. However, the increasing ratio of encrypted connections on the Internet restricts their ability to observe such attacks. This paper proposes a completely passive method that allows to detect brute-force attacks in encrypted traffic without the need to decrypt it. For that, we propose five novel metrics for attack detection which quantify metadata like packet size or packet timing. We evaluate the performance of our method with synthetically generated but realistic traffic as well as on real-world traffic from a Tor exit node on the Internet. Our results indicate that the proposed metrics can reliably detect brute-force attacks in encrypted traffic in protocols like HTTPS, FTPS, IMAPS, SMTPS, and SSH. Simultaneously, our approach causes only a few false positives, achieving an F-measure between 75% and 100%.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
