Payload attribution on encrypted enterprise traffic without violating confidentiality
Subject area: Information and Communication Technology
Seyed Mohammad Hosseini 1*, Amir Hossein Jahangir 2, Mehdi Soltani 3
1 - Faculty of Computer Science and Engineering, Shahid Beheshti University, Tehran, Iran
2 - Department of Computer Engineering, Sharif University of Technology, Tehran, Iran
3 - Department of Computer Engineering, Sharif University of Technology, Tehran, Iran
Keywords: network forensics, payload attribution, encrypted traffic, confidentiality
Abstract:
The widespread use of encryption protocols is accompanied by an increased risk of organizational-level security devices becoming ineffective. When network traffic is encrypted, many security tasks such as intrusion detection and network forensics that rely on processing the content of flow payloads become ineffective. Existing practical approaches to this problem are based on TLS interception, which not only violates confidentiality but also introduces security issues of its own. This paper introduces a confidential payload attribution system called "JormYab". JormYab is a practical approach to enabling payload attribution on standard encrypted traffic in organizational networks. JormYab, which can be easily deployed in an enterprise network, is based on a simple traffic digesting mechanism and does not violate confidentiality. Our practical and realistic evaluations show that JormYab can store a history of the standard encrypted traffic of an enterprise network for use in network forensic investigations. The realistic scenarios we used in our research also reveal common challenges and problems in the process of payload attribution investigations, and based on them we discuss effective methods to address these issues.
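The abstract describes attribution by digesting traffic rather than retaining it, but the page does not detail JormYab's mechanism. The following is an added illustration, not the paper's code, of the classic Bloom-filter payload-digest idea behind payload attribution: each flow's payload is reduced to block fingerprints, the plaintext is discarded, and an investigator later asks which flows could have carried a given excerpt. Flow ids, block size and sample payloads are constructed for the example.

```python
import hashlib

BLOCK = 8  # bytes per digested block (small value chosen for this toy example)

class BloomDigest:
    """Fixed-size Bloom filter holding block fingerprints, never payload bytes."""
    def __init__(self, n_bits: int = 1 << 16, n_hashes: int = 4) -> None:
        self.n_bits, self.n_hashes = n_bits, n_hashes
        self.bits = bytearray(n_bits // 8)
    def _positions(self, item: bytes):
        # k bit positions from SHA-256 with a distinct one-byte prefix per hash
        for i in range(self.n_hashes):
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.n_bits
    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def digest_flow(payload: bytes, block: int = BLOCK) -> BloomDigest:
    """Insert every aligned block of one flow's payload; the plaintext is then dropped."""
    bf = BloomDigest()
    for off in range(0, len(payload) - block + 1, block):
        bf.add(payload[off:off + block])
    return bf

def excerpt_in_digest(bf: BloomDigest, excerpt: bytes, block: int = BLOCK) -> bool:
    """The excerpt's alignment in the payload is unknown, so try every shift; at the
    right shift all full blocks are present (Bloom lookups never give false negatives)."""
    if len(excerpt) < 2 * block - 1:  # otherwise some shift has no full block
        raise ValueError("excerpt too short for attribution")
    for shift in range(block):
        blocks = [excerpt[o:o + block] for o in range(shift, len(excerpt) - block + 1, block)]
        if all(b in bf for b in blocks):
            return True
    return False

def attribute(digests: dict, excerpt: bytes) -> set:
    """Ids of flows whose digest could have carried the excerpt (false positives possible)."""
    return {fid for fid, bf in digests.items() if excerpt_in_digest(bf, excerpt)}

# Constructed sample flows; the store retains only their digests, not the bytes.
SAMPLE_DIGESTS = {
    "10.0.0.5:51234->203.0.113.7:443": digest_flow(b"GET /secret/plan.pdf HTTP/1.1\r\nHost: files.example\r\n"),
    "10.0.0.9:40021->198.51.100.2:443": digest_flow(b"POST /api/login HTTP/1.1\r\nHost: sso.example\r\n"),
}
```

Because only fingerprints are stored, an investigator holding the digest store cannot reconstruct the traffic, yet can still confirm or rule out that a known excerpt passed through a given flow, subject to the filter's false-positive rate.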