Confidential Payload Attribution on Encrypted Traffic of Enterprise Networks
Subject Areas: ICT
Seyed Mohammad Hosseini 1*, Amir Hosein Jahangir 2, Mahdi Soltani 3
1 - Faculty of Computer Engineering, Shahid Beheshti University, Tehran, Iran
2 - Computer Engineering Department, Sharif University of Technology, Tehran, Iran
3 - Computer Engineering Department, Sharif University of Technology, Tehran, Iran
Keywords: Network forensics, Payload attribution, Encrypted traffic, Confidentiality
Abstract:
The widespread use of encryption protocols is accompanied by an increased risk of organizational-level security devices becoming ineffective. When network traffic is encrypted, many security tasks, such as intrusion detection and network forensics, that rely on inspecting the content of flow payloads no longer work. Existing practical approaches to this problem rely on TLS interception, which not only violates confidentiality but also introduces security problems of its own. This paper introduces a confidential payload attribution system called "JormYab". JormYab is a practical approach to enabling data attribution on standard encrypted traffic in organizational networks. JormYab can be easily deployed in an enterprise network, is based on a simple traffic digesting mechanism, and does not violate confidentiality. Our practical and realistic evaluations show that JormYab can store a history of the standard encrypted traffic of an enterprise network for use in network forensic investigations. The realistic scenarios used in our research also reveal common challenges and problems in the process of payload attribution investigations, and based on them we discuss effective methods for addressing these issues.
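To make the notion of a "traffic digest" concrete, the following Python example illustrates the general class of payload attribution schemes the abstract refers to: payload bytes are never stored, only Bloom-filter entries derived from fixed-size blocks tagged with a flow identifier, and an investigator later asks whether a given excerpt was carried by a recorded flow. This is an added illustration written for this page, not JormYab's mechanism (the abstract does not describe its digest in detail) and not code from the authors; the `BloomFilter`, `PayloadDigest`, `record` and `attribute` names, the 8-byte block size and the sample payloads are all constructed for the demo.

```python
import hashlib

# Bytes per block. Deployed schemes use larger blocks; 8 keeps the constructed
# sample data short enough to follow by hand.
BLOCK = 8


class BloomFilter:
    """Minimal Bloom filter using double hashing over a SHA-256 digest."""

    def __init__(self, n_bits: int = 1 << 20, n_hashes: int = 5) -> None:
        self.n_bits = n_bits
        self.n_hashes = n_hashes
        self.bits = bytearray(n_bits // 8)

    def _positions(self, item: bytes):
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1  # odd step so probes spread over the table
        return [(h1 + i * h2) % self.n_bits for i in range(self.n_hashes)]

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


class PayloadDigest:
    """Digest store: keeps hashes of (flow, block) and (flow, block, next block).

    The pair entries preserve block order, so an excerpt must appear as a
    contiguous run inside one flow, not merely as a bag of blocks. No payload
    bytes are retained, only the filter bits and flow identifiers.
    """

    def __init__(self) -> None:
        self.bf = BloomFilter()
        self.flows = []  # hypothetical flow ids (5-tuple + time); metadata only

    @staticmethod
    def _blocks(data: bytes, start: int = 0):
        return [data[i:i + BLOCK] for i in range(start, len(data) - BLOCK + 1, BLOCK)]

    def record(self, flow_id: str, payload: bytes) -> None:
        fid = flow_id.encode()
        self.flows.append(flow_id)
        blocks = self._blocks(payload)
        for k, blk in enumerate(blocks):
            self.bf.add(fid + b"|" + blk)
            if k + 1 < len(blocks):
                self.bf.add(fid + b"|" + blk + blocks[k + 1])

    def _matches(self, fid: bytes, blocks) -> bool:
        for k, blk in enumerate(blocks):
            if fid + b"|" + blk not in self.bf:
                return False
            if k + 1 < len(blocks) and fid + b"|" + blk + blocks[k + 1] not in self.bf:
                return False
        return True

    def attribute(self, excerpt: bytes) -> set:
        """Return the flow ids whose digest is consistent with carrying `excerpt`.

        The excerpt's alignment to the flow's block grid is unknown, so every
        alignment is tried; at least two full blocks are required so that the
        order-preserving pair entries get checked.
        """
        hits = set()
        for flow_id in self.flows:
            fid = flow_id.encode()
            for align in range(BLOCK):
                blocks = self._blocks(excerpt, align)
                if len(blocks) >= 2 and self._matches(fid, blocks):
                    hits.add(flow_id)
                    break
        return hits


def demo() -> dict:
    # Constructed sample payloads, not real captures.
    store = PayloadDigest()
    store.record("10.0.0.5:51234->203.0.113.7:443@t1",
                 b"GET /reports/q3-forecast.xlsx HTTP/1.1\r\nHost: files.example\r\n")
    store.record("10.0.0.9:40211->198.51.100.2:443@t2",
                 b"POST /upload HTTP/1.1\r\nContent-Type: application/zip\r\n")
    return {
        "known": store.attribute(b"/reports/q3-forecast.xlsx HTTP/1.1\r\nHost"),
        "unknown": store.attribute(b"this string never crossed the wire, honestly"),
    }


if __name__ == "__main__":
    print(demo())
```

The query side sees only membership answers, so an investigator must already hold the excerpt to ask about it; the store itself does not let anyone read back what was sent. The remaining risk is the filter's false-positive rate, which is why the filter size and hash count have to be chosen against the expected number of blocks. How the digest obtains plaintext on an end-to-end encrypted link without interception is the deployment question the paper addresses and is not modelled here.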