TY - GEN
T1 - Combating against attacks on encrypted protocols
AU - Fadlullah, Zubair Md
AU - Taleb, Tarik
AU - Ansari, Nirwan
AU - Hashimoto, Kazuo
AU - Miyake, Yutake
AU - Nemoto, Yoshiaki
AU - Kato, Nei
PY - 2007
Y1 - 2007
N2 - Attacks against encrypted protocols are becoming increasingly popular. They pose a serious challenge to the conventional Intrusion Detection Systems (IDSs) which heavily rely on inspecting the network packet fields and are consequently unable to monitor encrypted sessions. IDSs can be broadly categorized into two types: signature-based and anomaly-based IDSs. The signature-based IDSs rely on previous attack signatures but are often ineffective against new attacks. On the other hand, anomaly-based detection systems depend on detecting the change in the protocol behavior caused by an attack. The latter can be employed to detect novel attacks, and therefore are often preferred over their signature-based counterpart. In this paper, we envision an anomaly-based IDS which can detect attacks against popular encrypted protocols, such as SSH and SSL. The proposed system creates a normal behavior profile and uses a nonparametric Cusum algorithm to detect deviation from the normal profile. Upon detecting an anomaly, the proposed mechanism generates an alert, sets a delay to the protocol response, and traces back the attacker. The effectiveness of the proposed detection scheme is verified via simulations.
AB - Attacks against encrypted protocols are becoming increasingly popular. They pose a serious challenge to the conventional Intrusion Detection Systems (IDSs) which heavily rely on inspecting the network packet fields and are consequently unable to monitor encrypted sessions. IDSs can be broadly categorized into two types: signature-based and anomaly-based IDSs. The signature-based IDSs rely on previous attack signatures but are often ineffective against new attacks. On the other hand, anomaly-based detection systems depend on detecting the change in the protocol behavior caused by an attack. The latter can be employed to detect novel attacks, and therefore are often preferred over their signature-based counterpart. In this paper, we envision an anomaly-based IDS which can detect attacks against popular encrypted protocols, such as SSH and SSL. The proposed system creates a normal behavior profile and uses a nonparametric Cusum algorithm to detect deviation from the normal profile. Upon detecting an anomaly, the proposed mechanism generates an alert, sets a delay to the protocol response, and traces back the attacker. The effectiveness of the proposed detection scheme is verified via simulations.
UR - http://www.scopus.com/inward/record.url?scp=38549179979&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=38549179979&partnerID=8YFLogxK
U2 - 10.1109/ICC.2007.205
DO - 10.1109/ICC.2007.205
M3 - Conference contribution
AN - SCOPUS:38549179979
SN - 1424403537
SN - 9781424403530
T3 - IEEE International Conference on Communications
SP - 1211
EP - 1216
BT - 2007 IEEE International Conference on Communications, ICC'07
T2 - 2007 IEEE International Conference on Communications, ICC'07
Y2 - 24 June 2007 through 28 June 2007
ER -