Visible to the public Attacks on Dynamic Protocol Detection of Open Source Network Security Monitoring Tools

TitleAttacks on Dynamic Protocol Detection of Open Source Network Security Monitoring Tools
Publication TypeConference Paper
Year of Publication2020
AuthorsGrashöfer, J., Titze, C., Hartenstein, H.
Conference Name2020 IEEE Conference on Communications and Network Security (CNS)
Keywordsapplication layer protocol, Communication networks, composability, Conferences, dynamic networks, Dynamic Protocol Detection mechanisms, HTTP, Inspection, Intrusion detection, Metrics, Monitoring, monitoring systems, Network security, Protocol detection, protocol disambiguation, protocol-specific deep packet inspection, Protocols, pubcrawl, public domain software, real-world monitoring operations, resilience, Resiliency, security of data, source network monitoring tools, transport protocols, Web servers, widespread open-source network monitoring tools
AbstractProtocol detection is the process of determining the application layer protocol in the context of network security monitoring, which requires a timely and precise decision to enable protocol-specific deep packet inspection. This task has proven to be complex, as isolated characteristics, like port numbers, are not sufficient to reliably determine the application layer protocol. In this paper, we analyze the Dynamic Protocol Detection mechanisms employed by popular and widespread open-source network monitoring tools. On the example of HTTP, we show that all analyzed detection mechanisms are vulnerable to evasion attacks. This poses a serious threat to real-world monitoring operations. We find that the underlying fundamental problem of protocol disambiguation is not adequately addressed in two of three monitoring systems that we analyzed. To enable adequate operational decisions, this paper highlights the inherent trade-offs within Dynamic Protocol Detection.
Citation Keygrashofer_attacks_2020