Cross-Layer Profiling of Encrypted Network Data for Anomaly Detection

Title: Cross-Layer Profiling of Encrypted Network Data for Anomaly Detection
Publication Type: Conference Paper
Year of Publication: 2020
Authors: Meghdouri, Fares; Vázquez, Félix Iglesias; Zseby, Tanja
Conference Name: 2020 IEEE 7th International Conference on Data Science and Advanced Analytics (DSAA)
Keywords: anomaly detection, composability, Cross Layer Security, Deep Learning, encrypted communications, Encryption, feature extraction, IP networks, Machine Learning, network data analysis, Protocols, pubcrawl, resilience, Resiliency, Routing protocols

In January 2017 encrypted Internet traffic surpassed non-encrypted traffic. Although encryption increases security, it also masks intrusions and attacks by blocking access to packet contents and traffic features, making data analysis unfeasible. In spite of the strong effect of encryption, its impact has been scarcely investigated in the field. In this paper we study how encryption affects flow feature spaces and machine learning-based attack detection. We propose a new cross-layer feature vector that simultaneously represents traffic at three different levels: application, conversation, and endpoint behavior. We analyze its behavior under TLS and IPsec encryption and evaluate its efficacy on recent network traffic datasets using Random Forest classifiers. The cross-layer multi-key approach shows excellent attack detection in spite of TLS encryption. When IPsec is applied, the reduced variant obtains satisfactory detection for botnets, yet considerable performance drops for other types of attacks. The high complexity of network traffic is unfeasible for monolithic data analysis solutions, therefore requiring cross-layer analysis, for which the multi-key vector becomes a powerful profiling core.

Citation Key: meghdouri_cross-layer_2020