Published September 30, 2020 | Version v1
Conference paper Restricted

Head(er)Hunter: Fast Intrusion Detection using Packet Metadata Signatures

  • 1. FORTH-ICS
  • 2. Technical University of Crete

Description

More than 75% of the Internet traffic is now encrypted, while this percentage is constantly increasing. The majority of communications are secured using common encryption protocols such as SSL/TLS and IPsec to ensure security and protect the privacy of Internet users. Yet, encryption can be exploited to hide malicious activities. Traditionally, network traffic inspection is based on techniques like deep packet inspection (DPI). Common applications for DPI include but are not limited to firewalls, intrusion detection and prevention systems, L7 filtering and packet forwarding. The core functionality of such DPI implementations is based on pattern matching that enables searching for specific strings or regular expressions inside the packet contents. With the widespread adoption of network encryption though, DPI tools that rely on packet payload content are becoming less effective, demanding the development of more sophisticated techniques in order to adapt to current network encryption trends. In this work, we present HeaderHunter, a fast signature-based intrusion detection system even in encrypted network traffic. We generate signatures using only network packet metadata extracted from packet headers. Also, to cope with the ever increasing network speeds, we accelerate the inner computations of our proposed system using off-the-shelf GPUs.

Files

Restricted

The record is publicly accessible, but files are restricted to users with access.

Additional details

Funding

CONCORDIA – Cyber security cOmpeteNCe fOr Research anD InnovAtion 830927
European Commission
I-BiDaaS – Industrial-Driven Big Data as a Self-Service Solution 780787
European Commission
CyberSANE – Cyber Security Incident Handling, Warning and Response System for the European Critical Infrastructures 833683
European Commission