Published September 26, 2022 | Version v1
Conference paper Restricted

Network Intrusion Detection in Encrypted Traffic

  • 1. Foundation for Research and Technology, Hellas
  • 2. Technical University of Crete and Foundation for Research and Technology, Hellas

Description

Traditional signature-based intrusion detection systems inspect packet headers and payloads to report any malicious or abnormal traffic behavior that is observed in the network. With the advent and rapid adoption of network encryption mechanisms, typical deep packet inspection systems that monitor network packet payload contents are becoming less effective. Advancing intrusion detection tools to also be effective in encrypted networks is crucial. In this work, we propose a simple and mineable signature language to describe packet sequences for the identification of intrusion attempt events in encrypted networks using packet metadata. We demonstrate the effectiveness of this methodology using different tools for penetrating a vulnerable web server and a public dataset with IoT malware traffic. We provide an efficient implementation of the signature language and we integrate it into an intrusion detection system. Using our proposed methodology, the generated signatures can effectively and efficiently report intrusion attempts.
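The idea the abstract describes, a signature written as a sequence of packet-metadata constraints that can be matched without seeing any payload, as an added example that is not the paper's language or implementation (the step syntax, the `max_skip`/`max_gap` tolerances and the sample flows are assumptions constructed here):

```python
# Added illustration (not the paper's own language or code): a minimal matcher
# that uses only packet metadata (time, direction, size), which stays visible
# in encrypted flows, to recognise a signature written as a packet sequence.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Pkt:
    ts: float        # capture time in seconds
    direction: str   # "c2s" (client to server) or "s2c"
    size: int        # payload length in bytes
@dataclass
class Step:              # one element of a signature
    direction: str
    min_size: int
    max_size: int
    max_gap: Optional[float] = None  # max seconds since the previous matched step
@dataclass
class Signature:
    name: str
    steps: List[Step]
    max_skip: int = 2    # unrelated packets tolerated between consecutive steps

def step_matches(step: Step, p: Pkt, prev_ts: Optional[float]) -> bool:
    if p.direction != step.direction or not step.min_size <= p.size <= step.max_size:
        return False
    return step.max_gap is None or prev_ts is None or p.ts - prev_ts <= step.max_gap

def match(sig: Signature, flow: List[Pkt]) -> Optional[int]:
    # Return the index of the packet where the earliest match begins, else None.
    for start, first in enumerate(flow):
        if not step_matches(sig.steps[0], first, None):
            continue
        i, prev_ts, ok = start + 1, first.ts, True
        for step in sig.steps[1:]:
            skipped = 0
            while i < len(flow) and not step_matches(step, flow[i], prev_ts):
                skipped, i = skipped + 1, i + 1   # skip an unrelated packet
            if i >= len(flow) or skipped > sig.max_skip:
                ok = False
                break
            prev_ts, i = flow[i].ts, i + 1
        if ok:
            return start
    return None

# Constructed samples: three quick, similarly sized request/response rounds
# (with one unrelated small server packet in between) versus a bulk download.
SIG = Signature("repeated-small-req-resp", [Step("c2s", 100, 300), Step("s2c", 50, 150, 0.5)] * 3)
FLOW = [Pkt(0.00, "c2s", 180), Pkt(0.05, "s2c", 90), Pkt(0.30, "c2s", 185), Pkt(0.32, "s2c", 40),
        Pkt(0.35, "s2c", 95), Pkt(0.60, "c2s", 190), Pkt(0.66, "s2c", 92)]
BENIGN = [Pkt(0.0, "c2s", 180), Pkt(0.1, "s2c", 1400), Pkt(0.2, "s2c", 1400)]
```

`match(SIG, FLOW)` reports a hit at packet 0 while `match(SIG, BENIGN)` returns `None`; a real deployment would key flows by 5-tuple and run every signature over each flow's metadata as packets arrive.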

Files

Restricted

The record is publicly accessible, but files are restricted to users with access.

Additional details

Funding

European Commission
CONCORDIA - Cyber security cOmpeteNCe fOr Research anD InnovAtion 830927
European Commission
CyberSANE - Cyber Security Incident Handling, Warning and Response System for the European Critical Infrastructures 833683
European Commission
COLLABS - A COmprehensive cyber-intelligence framework for resilient coLLABorative manufacturing Systems 871518