Papadogiannaki Eva, Ioannidis Sotiris
Institute of Computer Science, Foundation for Research and Technology-Hellas (FORTH), GR-70013 Heraklion, Crete, Greece.
School of Electrical and Computer Engineering, Technical University of Crete, University Campus, GR-73100 Chania, Crete, Greece.
Sensors (Basel). 2021 Feb 6;21(4):1140. doi: 10.3390/s21041140.
More than 75% of Internet traffic is now encrypted, and this percentage is constantly increasing. The majority of communications are secured using common encryption protocols such as SSL/TLS and IPsec to ensure security and protect the privacy of Internet users. However, encryption can be exploited to hide malicious activities, camouflaged into normal network traffic. Traditionally, network traffic inspection is based on techniques like deep packet inspection (DPI). Common applications for DPI include but are not limited to firewalls, intrusion detection and prevention systems, L7 filtering, and packet forwarding. With the widespread adoption of network encryption though, DPI tools that rely on packet payload content are becoming less effective, demanding the development of more sophisticated techniques in order to adapt to current network encryption trends. In this work, we present HeaderHunter, a fast signature-based intrusion detection system even for encrypted network traffic. We generate signatures using only network packet metadata extracted from packet headers. In addition, we examine the processing acceleration of the intrusion detection engine using different heterogeneous hardware architectures.
现在超过75%的互联网流量都进行了加密,而且这一比例还在不断上升。大多数通信都使用SSL/TLS和IPsec等通用加密协议进行加密,以确保安全性并保护互联网用户的隐私。然而,加密可能会被用于隐藏恶意活动,伪装成正常的网络流量。传统上,网络流量检查基于深度包检测(DPI)等技术。DPI的常见应用包括但不限于防火墙、入侵检测和预防系统、L7过滤以及数据包转发。不过,随着网络加密的广泛采用,依赖数据包有效载荷内容的DPI工具正变得越来越无效,这就需要开发更复杂的技术以适应当前的网络加密趋势。在这项工作中,我们展示了HeaderHunter,这是一种即使对于加密网络流量也能快速基于特征进行入侵检测的系统。我们仅使用从数据包头部提取的网络数据包元数据来生成特征。此外,我们研究了使用不同异构硬件架构对入侵检测引擎进行处理加速的情况。
