Advanced Information Networking and Applications Workshops, International Conference on (2007)
Niagara Falls, Ontario, Canada
May 21, 2007 to May 23, 2007
Akira Yamada , KDDI R&D Laboratories Inc., Japan
Yutaka Miyake , KDDI R&D Laboratories Inc., Japan
Keisuke Takemori , KDDI R&D Laboratories Inc., Japan
Ahren Studer , Carnegie Mellon University
Adrian Perrig , Carnegie Mellon University
As various services are provided as web applications, attacks against web applications constitute a serious problem. Intrusion Detection Systems (IDSes) are one solution, however, these systems do not work effectively when the accesses are encrypted by protocols. Because the IDSes inspect the contents of a packet, it is difficult to find attacks by the current IDS. This paper presents a novel approach to anomaly detection for encrypted web accesses. This approach applies encrypted traffic analysis to intrusion detection, which analyzes contents of encrypted traffic using only data size and timing without decryption. First, the system extracts information from encrypted traffic, which is a set comprising data size and timing for each web client. Second, the accesses are distinguished based on similarity of the information and access frequencies are calculated. Finally, malicious activities are detected according to rules generated from the frequency of accesses and characteristics of HTTP traffic. The system does not extract private information or require enormous pre-operation beforehand, which are needed in conventional encrypted traffic analysis. We show that the system detects various attacks with a high degree of accuracy, adopting an actual dataset gathered at a gateway of a network and the DARPA dataset.
A. Yamada, Y. Miyake, K. Takemori, A. Studer and A. Perrig, "Intrusion Detection for Encrypted Web Accesses," Advanced Information Networking and Applications Workshops, International Conference on(AINAW), Niagara Falls, Ontario, Canada, 2007, pp. 569-576.