Authors:
Daniel Hamburg and York Tüchelmann
Affiliation:
Integrated Information Systems Group, Ruhr University, Germany
Keyword(s):
Transport Layer Security Sensor, Data Collection, Local Application Proxy, Encrypted Attacks, Intrusion Detection, Intrusion Prevention, Secure Socket Layer.
Related Ontology Subjects/Areas/Topics:
Internet Technology; Intrusion Detection and Response; Web Information Systems and Technologies; Web Security and Privacy
Abstract:
Common Intrusion Detection Systems are susceptible to encrypted attacks, i.e. attacks that employ security protocols to conceal malign data. In this work, we introduce a software sensor, called Transport Layer Security Sensor (TLSS), providing detection engines access to network data encrypted at the Transport Layer. Transport Layer Encryption, such as SSL, is typically implemented by a local application and not the OS. TLSS resides on the monitored host and executes cryptographic functions on behalf of local applications. TLSS decrypts incoming encrypted network packets and passes the data to the application, e.g., a Web server software. In addition, cleartext data is also passed to a detection engine for analysis. We present an implementation of TLSS designed for Web servers providing SSL-secured HTTP access and evaluate the sensor’s performance.