Intrusion Detection and Ubiquitous Host to Host Encryption

TL;DR

This paper proposes a heuristic network intrusion detection model that effectively identifies threats in fully encrypted networks by analyzing deviations from normal behavior, addressing privacy concerns and the limitations of signature-based detection.

Contribution

It introduces a novel heuristic approach for intrusion detection suitable for encrypted networks, moving beyond traditional signature-based methods.

Findings

Effective detection of intrusions in encrypted traffic

Network monitoring based on normal behavior deviations

Supports privacy-preserving security models

Abstract

Growing concern for individual privacy, driven by an increased public awareness of the degree to which many of our electronic activities are tracked by interested third parties (e.g. Google knows what I am thinking before I finish entering my search query), is driving the development anonymizing technologies (e.g. Tor). The coming mass migration to IPv6 as the primary transport of Internet traffic promises to make one such technology, end-to-end host based encryption, more readily available to the average user. In a world where end-to-end encryption is ubiquitous, what can replace the existing models for network intrusion detection? How can network administrators and operators, responsible for securing networks against hostile activity, protect a network they cannot see? In an encrypted world, signature based event detection is unlikely to prove useful. In order to secure a network in such an environment, without trampling the privacy afforded to users by end-to-end encryption, our threat detection model needs to evolve from signature based detection to a heuristic model that flags deviations from normal network-wide behavior for further investigation. In this paper we present such a heuristic model and test its effectiveness for detecting intrusions in an entirely encrypted network environment. Our results demonstrate the network intrusion detection system's ability to monitor a network carrying only host-to-host encrypted traffic. This work indicates that a broad perspective change is required. Network security models need to evolve from endeavoring to define attack signatures to describing what the network looks like under normal conditions and searching for deviations from the norm.