You Do (Not) Belong Here: Detecting DPI Evasion Attacks with Context Learning
Shitong Zhu, Shasha Li, Zhongjie Wang, Xun Chen, Zhiyun Qian, Srikanth V. Krishnamurthy, Kevin S. Chan, Ananthram Swami

TL;DR
This paper introduces CLAP, an unsupervised machine learning method that detects and localizes DPI evasion attacks by learning packet context from benign traffic, achieving high accuracy and robustness.
Contribution
The work presents the first fully-automated, unsupervised ML solution for detecting and localizing DPI evasion attacks based on packet context analysis.
Findings
Achieves 0.963 AUC-ROC in detection
EER of 0.061 in detection
94.6% accuracy in localization
Abstract
As Deep Packet Inspection (DPI) middleboxes become increasingly popular, a spectrum of adversarial attacks have emerged with the goal of evading such middleboxes. Many of these attacks exploit discrepancies between the middlebox network protocol implementations, and the more rigorous/complete versions implemented at end hosts. These evasion attacks largely involve subtle manipulations of packets to cause different behaviours at DPI and end hosts, to cloak malicious network traffic that is otherwise detectable. With recent automated discovery, it has become prohibitively challenging to manually curate rules for detecting these manipulations. In this work, we propose CLAP, the first fully-automated, unsupervised ML solution to accurately detect and localize DPI evasion attacks. By learning what we call the packet context, which essentially captures inter-relationships across both (1)…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Network Packet Processing and Optimization
