Find Behaviors of Network Evasion and Protocol Obfuscation Using Traffic Measurement

  • Conference paper
  • In: Trustworthy Computing and Services (ISCTCS 2014)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 520)

Abstract

With the development of computer networks, security has become more and more important. Intrusion Detection Systems (IDS) and firewalls are used to detect and block malicious applications and specific protocols. As a result, some malicious applications have begun to mimic common application protocols or to obfuscate themselves in order to escape detection; this is called network evasion. Evasion seriously harms Internet security, so a method to detect network evasion and protocol obfuscation behavior is needed. In this paper, we analyze and list some common network evasion techniques and protocol obfuscation examples. We propose a method based on measurement and statistics to find protocol obfuscation behavior, taking web crawlers as an example. We measured a massive volume of traffic in a real high-speed network and found differences in statistical characteristics between Google's web crawlers and private web crawlers. From these differences we propose a model to detect obfuscation by web crawlers; with this model, we found some web crawlers exhibiting protocol obfuscation behavior. We believe this method is also useful for discovering and verifying other behaviors of network evasion and protocol obfuscation.

Acknowledgements

This work is supported by the National Science and Technology Support Program (No. 2012BAH46B02, No. 2012BAH45B01); the National High Technology Research and Development Program (863 Program) of China (No. 2011AA010703); the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDA06030200).

Author information

Corresponding author

Correspondence to Gang Xiong.

Copyright information

© 2015 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bai, Q., Xiong, G., Zhao, Y. (2015). Find Behaviors of Network Evasion and Protocol Obfuscation Using Traffic Measurement. In: Yueming, L., Xu, W., Xi, Z. (eds) Trustworthy Computing and Services. ISCTCS 2014. Communications in Computer and Information Science, vol 520. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47401-3_45

  • DOI: https://doi.org/10.1007/978-3-662-47401-3_45

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-47400-6

  • Online ISBN: 978-3-662-47401-3

  • eBook Packages: Computer Science, Computer Science (R0)