Abstract
With the development of computer networks, security has become more and more important. Intrusion Detection Systems (IDS) and firewalls are used to detect and block malicious applications and specific protocols. As a result, some malicious applications begin to mimic common application protocols or obfuscate themselves to escape detection, which is called network evasion. Evasion seriously endangers Internet security, so a method to detect network evasion and protocol obfuscation behaviour is needed. In this paper, we analyze and list some common network evasion techniques and protocol obfuscation examples. We propose a method based on measurement and statistics to find protocol obfuscation behaviour, taking web crawlers as an example. We measured a large volume of traffic in a real high-speed network and found differences in statistical characteristics between Google web crawlers and private web crawlers. A model is proposed to detect obfuscation by web crawlers. With this model, we found some web crawlers exhibiting protocol obfuscation behaviour. We believe this method is useful for discovering and verifying other behaviours of network evasion and protocol obfuscation.
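The abstract describes a measurement-and-statistics approach: build a statistical profile of traffic from verified Google crawlers, then flag sources that claim the same identity but deviate from that profile. The following is an added illustration of that idea and is not the paper's code; the two features (mean inter-request gap and distinct-path ratio), the z-score threshold, and the request records are all assumptions constructed here for the example.

```python
"""Statistical check for crawlers that claim a well-known identity.

Added example, not the paper's own implementation. Feature set, threshold
and all sample records are assumptions/constructed data.
"""
import statistics
from collections import defaultdict


def make_source(source_id, claimed, start, interval, n, distinct_paths):
    """Constructed traffic: n requests from one source, fixed spacing,
    cycling over `distinct_paths` different URLs."""
    return [(source_id, claimed, start + i * interval, f"/page{i % distinct_paths}")
            for i in range(n)]


# Constructed records: (source_id, claimed_identity, timestamp_s, path).
# "base-*" sources are treated as verified Google crawlers (the baseline);
# "claim-*" sources present themselves as Googlebot and must be checked.
RECORDS = (
    make_source("base-1", "Googlebot", 0.0, 2.0, 20, 20)
    + make_source("base-2", "Googlebot", 5.0, 2.5, 20, 19)
    + make_source("base-3", "Googlebot", 3.0, 1.8, 20, 18)
    + make_source("claim-1", "Googlebot", 0.0, 0.1, 20, 4)    # fast and repetitive
    + make_source("claim-2", "Googlebot", 0.0, 2.2, 20, 20)   # behaves like baseline
)
VERIFIED = {"base-1", "base-2", "base-3"}


def features(reqs):
    """Per-source statistics (assumed feature set for this example)."""
    times = sorted(t for _, _, t, _ in reqs)
    gaps = [b - a for a, b in zip(times, times[1:])]
    paths = {p for _, _, _, p in reqs}
    return {
        "mean_gap": statistics.mean(gaps),           # seconds between requests
        "distinct_ratio": len(paths) / len(reqs),    # share of unique URLs
    }


def group_by_source(records):
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec[0]].append(rec)
    return by_src


def baseline(by_src, verified):
    """Mean and sample stdev of each feature over the verified crawlers."""
    rows = [features(by_src[s]) for s in sorted(verified)]
    return {k: (statistics.mean(r[k] for r in rows),
                statistics.stdev(r[k] for r in rows)) for k in rows[0]}


def zscores(feat, base, eps=1e-9):
    """Distance of one source's features from the baseline, in stdev units."""
    return {k: abs(feat[k] - mu) / max(sigma, eps) for k, (mu, sigma) in base.items()}


def flag_obfuscated(records, verified, claimed="Googlebot", threshold=3.0):
    """Return {source_id: flagged} for unverified sources claiming `claimed`.
    A source is flagged when any feature lies more than `threshold` stdevs
    from the verified-crawler baseline (threshold is an assumption)."""
    by_src = group_by_source(records)
    base = baseline(by_src, verified)
    results = {}
    for src, reqs in by_src.items():
        if src in verified or reqs[0][1] != claimed:
            continue
        z = zscores(features(reqs), base)
        results[src] = max(z.values()) > threshold
    return results


if __name__ == "__main__":
    print(flag_obfuscated(RECORDS, VERIFIED))
```

In this constructed data the baseline mean gap is about 2.1 s and the distinct-path ratio about 0.95, so `claim-1` (0.1 s gaps, four URLs repeated) is flagged while `claim-2` is not. A real deployment would derive the baseline from traffic whose origin has been verified out of band and would choose features and thresholds from measured distributions rather than the fixed values assumed here.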
Acknowledgements
This work is supported by the National Science and Technology Support Program (No. 2012BAH46B02, No. 2012BAH45B01); the National High Technology Research and Development Program (863 Program) of China (No. 2011AA010703); the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDA06030200).
© 2015 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bai, Q., Xiong, G., Zhao, Y. (2015). Find Behaviors of Network Evasion and Protocol Obfuscation Using Traffic Measurement. In: Yueming, L., Xu, W., Xi, Z. (eds) Trustworthy Computing and Services. ISCTCS 2014. Communications in Computer and Information Science, vol 520. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47401-3_45
DOI: https://doi.org/10.1007/978-3-662-47401-3_45
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-47400-6
Online ISBN: 978-3-662-47401-3
eBook Packages: Computer Science (R0)