KIT | KIT-Bibliothek | Impressum | Datenschutz

Attacks on Dynamic Protocol Detection of Open Source Network Security Monitoring Tools

Grashöfer, Jan; Titze, Christian; Hartenstein, Hannes

Abstract (englisch):

Protocol detection is the process of determining the application layer protocol in the context of network security monitoring, which requires a timely and precise decision to enable protocol-specific deep packet inspection. This task has proven to be complex, as isolated characteristics like port numbers are not sufficient to reliably determine the application layer protocol. Hence, more dynamic detection approaches have been developed. In this paper, we analyze the Dynamic Protocol Detection mechanisms employed by popular and widespread open-source network monitoring tools. We show on the example of HTTP that all analyzed detection mechanisms are vulnerable to evasion attacks, which pose a serious threat to real-world monitoring operations. We find that the underlying fundamental problem of protocol disambiguation is not adequately addressed in two of three monitoring systems that we analyzed. To enable adequate operational decisions, this paper highlights the inherent trade-offs within Dynamic Protocol Detection.


Volltext §
DOI: 10.5445/IR/1000100823
Cover der Publikation
Zugehörige Institution(en) am KIT Institut für Telematik (TM)
Kompetenzzentrum für angewandte Sicherheitstechnologie (KASTEL)
Publikationstyp Forschungsbericht/Preprint
Publikationsjahr 2019
Sprache Englisch
Identifikator KITopen-ID: 1000100823
Vorab online veröffentlicht am 09.12.2019
Nachgewiesen in arXiv
Relationen in KITopen
KIT – Die Forschungsuniversität in der Helmholtz-Gemeinschaft
KITopen Landing Page