DNSxP: Enhancing data exfiltration protection through data plane programmability

Steadman, Jacob; Scott-Hayward, Sandra

doi:10.1016/j.comnet.2021.108174

Cited by 8 publications

(4 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Once the DoH packets have been successfully extracted from HTTPS traffic, feature analysis is performed to determine, which features are still relevant within encrypted traffic to distinguish malicious traffic from benign. In our previous work [25], five key features were identified to distinguish between malicious and benign DNS traffic. These are shown in Table II.…”

Section: Identifying Features For Doh Data Exfiltration Detectionmentioning

confidence: 99%

“…In this section, an extension to the DNSxP architecture, originally presented in [25], is proposed to enable the handling of DoH traffic. The DoHxP architecture is composed of three main modules; the eBPF labeller attached to the interface of the first switch adjacent to the network hosts, the P4 mirror implemented as the first adjacent switch for hosts within the network, and the ONOS monitor application installed at the network's SDN controller.…”

Section: Dohxp System Architecturementioning

confidence: 99%

See 1 more Smart Citation

Detecting Data Exfiltration over Encrypted DNS

Steadman

Scott-Hayward

2022

2022 IEEE 8th International Conference on Network Softwarization (NetSoft)

Self Cite

View full text Add to dashboard Cite

Data breaches linked to individual and company information are exposed on an almost daily basis. With increasing media attention and visibility of this security issue, users are becoming more aware of privacy concerns related to their activity on the Internet. Fundamental to the operation of the Internet is the Domain Name System (DNS), which translates domain names to IP addresses enabling easy web browsing. Encrypted DNS has become popular to increase user privacy by ensuring that activity transmitted over domain queries is not visible to intermediary network devices between the client and the DNS endpoint. Unfortunately, this undermines the security services designed to analyse DNS traffic for the detection of exploitation of DNS for use as a covert communication and data exfiltration channel. In this work, we propose a solution, DoHxP, to enable protection of DNS over HTTPS (DoH) traffic from data exfiltration without compromising user privacy. Our results show that DoHxP successfully prevents up to 99.88% of the malicious DoH traffic from being transmitted outside of the network.

show abstract

Section: Identifying Features For Doh Data Exfiltration Detectionmentioning

confidence: 99%

Section: Dohxp System Architecturementioning

confidence: 99%

Detecting Data Exfiltration over Encrypted DNS

Steadman

Scott-Hayward

2022

2022 IEEE 8th International Conference on Network Softwarization (NetSoft)

Self Cite

View full text Add to dashboard Cite

show abstract

“…data exfiltration), current BPF-based solutions (e.g. [38]) focus on detection or dropping of suspect packets, rather than scrubbing. Additionally, we assume that an attacker wishes to hide their modifications from the network control plane, which can monitor the compromised switch by tracking how it handles probe packets.…”

Section: Threat Modelmentioning

confidence: 99%

Investigating the Vulnerability of Programmable Data Planes to Static Analysis-Guided Attacks

Black

Scott-Hayward

2022

2022 IEEE 8th International Conference on Network Softwarization (NetSoft)

Self Cite

View full text Add to dashboard Cite

Programmable network data planes are paving the way for networking innovations, with the ability to perform complex, stateful tasks defined in high-level languages such as P4. The enhanced capabilities of programmable data plane devices has made verification of their runtime behaviour, using established methods such as probe packets, impossible to scale beyond probabilistic detection. This has created a potential opportunity for an attacker, with access to a compromised device, to subtly alter its forwarding program to mishandle only a small subset of packets, evading probabilistic detection. In practice, such subtle binary instrumentation attacks require extensive knowledge of the forwarding program, yet it is unclear whether a static analysis of compiled P4 programs to obtain this knowledge can be fast and accurate enough for an on-device attack scenario. In this work, we investigate this possibility by implementing a static analysis of P4 programs compiled to BPF bytecode. This analysis gathers sufficient information for the attacker to identify appropriate (reliably correct) edits to the program. We found that, due to predictable compiler behaviours, our analysis remains accurate even when several program behaviours are abstracted away. Our evaluation of the analysis requirements shows that, from a defensive perspective, there is scope for selectively manipulating those instructions in P4-BPF programs that are critical to attack-focused analysis in order to increase its difficulty, without increasing the number of program instructions.

show abstract

“…With the rapid development and widespread application of cloud computing technology, more and more enterprises and individuals are storing and migrating data to cloud environments [1]. However, in this environment, network terminals are facing increasingly complex and diverse security threats, such as data leaks, malicious software attacks, and so on.…”

Section: Introductionmentioning

confidence: 99%

Design of network terminal data security protection system in cloud computing environment

Liu,

Li,

Jiao

et al. 2024

Fourth International Conference on Sensors and Information Technology (ICSI 2024)

View full text Add to dashboard Cite

In the cloud computing environment, network terminal data has the characteristics of large quantity and real-time changes. In order to ensure the security of network terminal data, a network terminal data security protection system is designed in the cloud computing environment. The system includes hardware modules such as intrusion detection, vulnerability scanning, and cloud security management, which can ensure that only authorized users can access data and achieve recognition and prevention of malicious behavior. On the basis of hardware design, a hybrid encryption algorithm is adopted to encrypt network terminal data, further improving system performance and security, and protecting data security in cloud computing environments. The experimental test results show that the system has a low false alarm rate, a high malicious attack blocking rate, and a malicious attack detection rate, which can effectively ensure the security of network terminal data.

show abstract

DNSxP: Enhancing data exfiltration protection through data plane programmability

Cited by 8 publications

References 23 publications

Detecting Data Exfiltration over Encrypted DNS

Detecting Data Exfiltration over Encrypted DNS

Investigating the Vulnerability of Programmable Data Planes to Static Analysis-Guided Attacks

Design of network terminal data security protection system in cloud computing environment

Contact Info

Product

Resources

About