MDiET: Malware Detection in Encrypted Traffic

Schoinianakis, Dimitrios; Goetze, Norbert; Lehmann, Gerald

doi:10.14236/ewic/icscsr19.4

Cited by 1 publication

(1 citation statement)

References 1 publication

(1 reference statement)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Besides attacks, fingerprinting techniques have also found applications in malware detection in network settings [23], [16], [24], [25], [26]. Network administrators employ fingerprinting techniques to identify malware based on the TLS channels it establishes with its remote command & control servers (e.g., botnets using Twitter profiles to receive commands from their controllers [27], [28], [29], [30], [31]).…”

Section: Introductionmentioning

confidence: 99%

Adaptive Traffic Fingerprinting: Large-scale Inference under Realistic Assumptions

Mavroudis,

Hayes

2020

Preprint

View full text Add to dashboard Cite

The widespread adoption of encrypted communications (e.g., the TLS protocol, the Tor anonymity network) fixed several critical security flaws and shielded the end-users from adversaries intercepting their transmitted data. While these protocols are very effective in protecting the confidentiality of the users' data (e.g., credit card numbers), it has been shown that they are prone (to different degrees) to adversaries aiming to breach the users' privacy. Traffic fingerprinting attacks allow an adversary to infer the webpage or the website loaded by a user based only on patterns in the user's encrypted traffic. In fact, many recent works managed to achieve a very high classification accuracy under optimal conditions for the adversary. This paper revisits the "optimality" assumptions made by those works and discusses various additional parameters that should be considered when evaluating a fingerprinting model. We propose three realistic scenarios simulating non-optimal fingerprinting conditions where various factors could affect the adversary's performance or operation. We then introduce a novel adaptive fingerprinting adversary and experimentally evaluate its accuracy and operation. Our experiments show that adaptive adversaries can reliably uncover the webpage visited by a user among several thousand potential pages, even under considerable distributional shift (e.g., the webpage contents change significantly over time). Such adversaries could infer the products a user browses on shopping websites or log the browsing habits of state dissidents on online forums and encyclopedias. Our technique achieves ∼90% accuracy in a top-15 setting where the model distinguishes the article visited out of 6,000 Wikipedia webpages, while the same model achieves ∼80% accuracy in a dataset of 13,000 classes that were not included in the training set."The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications."Similarly, privacy is also mentioned in a variety of articles

show abstract