Revisiting QUIC attacks: A comprehensive review on QUIC security and a hands-on study

Chatzoglou, Efstratios; Kouliaridis, Vasileios; Καρόπουλος, Γεώργιος; Kambourakis, Georgios

doi:10.21203/rs.3.rs-1676730/v1

Cited by 5 publications

(10 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This may seem unusual, given that this work does concentrate on the detection of application layer attacks. The basic reason behind this choice is that, typically, the application features are encrypted (and thus not available) due to, say, a TLS tunnel [ 30 ] or other mechanisms [ 31 ], including encrypted DNS [ 32 ]. Additionally, in certain cases, e.g., SSH, the traffic cannot be decrypted.…”

Section: Feature Selection and Data Preprocessingmentioning

confidence: 99%

Best of Both Worlds: Detecting Application Layer Attacks through 802.11 and Non-802.11 Features

Chatzoglou

Kambourakis

Smiliotopoulos

et al. 2022

Sensors

Self Cite

View full text Add to dashboard Cite

Intrusion detection in wireless and, more specifically, Wi-Fi networks is lately increasingly under the spotlight of the research community. However, the literature currently lacks a comprehensive assessment of the potential to detect application layer attacks based on both 802.11 and non-802.11 network protocol features. The investigation of this capacity is of paramount importance since Wi-Fi domains are often used as a stepping stone by threat actors for unleashing an ample variety of application layer assaults. In this setting, by exploiting the contemporary AWID3 benchmark dataset along with both shallow and deep learning machine learning techniques, this work attempts to provide concrete answers to a dyad of principal matters. First, what is the competence of 802.11-specific and non-802.11 features when used separately and in tandem in detecting application layer attacks, say, website spoofing? Second, which network protocol features are the most informative to the machine learning model for detecting application layer attacks? Without relying on any optimization or dimensionality reduction technique, our experiments, indicatively exploiting an engineered feature, demonstrate a detection performance up to 96.7% in terms of the Area under the ROC Curve (AUC) metric.

show abstract

Section: Feature Selection and Data Preprocessingmentioning

confidence: 99%

Best of Both Worlds: Detecting Application Layer Attacks through 802.11 and Non-802.11 Features

Chatzoglou

Kambourakis

Smiliotopoulos

et al. 2022

Sensors

Self Cite

View full text Add to dashboard Cite

show abstract

“…For the hands-on evaluation, we reused the contemporary testbed given in § 5.1 of [46]. Precisely, this testbed is composed of the currently six most popular QUIC-and HTTP/3-enabled server implementations, namely OpenLiteSpeed, Caddy, NGINX, H2O, IIS, and Cloudflare.…”

Section: Hands On Evaluationmentioning

confidence: 99%

“…As already pointed out, in the context of this work, and in view of the results presented in Section 3 and in § 5.2 of [46], we create the first to our knowledge dataset considering attacks on HTTP/2, HTTP/3, and QUIC. A preliminary evaluation of the dataset by means of legacy Machine Learning methods is also offered.…”

Section: Datasetmentioning

confidence: 99%

“…• The quic-flooding, quic-encapsulation, quic-loris, and quic-fuzz assaults introduced in § 5.2 of [46].…”

Section: Datasetmentioning

confidence: 99%

“…This means that some attacks contain different public IP addresses for the same clients. Regarding the configuration of each deployed server, the interested reader is referred to § 5.1 of [46]. Note that IIS 10, H2O, and Caddy enable HTTP/2 by default.…”

Section: Testbedmentioning

confidence: 99%

See 2 more Smart Citations

A hands-on gaze on HTTP/3 security through the lens of HTTP/2 and a public dataset

Chatzoglou¹,

Kouliaridis²,

Kambourakis³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Following QUIC protocol ratification on May 2021, the third major version of the Hypertext Transfer Protocol, namely HTTP/3, was published around one year later in RFC 9114. In light of these consequential advancements, the current work aspires to provide a full-blown coverage of the following issues, which to our knowledge have received feeble or no attention in the literature so far. First, we provide a complete review of attacks against HTTP/2, and elaborate on if and in which way they can be migrated to HTTP/3. Second, through the creation of a testbed comprising the at present six most popular HTTP/3-enabled servers, we examine the effectiveness of a quartet of attacks, either stemming directly from the HTTP/2 relevant literature or being entirely new. This scrutiny led to the assignment of at least one CVE ID with a critical base score by MITRE. No less important, by capitalizing on a realistic, abundant in devices testbed, we compiled a voluminous, labeled corpus containing traces of ten diverse attacks against HTTP and QUIC services. An initial evaluation of the dataset mainly by means of machine learning techniques is included as well. Given that the 30 GB dataset is made available in both pcap and CSV formats, forthcoming research can easily take advantage of any subset of features, contingent upon the specific network topology and configuration.

show abstract

Event-Flow Correlation for Anomaly Detection in HTTP/3 Web Traffic

Špaček

Velan

Holkovič

et al. 2023

NOMS 2023-2023 IEEE/IFIP Network Operations and Management Symposium

View full text Add to dashboard Cite

The new HTTP/3 protocol for web traffic was recently released, superseding the widely used HTTP/2. It now supports exclusively encrypted transmissions and brings a lot of other changes. Many of these changes promote user privacy but hinder security monitoring of network traffic. In the past, the direct correlation of events and flows generated by the HTTP/2 web traffic enriched the encrypted network flows with the content from the web server's event log. In this paper, we modify the event-flow correlation method for the HTTP/3 protocol. Then, we deploy and evaluate the correlation method on a real traffic dataset. We compare the results of the correlation with the results for HTTP/2 and discuss the differences in the correlation of the new protocol compared to the original one. The results show that event-flow correlation can still enrich HTTP/3 network flows, albeit it introduces new challenges to cope with.

show abstract

Revisiting QUIC attacks: A comprehensive review on QUIC security and a hands-on study

Cited by 5 publications

References 33 publications

Best of Both Worlds: Detecting Application Layer Attacks through 802.11 and Non-802.11 Features

Best of Both Worlds: Detecting Application Layer Attacks through 802.11 and Non-802.11 Features

A hands-on gaze on HTTP/3 security through the lens of HTTP/2 and a public dataset

Event-Flow Correlation for Anomaly Detection in HTTP/3 Web Traffic

Contact Info

Product

Resources

About