A Policy-based Framework for Privacy-respecting Deep Packet Inspection in TLS Implementations

Date

2019-01-01

Department

Computer Science and Electrical Engineering

Program

Engineering, Computer

Rights

Distribution Rights granted to UMBC by the author.
Access limited to the UMBC community. Item may possibly be obtained via Interlibrary Loan through a local library, pending author/copyright holder's permission.
This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.

Abstract

Deep Packet Inspection (DPI) is instrumental in investigating the presence of malicious activity in network traffic, and most existing DPI tools work on unencrypted payloads. As the internet moves towards fully encrypted data transfer, there is a critical requirement for privacy-aware techniques to efficiently decrypt network payloads. With the introduction of the TLS 1.3 standard, which only supports protocols with Perfect Forward Secrecy (PFS), many existing decryption techniques used for further DPI analysis will become ineffective. We have developed an ABAC (Attribute Based Access Control) framework that efficiently supports existing DPI tools while respecting users' privacy requirements and organizational policies. It gives the user the ability to accept or decline an access decision based on their privileges. Our solution evaluates various observed and derived meta-characteristics of network connections against user access privileges, using policies described with semantic technologies. Network meta-characteristics such as IP intelligence are among the many attributes that can be used in defining access control policies. We also present Dynamic Attribute based Reputation (DAbR), a Euclidean-distance-based technique that generates reputation scores for IP addresses by assimilating meta-data from known bad IP addresses. This approach is based on our observation that many bad IPs share similar attributes, and on the requirement for a lightweight technique for reputation scoring. DAbR generates reputation scores for IP addresses on a 0-10 scale that represents an address's trustworthiness based on known bad IP address attributes. To evaluate DAbR, we calculated reputation scores on a dataset of 87k IP addresses and used them to classify IP addresses as good or bad based on a threshold. An F1 score of 78% in this classification task demonstrates our technique's performance.
The reputation scores, when used in conjunction with the policy enforcement module, can provide high-performance, non-privacy-invasive malicious traffic filtering. In this thesis, we also describe our framework and demonstrate the efficacy of our technique with the help of use-case scenarios that identify network connections that are candidates for Deep Packet Inspection. Since our overall ABAC technique selectively identifies connections based on policies, both processing and memory load at the gateway will be reduced significantly.
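As an added illustration (not the thesis's code), the following toy DAbR-style scorer shows the pipeline the abstract describes: attribute vectors for IP addresses, a Euclidean distance to known bad IPs mapped onto the 0-10 scale, a threshold that decides which connections become DPI candidates, and the F1 score of that classification. The attribute names, their normalisation, the use of the nearest known-bad vector, the 0 = bad / 10 = trustworthy orientation and all sample values are assumptions constructed for this example.

```python
import math

# Constructed sample data (not from the thesis). Each IP is described by three
# attributes normalised to [0, 1]; the attribute choice, the normalisation and the
# nearest-neighbour distance are assumptions made for this illustration.
# Order: (fraction of scanned ports open, abuse rate of owning ASN, 1 - age).
KNOWN_BAD = {
    "198.51.100.7": (0.9, 0.8, 0.1),
    "198.51.100.9": (0.8, 0.9, 0.2),
    "203.0.113.45": (0.7, 0.7, 0.1),
}

def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def reputation_score(attrs, known_bad=KNOWN_BAD):
    """Distance to the nearest known-bad vector, mapped onto the 0-10 scale.
    Assumed orientation: 0 = indistinguishable from a known bad IP, 10 = as far
    away as the unit cube allows (sqrt(dim) is the largest possible distance)."""
    d_min = min(euclidean(attrs, bad) for bad in known_bad.values())
    return round(10 * min(d_min / math.sqrt(len(attrs)), 1.0), 2)

def classify(attrs, threshold=4.0):
    """Below the threshold the connection becomes a DPI candidate ('bad')."""
    return "bad" if reputation_score(attrs) < threshold else "good"

def f1_score(labels, preds, positive="bad"):
    """F1 for the 'bad' class, the metric the abstract reports."""
    tp = sum(1 for l, p in zip(labels, preds) if l == p == positive)
    fp = sum(1 for l, p in zip(labels, preds) if l != positive and p == positive)
    fn = sum(1 for l, p in zip(labels, preds) if l == positive and p != positive)
    if tp == 0:
        return 0.0
    precision, recall = tp / (tp + fp), tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)

# Constructed labelled evaluation set; the last entry is deliberately borderline.
EVAL = [
    ((0.85, 0.85, 0.15), "bad"),
    ((0.10, 0.05, 0.90), "good"),
    ((0.75, 0.60, 0.30), "bad"),
    ((0.20, 0.30, 0.80), "good"),
    ((0.50, 0.50, 0.50), "good"),
]

def evaluate(threshold=4.0):
    """F1 of threshold classification over EVAL; shows how the cut-off trades
    false positives against missed bad IPs."""
    preds = [classify(attrs, threshold) for attrs, _ in EVAL]
    return f1_score([label for _, label in EVAL], preds)
```

With the constructed set, a cut-off of 4.0 flags the borderline address as a DPI candidate and drops F1 to 0.8, while 2.0 classifies every entry correctly; the threshold is the knob that trades inspection load against missed bad IPs.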