A Policy-based Framework for Privacy-respecting Deep Packet Inspection in TLS Implementations

Abstract

Deep Packet Inspection (DPI) is instrumental in investigating the presence of malicious activity in network traffic, and most existing DPI tools work on unencrypted payloads. As the internet is moving towards fully encrypted data-transfer, there is a critical requirement for privacy-aware techniques to efficiently decrypt network payloads. With the introduction of TLS 1.3 standard that only supports protocols with Perfect Forward Secrecy (PFS), many existing techniques for decryption to do further DPI analysis will become ineffective. We have developed an ABAC (Attribute Based Access Control) framework that efficiently supports existing DPI tools while respecting user's privacy requirements and organizational policies. It gives the user the ability to accept or decline access decision based on his privileges. Our solution evaluates various observed and derived meta-characteristics of network connections against user access privileges using policies described with semantic technologies. Network meta-characteristics like IP intelligence is one of the many attributes that can be used in defining access control policies. We also present Dynamic Attribute based Reputation (DAbR), a Euclidean distance based technique, to generate reputation scores for IP addresses by assimilating meta-data from known bad IP addresses. This approach is based on our observation that many bad IP's share similar attributes and the requirement for a lightweight technique for reputation scoring. DAbR generates reputation scores for IP addresses on a 0-10 scale which represents its trustworthiness based on known bad IP address attributes. To evaluate DAbR, we calculated reputation scores on a dataset of 87k IP addresses and used them to classify IP addresses as good/bad based on a threshold. An F-1 score of 78% in this classification task demonstrates our technique's performance. The reputation scores when used in conjunction with the policy enforcement module, can provide high performance and non privacy-invasive malicious traffic filtering. In this theses, we also describe our framework and demonstrate the efficacy of our technique with the help of use-case scenarios to identify network connections that are candidates for Deep Packet Inspection. Since our overall ABAC technique makes selective identification of connections based on policies, both processing and memory load at the gateway will be reduced significantly.