Title | Attacks on Dynamic Protocol Detection of Open Source Network Security Monitoring Tools |
Publication Type | Conference Paper |
Year of Publication | 2020 |
Authors | Grashöfer, J., Titze, C., Hartenstein, H. |
Conference Name | 2020 IEEE Conference on Communications and Network Security (CNS) |
Keywords | application layer protocol, Communication networks, composability, Conferences, dynamic networks, Dynamic Protocol Detection mechanisms, HTTP, Inspection, Intrusion detection, Metrics, Monitoring, monitoring systems, Network security, Protocol detection, protocol disambiguation, protocol-specific deep packet inspection, Protocols, pubcrawl, public domain software, real-world monitoring operations, resilience, Resiliency, security of data, source network monitoring tools, transport protocols, Web servers, widespread open-source network monitoring tools |
Abstract | Protocol detection is the process of determining the application layer protocol in the context of network security monitoring, which requires a timely and precise decision to enable protocol-specific deep packet inspection. This task has proven to be complex, as isolated characteristics, like port numbers, are not sufficient to reliably determine the application layer protocol. In this paper, we analyze the Dynamic Protocol Detection mechanisms employed by popular and widespread open-source network monitoring tools. Using HTTP as an example, we show that all analyzed detection mechanisms are vulnerable to evasion attacks. This poses a serious threat to real-world monitoring operations. We find that the underlying fundamental problem of protocol disambiguation is not adequately addressed in two of the three monitoring systems that we analyzed. To enable adequate operational decisions, this paper highlights the inherent trade-offs within Dynamic Protocol Detection. |
DOI | 10.1109/CNS48642.2020.9162332 |
Citation Key | grashofer_attacks_2020 |