-
ML-based tunnel detection and tunneled application classification
Authors:
Johan Mazel,
Matthieu Saudrais,
Antoine Hervieu
Abstract:
Encrypted tunneling protocols are widely used. Beyond business and personal uses, malicious actors also deploy tunneling to hinder the detection of Command and Control and data exfiltration. A common approach to maintain visibility on tunneling is to rely on network traffic metadata and machine learning to analyze tunnel occurrence without actually decrypting data. Existing work that address tunne…
▽ More
Encrypted tunneling protocols are widely used. Beyond business and personal uses, malicious actors also deploy tunneling to hinder the detection of Command and Control and data exfiltration. A common approach to maintain visibility on tunneling is to rely on network traffic metadata and machine learning to analyze tunnel occurrence without actually decrypting data. Existing work that address tunneling protocols however exhibit several weaknesses: their goal is to detect application inside tunnels and not tunnel identification, they exhibit limited protocol coverage (e.g. OpenVPN and Wireguard are not addressed), and both inconsistent features and diverse machine learning techniques which makes performance comparison difficult.
Our work makes four contributions that address these limitations and provide further analysis. First, we address OpenVPN and Wireguard. Second, we propose a complete pipeline to detect and classify tunneling protocols and tunneled applications. Third, we present a thorough analysis of the performance of both network traffic metadata features and machine learning techniques. Fourth, we provide a novel analysis of domain generalization regarding background untunneled traffic, and, both domain generalization and adversarial learning regarding Maximum Transmission Unit (MTU).
△ Less
Submitted 25 January, 2022;
originally announced January 2022.
-
Dynamically Modelling Heterogeneous Higher-Order Interactions for Malicious Behavior Detection in Event Logs
Authors:
Corentin Larroche,
Johan Mazel,
Stephan Clémençon
Abstract:
Anomaly detection in event logs is a promising approach for intrusion detection in enterprise networks. By building a statistical model of usual activity, it aims to detect multiple kinds of malicious behavior, including stealthy tactics, techniques and procedures (TTPs) designed to evade signature-based detection systems. However, finding suitable anomaly detection methods for event logs remains…
▽ More
Anomaly detection in event logs is a promising approach for intrusion detection in enterprise networks. By building a statistical model of usual activity, it aims to detect multiple kinds of malicious behavior, including stealthy tactics, techniques and procedures (TTPs) designed to evade signature-based detection systems. However, finding suitable anomaly detection methods for event logs remains an important challenge. This results from the very complex, multi-faceted nature of the data: event logs are not only combinatorial, but also temporal and heterogeneous data, thus they fit poorly in most theoretical frameworks for anomaly detection. Most previous research focuses on either one of these three aspects, building a simplified representation of the data that can be fed to standard anomaly detection algorithms. In contrast, we propose to simultaneously address all three of these characteristics through a specifically tailored statistical model. We introduce \textsc{Decades}, a \underline{d}ynamic, h\underline{e}terogeneous and \underline{c}ombinatorial model for \underline{a}nomaly \underline{d}etection in \underline{e}vent \underline{s}treams, and we demonstrate its effectiveness at detecting malicious behavior through experiments on a real dataset containing labelled red team activity. In particular, we empirically highlight the importance of handling the multiple characteristics of the data by comparing our model with state-of-the-art baselines relying on various data representations.
△ Less
Submitted 28 June, 2022; v1 submitted 29 March, 2021;
originally announced March 2021.
-
Identifying and characterizing ZMap scans: a cryptanalytic approach
Authors:
Johan Mazel,
Rémi Strullu
Abstract:
Network scanning tools play a major role in Internet security. They are used by both network security researchers and malicious actors to identify vulnerable machines exposed on the Internet. ZMap is one of the most common probing tools for high-speed Internet-wide scanning. We present novel identification methods based on the IPv4 iteration process of ZMap. These methods can be used to identify Z…
▽ More
Network scanning tools play a major role in Internet security. They are used by both network security researchers and malicious actors to identify vulnerable machines exposed on the Internet. ZMap is one of the most common probing tools for high-speed Internet-wide scanning. We present novel identification methods based on the IPv4 iteration process of ZMap. These methods can be used to identify ZMap scans with a small number of addresses extracted from the scan. We conduct an experimental evaluation of these detection methods on synthetic, network telescope, and backbone traffic. We manage to identify 28.5% of the ZMap scans in real-world traffic. We then perform an in-depth characterization of these scans regarding, for example, targeted prefix and probing speed.
△ Less
Submitted 13 August, 2019; v1 submitted 12 August, 2019;
originally announced August 2019.
-
A comparison of web privacy protection techniques
Authors:
Johan Mazel,
Richard Garnier,
Kensuke Fukuda
Abstract:
A comparison of web privacy protection techniques
A comparison of web privacy protection techniques
△ Less
Submitted 19 December, 2017;
originally announced December 2017.