
Research On The Key Issues In Evasive Network Attack Detection

Posted on: 2016-06-25
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z G Cao
Full Text: PDF
GTID: 1108330482957815
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of information technology and the integration of multiple heterogeneous networks, every industry has become far more dependent on networks. Driven by political and economic interests, cyber attacks and information theft carried out through botnets and Trojans have increased rapidly in recent years, as have infiltrations of and intrusions into network infrastructure and state-sponsored advanced persistent threats. Covert cyber attacks and information theft have therefore spread from individuals to finance, communications, energy, aviation, transportation and other sectors, posing severe risks to citizens, businesses and national information security. Following the related academic literature, we use the term Evasive Network Attacks (ENA) for sophisticated, evasive attacks that rely on network-based control and aim to steal confidential information or to keep long-term control and sabotage capability. Detecting ENA is of great significance for protecting national information infrastructure and social stability, fighting cybercrime, and improving attack attribution. Based on an analysis of current research and of the techniques urgently needed by industry, we study the key issues in evasive network attack detection. The main results are as follows.

On the accurate identification of encrypted service traffic, we summarize the latest advances in the field and propose a real-time, precise detection scheme for SSL/TLS communications based on deep inspection of protocol message formats and validation of protocol state transitions. The scheme meets the need for fast detection of encrypted flows in high-speed networks and in adversarial scenarios where the attacker tries to evade detection.

On the discovery of malicious behavior in encrypted services, we apply data mining to large-scale measurements of network behavior to detect privacy leakage and malicious services.
First, we propose an active measurement scheme driven by passive NetFlow logs to carry out X.509-certificate-oriented measurement of SSL/TLS services, which approximately recovers large-scale user behavior. Then, on the measured data, we use similarity measures over self-signed certificate attributes together with correlation analysis to expose server-side privacy leakage in HTTPS, which is useful for discovering new application services and certain kinds of malicious encrypted communication. Unlike the mainstream fine-grained behavior identification methods that rely on statistical fingerprints of encrypted web browsing, our approach is practical for large datasets.

On the detection of evasive malicious behavior inside SSL/TLS channels, we present a combined anomaly metric based on certificate credibility and domain reputation to discover suspicious evasive attack channels. The metric is derived from simple rules, the security attributes of certificates, the anonymity of certain certificate fields, server domain ranking, and reverse DNS lookup results. Experiments on three public datasets show that the method is effective at detecting mimicked and malicious SSL/TLS communications. As a further step, we use active service discovery to filter out normal, benign services, reducing the false positive rate for practical use.
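As an added illustration of the combined anomaly metric described above (example code written for this page, not the dissertation's own implementation), the block below folds the inputs the abstract names into one score: certificate credibility (self-signed or not), security attributes (validity window, key size), anonymity of subject fields, server domain ranking, and the reverse DNS answer for the server IP. The two certificate records, the domain ranking, the reverse-DNS table, the rule weights and the decision threshold are all constructed or assumed for the example; a deployment would derive them from its own large-scale measurements.

```python
"""Rule-based credibility score for server certificates seen in SSL/TLS flows.

Added illustration, not the dissertation's code. The certificate records,
domain ranking, reverse-DNS table, rule weights and threshold are constructed
or assumed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CertFacts:
    """Fields a passive sensor would record from a server certificate."""
    subject_cn: str
    subject_org: str
    issuer_cn: str
    self_signed: bool
    not_before: datetime
    not_after: datetime
    key_bits: int
    san: tuple = ()


# Constructed context data: domain popularity ranking (1 = most visited) and
# reverse-DNS answers for server IPs (None = no PTR record).
DOMAIN_RANK = {"www.example.com": 1, "example.com": 2, "mail.example.com": 3}
REVERSE_DNS = {"203.0.113.10": "www.example.com", "203.0.113.77": None}

# Subject CN values that reveal nothing about the operator (assumed list).
ANONYMOUS_CNS = {"", "localhost", "test", "example", "ssl", "default", "server"}

# Assumed rule weights and decision threshold.
RULE_WEIGHTS = {
    "self_signed": 3,        # certificate credibility
    "anonymous_subject": 2,  # anonymity of certificate fields
    "bad_validity": 2,       # security attribute: lifetime / clock sanity
    "weak_key": 1,           # security attribute: key size
    "unranked_domain": 2,    # domain reputation
    "rdns_mismatch": 2,      # reverse DNS of the server IP
}
SUSPICIOUS_THRESHOLD = 5
MAX_LIFETIME = timedelta(days=5 * 365)


def cert_names(cert):
    """All host names the certificate claims, lower-cased."""
    names = {cert.subject_cn.lower()} | {n.lower() for n in cert.san}
    names.discard("")
    return names


def fired_rules(cert, server_ip, seen_at):
    """Return the names of the rules the certificate/server pair triggers."""
    fired = []
    if cert.self_signed:
        fired.append("self_signed")
    if cert.subject_cn.lower() in ANONYMOUS_CNS and not cert.subject_org:
        fired.append("anonymous_subject")
    if (cert.not_before > seen_at or cert.not_after < seen_at
            or cert.not_after - cert.not_before > MAX_LIFETIME):
        fired.append("bad_validity")
    if cert.key_bits < 2048:
        fired.append("weak_key")
    names = cert_names(cert)
    if not any(name in DOMAIN_RANK for name in names):
        fired.append("unranked_domain")
    ptr = REVERSE_DNS.get(server_ip)
    if ptr is None or ptr.lower() not in names:
        fired.append("rdns_mismatch")
    return fired


def anomaly_score(cert, server_ip, seen_at):
    """Sum the weights of the fired rules; higher means less credible."""
    fired = fired_rules(cert, server_ip, seen_at)
    return sum(RULE_WEIGHTS[r] for r in fired), fired


def is_suspicious(cert, server_ip, seen_at):
    return anomaly_score(cert, server_ip, seen_at)[0] >= SUSPICIOUS_THRESHOLD


# Constructed sample certificates.
SEEN_AT = datetime(2016, 6, 1)
BENIGN = CertFacts("www.example.com", "Example Corp", "Example Root CA", False,
                   datetime(2016, 1, 1), datetime(2017, 1, 1), 2048,
                   san=("example.com", "www.example.com"))
# Self-signed, anonymous subject, 20-year lifetime, 1024-bit key, server has no PTR.
EVASIVE = CertFacts("localhost", "", "localhost", True,
                    datetime(2015, 12, 1), datetime(2035, 12, 1), 1024)

if __name__ == "__main__":
    for label, cert, ip in (("benign", BENIGN, "203.0.113.10"),
                            ("evasive", EVASIVE, "203.0.113.77")):
        score, fired = anomaly_score(cert, ip, SEEN_AT)
        print(f"{label}: score={score} "
              f"suspicious={is_suspicious(cert, ip, SEEN_AT)} rules={fired}")
```

Keeping the fired rule names alongside the score is what makes the metric auditable: an analyst can see that a flow was flagged for an anonymous self-signed certificate on an IP without a PTR record rather than for a single rule, and the active service discovery step the abstract mentions can then whitelist a service whose only fired rule is, say, a missing domain ranking.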
In addition, we improve intrusion detection on SSL/TLS channels by classifying certificates on the basis of the earlier large-scale measurements: popular, highly trusted services are first excluded using user visit statistics, and the small remaining share of encrypted flows that use invalid or low-credibility certificates is then inspected in depth for suspicious malicious behavior.

For the detection of network protocol mimicry, where malicious communications disguise themselves as popular protocols or common applications, we decompose a real-world protocol into three aspects that follow from the general notion of a protocol, namely protocol format and grammar, protocol state transitions, and protocol behavior properties, and propose a general framework for protocol mimicry detection that inspects and verifies a protocol in each of these aspects. The scheme can be deployed on passive security devices, so unlike active methods it does not affect network conditions or performance, and it overcomes the weaknesses of anomaly detection that relies on statistics, prior knowledge or machine learning.
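The SSL/TLS identification scheme described earlier (deep inspection of message formats plus validation of state transitions) and the first two aspects of the protocol mimicry framework above (format and grammar, state transitions) can be illustrated with one checker. The following is an added example, not code from the dissertation: the record and handshake layouts are those of TLS 1.2 (RFC 5246), while the state table is an assumed simplification of a full handshake without client authentication, session tickets or renegotiation, the "one handshake message per record" rule is an assumption, and the three sample flows are constructed by hand.

```python
"""Deep format inspection plus state-transition validation of a TLS flow.

Added illustration, not the dissertation's code. Record/handshake layouts per
RFC 5246; the state table is an assumed simplification (no client auth, no
session tickets, no renegotiation); sample flows are constructed by hand.
"""
import struct

CCS, ALERT, HANDSHAKE, APP_DATA = 20, 21, 22, 23            # record content types
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11          # handshake types
SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE, CLIENT_KEY_EXCHANGE = 12, 14, 16
VALID_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}           # SSL 3.0 .. TLS 1.2
MAX_RECORD_LEN = 2 ** 14 + 2048                             # RFC 5246 section 6.2.3

# (state, direction, content type, handshake type) -> next state.
# "C" is client->server, "S" is server->client. Once a side has sent
# ChangeCipherSpec its handshake records (Finished) are ciphertext, tagged "enc".
TRANSITIONS = {
    ("START", "C", HANDSHAKE, CLIENT_HELLO): "CH",
    ("CH", "S", HANDSHAKE, SERVER_HELLO): "SH",
    ("SH", "S", HANDSHAKE, CERTIFICATE): "CERT",
    ("CERT", "S", HANDSHAKE, SERVER_KEY_EXCHANGE): "SKE",
    ("CERT", "S", HANDSHAKE, SERVER_HELLO_DONE): "SHD",
    ("SKE", "S", HANDSHAKE, SERVER_HELLO_DONE): "SHD",
    ("SHD", "C", HANDSHAKE, CLIENT_KEY_EXCHANGE): "CKE",
    ("CKE", "C", CCS, None): "C_CCS",
    ("C_CCS", "C", HANDSHAKE, "enc"): "C_FIN",
    ("C_FIN", "S", CCS, None): "S_CCS",
    ("S_CCS", "S", HANDSHAKE, "enc"): "OPEN",
    ("OPEN", "C", APP_DATA, None): "OPEN",
    ("OPEN", "S", APP_DATA, None): "OPEN",
}
CLIENT_ENCRYPTED = {"C_CCS", "C_FIN", "S_CCS", "OPEN"}
SERVER_ENCRYPTED = {"S_CCS", "OPEN"}


def parse_record(buf):
    """Split one record off the front of buf after checking its header."""
    if len(buf) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", buf[:5])
    if ctype not in (CCS, ALERT, HANDSHAKE, APP_DATA):
        raise ValueError(f"unknown content type {ctype}")
    if version not in VALID_VERSIONS:
        raise ValueError(f"bad record version 0x{version:04x}")
    if not 0 < length <= MAX_RECORD_LEN:
        raise ValueError(f"record length {length} out of range")
    if len(buf) < 5 + length:
        raise ValueError("record body shorter than declared length")
    return ctype, buf[5:5 + length], buf[5 + length:]


def parse_handshake(body):
    """Check a plaintext handshake header (one message per record assumed)."""
    if len(body) < 4:
        raise ValueError("truncated handshake header")
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    if hlen != len(body) - 4:
        raise ValueError(f"handshake length {hlen} != payload {len(body) - 4}")
    return htype, body[4:]


def check_hello(body):
    """Grammar check shared by ClientHello and ServerHello bodies."""
    if len(body) < 35:
        raise ValueError("hello body too short")
    if struct.unpack("!H", body[:2])[0] not in VALID_VERSIONS:
        raise ValueError("bad hello version")
    if body[34] > 32 or len(body) < 35 + body[34]:
        raise ValueError("bad session id length")


def verify_flow(records):
    """records: list of (direction, bytes). Returns (verdict, detail)."""
    state = "START"
    for direction, buf in records:
        while buf:
            try:
                ctype, body, buf = parse_record(buf)
                if ctype == ALERT:
                    return "alert", state
                htype = None
                if ctype == HANDSHAKE:
                    enc_states = CLIENT_ENCRYPTED if direction == "C" else SERVER_ENCRYPTED
                    if state in enc_states:
                        htype = "enc"
                    else:
                        htype, hbody = parse_handshake(body)
                        if htype in (CLIENT_HELLO, SERVER_HELLO):
                            check_hello(hbody)
            except ValueError as err:
                return "violation", f"{state}: format error, {err}"
            nxt = TRANSITIONS.get((state, direction, ctype, htype))
            if nxt is None:
                return "violation", f"{state}: unexpected {direction} record {ctype}/{htype}"
            state = nxt
    return "ok", state


# Builders for the constructed sample flows.
def record(ctype, body, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(body)) + body


def handshake(htype, body):
    return record(HANDSHAKE, bytes([htype]) + len(body).to_bytes(3, "big") + body)


HELLO = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # version, random, empty session id
GOOD_FLOW = [
    ("C", handshake(CLIENT_HELLO, HELLO + b"\x00\x02\x00\x2f\x01\x00")),
    ("S", handshake(SERVER_HELLO, HELLO + b"\x00\x2f\x00")
          + handshake(CERTIFICATE, b"\x00\x00\x00") + handshake(SERVER_HELLO_DONE, b"")),
    ("C", handshake(CLIENT_KEY_EXCHANGE, b"\x00\x00") + record(CCS, b"\x01")
          + record(HANDSHAKE, bytes(40))),
    ("S", record(CCS, b"\x01") + record(HANDSHAKE, bytes(40))),
    ("C", record(APP_DATA, b"ciphertext")), ("S", record(APP_DATA, b"ciphertext")),
]
# Mimicry 1: TLS record headers wrapped around a covert channel, no handshake at all.
TUNNEL_FLOW = [("C", record(APP_DATA, b"GET /beacon")), ("S", record(APP_DATA, b"cmd"))]
# Mimicry 2: a "ServerHello" whose handshake length disagrees with the record length.
BAD_LENGTH_FLOW = [GOOD_FLOW[0], ("S", record(HANDSHAKE, b"\x02\x00\x00\x50" + bytes(10)))]
```

The two mimicry samples fail for different reasons, which is the point of checking both aspects: the tunnel has well-formed records but an impossible transition (application data before any handshake), while the bad ServerHello is in the right state but breaks the message grammar. A port-based or statistics-based classifier would accept both as HTTPS. Because the checker only reads headers and never needs to decrypt, it fits the passive deployment the abstract describes.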
It is also robust in adversarial scenarios. Moreover, to counter deeply hidden malicious communications, we introduce a knowledge base that persistently turns collected data into detection capability, integrate host-based detection, network-based detection and the knowledge base, and combine these with the results above on encrypted malicious channels and protocol mimicry into a practical cooperative detection framework that identifies evasive malicious behavior designed to evade both host-level and network-level intrusion detection.

In summary, to counter emerging security threats in cyberspace, we have carried out a series of studies on the challenging issues in evasive network attack detection and have made progress in encrypted service identification, SSL/TLS service measurement and malicious behavior detection, and network protocol mimicry detection. The methods and techniques developed here improve the ability to discover evasive network attacks in adversarial scenarios, and are meaningful and valuable for mitigating cybercrime, securing national information infrastructure, and protecting people's privacy and property.
Keywords/Search Tags: network attack, evasive, SSL/TLS, encryption, protocol mimicry