
Towards Intrusion Detection for Encrypted Network

1. Introduction
Network-based intrusion detection systems (NIDS) monitor network traffic in order to detect attacks: they inspect the patterns of incoming packets for malicious activity. As the use of VPNs grows, more and more of the traffic a NIDS sees is encrypted, which makes detection of malicious activity by the NIDS impossible. The network can be changed to work around this, for example by decrypting traffic at the gateway, but doing so violates the principle of end-to-end security (ETE). ETE is employed in secure networks by sophisticated users to protect their data from insider threats. In VPNs where the traffic is encrypted and decrypted at the gateway, a traditional NIDS can do its job very well, but at the cost of the confidentiality of the data, and it also increases the overhead of key management. This paper proposes an efficient scheme that analyzes encrypted traffic while preserving confidentiality. The idea is based on Shamir's secret sharing scheme and network proxies, which together allow malicious activity in encrypted channels to be detected.

2. Problem statement
An IDS analyzes audit data from a computer system or network to detect malicious activity. The audit data includes computer log files, settings and network traffic. IDS are normally of two types: anomaly-based detection and misuse detection. Both categories fail if the data is encrypted. Most IDS use one of three approaches to detect intrusions. The first is statistical traffic analysis, in which only the packet headers, and not the payload, are analyzed. Some researchers have used this approach to identify malicious activity in SSL and VPN traffic. It has two limitations: malicious code in the payload, such as SQL injection, cannot be detected, and only very few attack patterns can actually be identified by observing network traffic alone. The second approach uses predefined patterns of behaviour for legitimate users, and any deviation from these patterns is defined as an intrusion. Like the first approach, it cannot analyze the payload: a payload carrying malicious code cannot be identified, and an intruder can easily attack while staying within the legitimate patterns. The last approach analyzes the payload of the network packets and is also called deep packet inspection. It is suitable for identifying attacks such as malformed URL strings and SQL injection. In an end-to-end encryption scenario a host-based IDS can analyze the payload at the endpoints, but this increases the workload on the IDS because it also has to monitor other aspects of the host system, such as system calls and the status of system files.

3. Proposed Methodology
A standard IDS intercepts and analyzes the network traffic between two communicating parties, either with a man-in-the-middle approach or by passively sniffing packets. Passive sniffing becomes infeasible for a NIDS on ETE-encrypted network traffic because it needs the keys of the communicating parties, which raises a key management issue. In this paper a central IDS (CIDS) is used to carry out the traffic analysis. The CIDS is implemented on a separate host in the network, and an IDS sensor is installed on every host in the network. The primary job of the IDS sensor is to ensure that all network traffic sent to a receiver is also sent to the CIDS for intrusion detection analysis. Message proxies and Shamir's secret sharing scheme are introduced to ensure that all traffic is forwarded to both the receiver and the CIDS. Each proxy is an ordinary network host and must have message forwarding capability.
To send a message, the sender must first divide it into its corresponding shares using the secret sharing scheme. The scheme has two parameters, k and n: n specifies the number of shares of a message, and k specifies the threshold, the minimum number of shares required to successfully reconstruct the message. This is how confidentiality is achieved.

Figure 1

Note that k-1 or fewer shares of a message cannot be used to reconstruct it. As shown in Figure 1, any host in the network can be selected as the proxy for any share of a message. When a proxy receives a share of a message it decrypts the share with the key of the receiver; for this purpose every endpoint or host must have the keys of the other hosts. The proxy then performs one of the following four actions at random:
(i) Forward to the receiver with probability Pr.
(ii) Forward to CIDS with probability Pc.
(iii) Forward to both receiver and CIDS with probability Pb.
(iv) Drop the message with probability Pd.
Both the CIDS and the receiver can reconstruct the message M if they receive at least k shares of it, as the secret sharing scheme requires. The algorithm can be summarized as follows:

Algorithm:
(i) Sender splits M into {m1, . . . , mi, . . . , mn}
(ii) Each mi is sent to a proxy
(iii) Proxy pi does one of the four predefined actions
(iv) Receiver receives k or more mi and recovers M
(v) CIDS receives k or more mi and recovers M
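The following Python program is an added worked example of the (k, n) secret sharing and proxy forwarding steps described above; it is not code from the paper. It implements Shamir's scheme byte by byte over the field GF(257) (a constructed choice, any prime larger than 255 and larger than n works), routes each share through a proxy that picks one of the four actions with probabilities Pr, Pc, Pb, Pd (the paper leaves their values undefined, so the values in the demo are constructed), and lets the receiver and the CIDS each try to recover M. It goes one step beyond the text by also computing, as a binomial sum, the probability that a party collects at least k of the n shares; that calculation is this example's addition, not the paper's.

```python
import random
import secrets
from math import comb

# Field prime for byte-sized secrets (constructed choice for this example).
PRIME = 257


def _eval_poly(coeffs, x):
    """Evaluate a0 + a1*x + a2*x^2 + ... at x, mod PRIME (Horner's rule)."""
    result = 0
    for coeff in reversed(coeffs):
        result = (result * x + coeff) % PRIME
    return result


def split_byte(secret_byte, k, n):
    """Shamir (k, n) split of one byte: a random polynomial of degree k-1 with
    the secret as constant term, evaluated at x = 1..n. Returns [(x, y), ...]."""
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n < PRIME")
    coeffs = [secret_byte] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_byte(points, k):
    """Lagrange interpolation at x = 0 from k points. Any k of the n shares
    work; with k-1 shares every byte value remains equally possible."""
    if len(points) < k:
        raise ValueError("fewer than k shares: reconstruction impossible")
    pts = points[:k]
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_message(message, k, n):
    """Split a bytes message M into n shares m1..mn; share x holds one y per byte."""
    per_byte = [split_byte(b, k, n) for b in message]
    return [(x, [pts[x - 1][1] for pts in per_byte]) for x in range(1, n + 1)]


def recover_message(shares, k):
    """Reconstruct M from any k (or more) message shares, in any order."""
    if len(shares) < k:
        raise ValueError("fewer than k shares: reconstruction impossible")
    chosen = shares[:k]
    length = len(chosen[0][1])
    return bytes(recover_byte([(x, ys[pos]) for x, ys in chosen], k)
                 for pos in range(length))


def proxy_action(rng, p_r, p_c, p_b, p_d):
    """Pick one of the four proxy actions; the four probabilities must sum to 1."""
    if abs(p_r + p_c + p_b + p_d - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    u = rng.random()
    if u < p_r:
        return "receiver"          # (i) forward to the receiver, Pr
    if u < p_r + p_c:
        return "cids"              # (ii) forward to the CIDS, Pc
    if u < p_r + p_c + p_b:
        return "both"              # (iii) forward to both, Pb
    return "drop"                  # (iv) drop the share, Pd


def simulate(message, k, n, probs, seed=0):
    """Run the algorithm once: split M, route each share via a proxy, and let
    receiver and CIDS each try to recover M. Returns (receiver, cids), each the
    recovered bytes or None when fewer than k shares arrived."""
    rng = random.Random(seed)
    to_receiver, to_cids = [], []
    for share in split_message(message, k, n):
        action = proxy_action(rng, *probs)
        if action in ("receiver", "both"):
            to_receiver.append(share)
        if action in ("cids", "both"):
            to_cids.append(share)

    def recover(got):
        return recover_message(got, k) if len(got) >= k else None

    return recover(to_receiver), recover(to_cids)


def delivery_probability(k, n, p_share):
    """Probability that at least k of n independently routed shares reach a party
    when each share reaches it with probability p_share (receiver: Pr + Pb,
    CIDS: Pc + Pb). Not defined in the paper; added here for analysis."""
    return sum(comb(n, i) * p_share ** i * (1 - p_share) ** (n - i)
               for i in range(k, n + 1))


if __name__ == "__main__":
    sample = b"GET /?id=1 OR 1=1"                      # constructed sample payload
    print(simulate(sample, 3, 5, (0.3, 0.2, 0.4, 0.1), seed=1))
    print(delivery_probability(3, 5, 0.7))             # receiver, Pr + Pb = 0.7
```

The simulation makes shortcoming (iii) below concrete: whether the receiver and the CIDS actually obtain their k shares depends entirely on the forwarding probabilities, and with the drop action in play a single run can leave either party unable to reconstruct M.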

4. Shortcomings
The shortcomings of the proposed scheme are the following.
(i) Since each proxy in this proposal requires the keys of the other hosts, key management becomes difficult for a large number of hosts.
(ii) Whether it uses active sniffing or a man-in-the-middle approach, this scheme increases network overhead.
(iii) The probability function used by the proxies for message forwarding is not defined; instead a randomized approach is used.
