HTTPS Event-Flow Correlation: Improving Situational Awareness in Encrypted Web Traffic
Result identifiers
Result code in IS VaVaI
RIV/00216224:14610/22:00125164 - isvavai.cz: https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216224%3A14610%2F22%3A00125164
Result on the web
http://dx.doi.org/10.1109/NOMS54207.2022.9789877
DOI - Digital Object Identifier
10.1109/NOMS54207.2022.9789877
Alternative languages
Result language
English
Title in original language
HTTPS Event-Flow Correlation: Improving Situational Awareness in Encrypted Web Traffic
Result description in original language
Achieving situational awareness is a challenging process in current HTTPS-dominant web traffic. In this paper, we propose a new approach to encrypted web traffic monitoring. First, we design a method for correlating host-based and network monitoring data based on their common features and a correlation time-window. Then we analyze the correlation results in detail to identify configurations of web servers and monitoring infrastructure that negatively affect the correlation. We describe these properties and possible data preprocessing techniques to minimize their impact on correlation performance. Furthermore, to test the correlation method's behavior in different web server setups and for recent encryption protocols, we modify it by adapting the correlation features to TLS 1.3 and QUIC. Finally, we evaluate the correlation method on a dataset collected from a campus network. The results show that while the correlation requires monitoring of custom event and flow features, it remains feasible even when using encryption protocols designed for the near future.
Classification
Type
D - Article in proceedings
CEP field
—
OECD FORD field
10201 - Computer sciences, information science, bioinformatics (hardware development to be 2.2, social aspect to be 5.8)
Result linkages
Project
EF16_019/0000822: Centrum excelence pro kyberkriminalitu, kyberbezpečnost a ochranu kritických informačních infrastruktur
Linkages
P - Research and development project financed from public sources (with a link to CEP)
Other
Year of application
2022
Data confidentiality code
S - Complete and true data about the project are not subject to protection under special legal regulations
Data specific to the result type
Title of the article in the proceedings
2022 IEEE/IFIP Network Operations and Management Symposium (NOMS 2022)
ISBN
9781665406017
ISSN
1542-1201
e-ISSN
—
Number of pages of the result
6
Pages from-to
1-6
Publisher name
IEEE Xplore Digital Library
Place of publication
Budapest, Hungary
Event location
Budapest, Hungary
Event date
1. 1. 2022
Event type by nationality
WRD - Worldwide event
UT WoS article code
000851572700131