BlindIDS
PROBLEM
Aside from the usual challenges an IDS faces in inspecting HTTPS traffic
BlindBox requires the middleboxes (MBs) to encrypt the entire set of malicious patterns before they can be used to inspect network traffic
This adds to the connection setup time
It needs a large amount of memory
BlindBox requires the signature-based patterns in cleartext
BlindBox is hard to deploy in the real world
GOAL
Privacy-friendly, not only for the client side
Security-aware: supports DPI over encrypted network traffic while at the same time protecting the privacy of the signature patterns
Achieve good performance and be deployable in the real world
Achieve the three security-model properties:
Detection Property
Any malicious traffic must be detected by the Service Provider (SP)
Traffic Indistinguishability Property
The SP learns no information about the traffic
Even if some part of the traffic is obtained, an adversary cannot tell whether other parts of the traffic are connected to the part it obtained
Rule Indistinguishability Property
The SP never learns any information about the rules
Architecture
Honest-but-Curious Entities
Service Provider (SP) - the middleboxes that use the Security Editor's rules
Security Editor (SE) - the provider of the rules used to detect malicious network traffic
Overall Process Flow
Setup
1) The sender generates a private key for itself and a public key for the receiver
Send
2) The sender encrypts each token and sends it along with the receiver's public key
RuleGen
3) The SE generates a key pair: its own secret key and the SP's public key, which is used for the SE's encrypted rules
4) The SE encrypts its rules and passes the encrypted rules to the SP
Detect
5) Given its public key, the encrypted traffic and the encrypted rules, the SP performs a lookup to check whether any encrypted rule matches the encrypted traffic
Receive
6) Given the sender's public key and the encrypted traffic, the receiver decrypts it into plaintext traffic
Decryptable Searchable Encryption
Process Flow
KeyGen
Input: security parameter
Output: public key, private key, trapdoor key
Enc
Input: keyword, public key
Output: encrypted keyword and public key
TrapGen
Input: keyword, trapdoor key
Output: encrypted trapdoor keyword
Test
Input: encrypted keyword, encrypted trapdoor keyword
Output: match or no match
Dec
Input: encrypted keyword, private key
Output: plaintext keyword
Final Thoughts
An enhanced version of BlindBox, implemented as an Intrusion Detection System (IDS)
Advantages
Unlike BlindBox, which uses symmetric encryption (AES), BlindIDS uses asymmetric (public-key) encryption, so it no longer has to generate garbled outputs to match against the encrypted traffic
BlindIDS is better in that the encrypted rules are sent only once for matching
Disadvantages
Still needs resources and implementation effort on the user's side
Evaluation
Functional Evaluation
Goal
Show the ability to detect attacks using standard signature-based rules
Result
In rule-set support, BlindIDS covers 100% of both the Malware Blocklists and the URL Deny Lists, but only 77.3% of the Yara rules and 75% of the Snort rules. The drop is because full regular expressions are inherently slow and were left out of the supported rule set, although some regexes are still supported.
Detection capability is also measured on a capture-the-flag dataset: BlindIDS detects 96.5% of the attack keywords and 98.3% of the attacks that Snort should have detected, about 1% less than BlindBox.
Performance Evaluation
Goal
Show the client-side overhead and BlindIDS' scalability
Result
Reduces BlindBox's overhead by 6 orders of magnitude, since less memory is needed
Reduces HTTPS connection-setup latency by 3 orders of magnitude
Decryption takes longer than in BlindBox and standard HTTPS, since an asymmetric encryption scheme is used
Detection is 25% faster than BlindBox
Memory use no longer depends on the number of connections or the number of tokens, only on the number of detection rules
Setup
Intel Xeon E5-1620 CPU, 4 cores at 3.70 GHz, 64-bit Linux OS
Dataset
Malware Blocklist
URL Deny Lists
Yara rules
Snort Rules
Written in Java
Reference:
S. Canard, A. Diop, N. Kheir, M. Paindavoine, M. Sabt, "BlindIDS: Market-Compliant and Privacy-Friendly Intrusion Detection System Over Encrypted Traffic", in Proceedings of the 2017 ACM Conference on Computer and Communications Security, 2017.