Archivio Istituzionale della RicercaVarious applications running in network-based, mobile, Internet of Things, or embedded systems environments exploit the Transport Layer Security (TLS) protocol to secure communication channels. However, in the last decade, several attacks have been discovered that exploit weaknesses in the protocol specification, the extensions, the cryptographic algorithms, or in the implementation and deployment of TLS-enabled software or libraries. A classical solution to counter TLS attacks on a target is to scan the installed TLS software (via dedicated software or services) and update it with versions that are resistant to attacks. However, an (internal) attacker might even temporarily corrupt the end node so that it becomes vulnerable to TLS attacks. So, the TLS scanning operations should be performed often, wasting resources of the monitored target. We propose a network-based intrusion detection tool named Threat-TLS, aimed to individuate weak, suspicious, or malicious TLS connections in intercepted traffic by looking for TLS patterns that contain features exploited to perform attacks, like old protocol versions, weak algorithms, or extensions. We have tested the proposed tool in a testbed environment by exploiting two famous tools, namely Suricata and Zeek, illustrating its performance in detecting some TLS attacks.
Threat-TLS: A Tool for Threat Identification in Weak, Malicious, or Suspicious TLS Connections / Berbecaru, Diana Gratiela; Lioy, Antonio. - ELETTRONICO. - (2024), pp. 1-9. (Intervento presentato al convegno 19th International Conference on Availability, Reliability and Security (ARES 2024) tenutosi a Vienna (AT) nel 30 July - 02 August 2024) [10.1145/3664476.3670945].
Threat-TLS: A Tool for Threat Identification in Weak, Malicious, or Suspicious TLS Connections
Berbecaru, Diana Gratiela;Lioy, Antonio
2024
Abstract
Various applications running in network-based, mobile, Internet of Things, or embedded systems environments exploit the Transport Layer Security (TLS) protocol to secure communication channels. However, in the last decade, several attacks have been discovered that exploit weaknesses in the protocol specification, the extensions, the cryptographic algorithms, or in the implementation and deployment of TLS-enabled software or libraries. A classical solution to counter TLS attacks on a target is to scan the installed TLS software (via dedicated software or services) and update it with versions that are resistant to attacks. However, an (internal) attacker might even temporarily corrupt the end node so that it becomes vulnerable to TLS attacks. So, the TLS scanning operations should be performed often, wasting resources of the monitored target. We propose a network-based intrusion detection tool named Threat-TLS, aimed to individuate weak, suspicious, or malicious TLS connections in intercepted traffic by looking for TLS patterns that contain features exploited to perform attacks, like old protocol versions, weak algorithms, or extensions. We have tested the proposed tool in a testbed environment by exploiting two famous tools, namely Suricata and Zeek, illustrating its performance in detecting some TLS attacks.
| File | Dimensione | Formato | |
|---|---|---|---|
|
3664476.3670945.pdf
accesso aperto
Tipologia:
2a Post-print versione editoriale / Version of Record
Licenza:
PUBBLICO - Tutti i diritti riservati
Dimensione
823.57 kB
Formato
Adobe PDF
|
823.57 kB | Adobe PDF | Visualizza/Apri |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/11583/2991439