Confidential Payload Attribution on Encrypted Traffic of Enterprise Networks
Subject Areas: ICT
Seyed Mohammad Hosseini 1, Amir Hosein Jahangir 2, Mahdi Soltani 3
1 - Faculty of Computer Engineering, Shahid Beheshti University, Tehran, Iran
2 - Computer Engineering Department, Sharif University of Technology, Tehran, Iran
3 - Computer Engineering Department, Sharif University of Technology, Tehran, Iran
Keywords: Network forensics, Payload attribution, Encrypted traffic, Confidentiality
Abstract:
The widespread use of encryption protocols is accompanied by an increased risk of organizational-level security devices becoming ineffective. When network traffic is encrypted, many security tasks that rely on processing the content of flow payloads, such as intrusion detection and network forensics, become ineffective. Existing practical approaches to this problem are based on TLS interception, which not only violates confidentiality but also introduces security issues of its own. This paper introduces a confidential payload attribution system called "JormYab". JormYab is a practical approach that enables data attribution on standard encrypted traffic in organizational networks. JormYab, which can be easily deployed in an enterprise network, is based on a simple traffic-digesting mechanism and does not violate confidentiality. Our practical and realistic evaluations show that JormYab can store a history of the standard encrypted traffic of an enterprise network for use in network forensic investigations. The realistic scenarios used in our research also reveal common challenges and problems in the process of payload attribution investigations, and based on them we discuss effective methods for addressing these issues.
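To make the idea of a "traffic digesting mechanism" that preserves confidentiality concrete, here is an added illustration. It is not JormYab's method (the abstract does not describe it) and not code from the paper: a generic payload-attribution store that keeps, per flow, only a keyed Bloom-filter digest of fixed-size payload blocks, so the retained history never contains the payload bytes, yet it can still answer the forensic question "which recorded flows carried this excerpt?". The block size, the digest key, the flow identifiers and the random sample payloads are all constructed assumptions.

```python
import hashlib
import math
import random

BLOCK = 32  # payload bytes per digested block (a constructed parameter, not JormYab's)


class BloomFilter:
    """Keyed Bloom filter: only hashed evidence of a block is kept, never the block."""

    def __init__(self, n_bits: int = 1 << 16, k: int = 4, key: bytes = b"") -> None:
        self.n_bits, self.k, self.key = n_bits, k, key
        self.bits = bytearray(n_bits // 8)
        self.count = 0  # items inserted, used for the false-positive estimate

    def _positions(self, item: bytes):
        # k positions from a keyed BLAKE2b; the key stops anyone who obtains
        # the digest store from testing guessed blocks against it offline.
        for i in range(self.k):
            h = hashlib.blake2b(bytes([i]) + item, key=self.key, digest_size=8).digest()
            yield int.from_bytes(h, "big") % self.n_bits

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.count += 1

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def estimated_fpr(self) -> float:
        # Standard estimate (1 - e^{-kn/m})^k for a filter holding n items.
        return (1 - math.exp(-self.k * self.count / self.n_bits)) ** self.k


class AttributionStore:
    """Per-flow digests of aligned payload blocks; answers 'which flows carried this excerpt?'"""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.flows: dict[str, BloomFilter] = {}

    def digest_flow(self, flow_id: str, payload: bytes) -> int:
        # Only full, grid-aligned blocks are digested; a trailing partial block is dropped.
        bf = BloomFilter(key=self.key)
        for off in range(0, len(payload) - BLOCK + 1, BLOCK):
            bf.add(payload[off:off + BLOCK])
        self.flows[flow_id] = bf
        return bf.count

    @staticmethod
    def _matches(bf: BloomFilter, excerpt: bytes) -> bool:
        # The excerpt's alignment to the flow's block grid is unknown, so every
        # alignment is tried; a hit needs all full blocks at that alignment present.
        for start in range(BLOCK):
            blocks = [excerpt[j:j + BLOCK] for j in range(start, len(excerpt) - BLOCK + 1, BLOCK)]
            if blocks and all(b in bf for b in blocks):
                return True
        return False

    def attribute(self, excerpt: bytes) -> list[str]:
        if len(excerpt) < 2 * BLOCK - 1:
            raise ValueError("excerpt too short to contain a full block at every alignment")
        return [fid for fid, bf in self.flows.items() if self._matches(bf, excerpt)]


# Constructed sample: three flows of random bytes stand in for encrypted records.
_rng = random.Random(2024)
SAMPLE_FLOWS = {f"flow-{i}": _rng.randbytes(512) for i in range(1, 4)}
STORE = AttributionStore(key=b"constructed-digest-key")
for _fid, _payload in SAMPLE_FLOWS.items():
    STORE.digest_flow(_fid, _payload)


def demo_hit() -> list[str]:
    # A 100-byte fragment of flow-2, as an investigator might recover it from an endpoint.
    return STORE.attribute(SAMPLE_FLOWS["flow-2"][100:200])


def demo_miss() -> list[str]:
    # Bytes that never crossed the network attribute to no flow.
    return STORE.attribute(random.Random(99).randbytes(100))


if __name__ == "__main__":
    print("hit:", demo_hit(), "miss:", demo_miss())
    print("per-flow false-positive estimate:", STORE.flows["flow-1"].estimated_fpr())
```

Two caveats that any digest-based attribution scheme carries, whatever its exact design: a Bloom filter can only ever return "possibly present", so an answer is probabilistic and its false-positive rate grows with the number of blocks per filter, which is why `estimated_fpr` is reported alongside the result; and because the excerpt's alignment to the original block grid is unknown, an excerpt shorter than roughly two blocks cannot be attributed at all, which bounds how small a fragment an investigator can usefully query.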