iDeFEND: Intrusion detection framework for encrypted network data

Abstract

Network Intrusion Detection Systems have been used for many years to inspect network data and to detect intruders. Nowadays, more and more often encryption is used to protect the confidentiality of network data. When end-to-end encryption is applied, Network Intrusion Detection Systems are blind and can not protect against attacks. In this paper we present iDeFEND, a framework for inspecting encrypted network data without breaking the security model of end-to-end encryption. Our approach does not require any source code of the involved applications and thereby also protects closed source applications. Our framework works independently of the utilized encryption key. We present two use cases how our framework can detect intruders by analysing the network data and how we can test remote applications with enabled network data encryption. To achieve this iDeFEND detects the relevant functions in the target application, extracts and subsequently inspects the data. To test remote applications iDeFEND intercepts and injects user controlled data into the application to test remote applications. Finally we have implemented our framework to show the feasibility of our approach.