Detection of Encrypted Streams for Egress Monitoring
ProQuest, 2007 - 53 pages
The solution proposed in this thesis is simple yet an effective approach to prevent information leakage when the data is encrypted. We assume that a policy is in place which disallows encrypted content from specific hosts, ports and applications and wish to detect any violations to this policy. This work aims at analyzing encrypted and unencrypted traffic flows across a gateway and detecting unauthorized encrypted traffic flows. The work discusses a low level approach to detect encryption, based on entropy calculation and packet analysis. The technique is based on the fact that encrypted data consists of a random distribution of symbols whose entropy is expected to be quite high as compared to an unencrypted file. Techniques to differentiate between encrypted and high entropy compressed traffic are also discussed. This thesis implements and compares statistical methods for a fast online detection of encrypted traffic from all the other unencrypted traffic flowing across a network.
What people are saying - Write a review
We haven't found any reviews in the usual places.
arithmetic mean ASCII auto-correlation values Blocks required bytes Chi-Square test chi-square value Cipher Block Chaining company's compressed and encrypted compressed stream compression algorithms confidence level critical value cryptography decryption routine detect compressed detect encryption differentiate between encrypted differentiate encrypted streams differentiating high entropy Doc File Egress filtering emails encrypted and unencrypted encrypted content encrypted data stream encrypted file entropy and randomness entropy data stream entropy test equation extrusion detection false negative rate false positive figure 11 file streams Frequency Distribution Gzip header high entropy compressed high entropy content high entropy streams highly random hypothesized distribution implemented Index of Coincidence Information Entropy IOC peaks IOC plots IOC values IP addresses JPEG Kolmogorov-Smirnov test low entropy data low entropy streams null hypothesis PDF plot plot of Blocks probability of occurrence statistical tests stream is calculated stream of data stream shows streams from encrypted technique test corpus Threat Model uniform distribution