
Add a heuristic to detect fully encrypted flows #2058

Merged: 1 commit, Jul 26, 2023

Conversation

IvanNardi
Collaborator

A fully encrypted session is a flow where every byte of the payload is encrypted in an attempt to “look like nothing”. The heuristic needs only the very first packet of the flow. See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf

A basic, but generic, implementation of the popcount alg has been added
@IvanNardi IvanNardi marked this pull request as ready for review July 24, 2023 09:24

sonarcloud bot commented Jul 24, 2023

Kudos, SonarCloud Quality Gate passed!

0 Bugs (A)
0 Vulnerabilities (A)
0 Security Hotspots (A)
0 Code Smells (A)

No Coverage information
0.0% Duplication

Collaborator

utoni commented Jul 25, 2023

Interesting. Did you try to implement Ex4/Ex5?

@lucaderi lucaderi merged commit 3326fa2 into ntop:dev Jul 26, 2023
33 checks passed
@IvanNardi
Collaborator Author

> Interesting. Did you try to implement Ex4/Ex5?

They are already implemented... You can see the Ex4 comment just below Ex3.
I implemented a stronger version of Ex5: instead of looking for HTTP/TLS only, we exclude a flow matching ANY nDPI protocol, i.e. this heuristic is triggered only for unknown traffic, which seems the right approach to me (I don't want the risk set for a WhatsApp or Telegram flow; I already know what they are...). This is the reason the new risk is set in ndpi_protocol ndpi_detection_giveup

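To make the PR description and the reply above concrete, here is the heuristic from the linked paper written out as an added C example. It is not the nDPI code from this PR: a generic byte-buffer popcount, the exemptions Ex1 to Ex4 with the thresholds the paper gives (average set bits per byte outside (3.4, 4.6); first six bytes printable; more than 50% printable; a run of more than 20 printable bytes), and Ex5 applied the way the reply describes, by running the check only on flows the classifier could not identify. The function and enum names are mine, and the sample buffers in `demo_case` are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable popcount over a byte buffer; no compiler builtin required.
 * Kernighan's loop: every pass clears the lowest set bit of b. */
size_t buffer_popcount(const uint8_t *buf, size_t len)
{
  size_t bits = 0;
  for (size_t i = 0; i < len; i++) {
    uint8_t b = buf[i];
    while (b) { b &= (uint8_t)(b - 1); bits++; }
  }
  return bits;
}

static int is_printable(uint8_t c) { return c >= 0x20 && c <= 0x7e; }

/* Verdict for the first payload packet of a flow. Non-zero values name the
 * exemption (Ex1..Ex4 in the paper) that cleared the packet. Names are mine. */
enum fe_verdict {
  FE_FULLY_ENCRYPTED = 0,
  FE_EX1_POPCOUNT,         /* average set bits per byte <= 3.4 or >= 4.6 */
  FE_EX2_PRINTABLE_PREFIX, /* first six bytes all printable ASCII */
  FE_EX3_MOSTLY_PRINTABLE, /* more than 50% printable ASCII */
  FE_EX4_PRINTABLE_RUN,    /* more than 20 contiguous printable bytes */
  FE_EMPTY
};

enum fe_verdict classify_first_packet(const uint8_t *p, size_t len)
{
  if (len == 0) return FE_EMPTY;

  /* Ex1: ciphertext has ~4 set bits per byte on average. */
  double avg_bits = (double)buffer_popcount(p, len) / (double)len;
  if (avg_bits <= 3.4 || avg_bits >= 4.6) return FE_EX1_POPCOUNT;

  size_t printable = 0, run = 0, max_run = 0, prefix_ok = 0;
  for (size_t i = 0; i < len; i++) {
    if (is_printable(p[i])) {
      printable++;
      if (++run > max_run) max_run = run;
      if (i < 6) prefix_ok++;
    } else {
      run = 0;
    }
  }
  if (len >= 6 && prefix_ok == 6) return FE_EX2_PRINTABLE_PREFIX;
  if (printable * 2 > len)       return FE_EX3_MOSTLY_PRINTABLE;
  if (max_run > 20)              return FE_EX4_PRINTABLE_RUN;
  return FE_FULLY_ENCRYPTED;
}

/* Ex5 as the reply describes it: only flows the classifier could not name
 * are checked, so a known protocol never gets the risk. */
int flag_fully_encrypted(int protocol_known, const uint8_t *p, size_t len)
{
  if (protocol_known) return 0;
  return classify_first_packet(p, len) == FE_FULLY_ENCRYPTED;
}

/* Constructed samples (not captured traffic) that exercise each branch. */
enum fe_verdict demo_case(int which)
{
  uint8_t buf[64];
  size_t len = 0;
  switch (which) {
  case 0: memset(buf, 0x00, 32); len = 32; break;   /* 0 bits/byte -> Ex1 */
  case 1: /* 0x0f/0xf0 carry 4 bits each and none is printable */
    for (len = 0; len < 32; len++) buf[len] = (len & 1) ? 0xf0 : 0x0f; break;
  case 2: /* printable prefix, then the same 4-bit bytes (avg 3.72) */
    memcpy(buf, "ABCDEF", 6);
    for (len = 6; len < 32; len++) buf[len] = (len & 1) ? 0xf0 : 0x0f; break;
  case 3: /* 0xff,'A','B' repeated: 20 of 30 bytes printable, avg 4.0 bits */
    for (len = 0; len < 30; len++)
      buf[len] = (uint8_t)((len % 3 == 0) ? 0xff : 'A' + len % 3 - 1);
    break;
  case 4: /* 21 x 0x03 then 21 x 'w': exactly 50% printable, run of 21 */
    memset(buf, 0x03, 21); memset(buf + 21, 'w', 21); len = 42; break;
  default: return FE_EMPTY;
  }
  return classify_first_packet(buf, len);
}

int main(void)
{
  for (int i = 0; i < 5; i++)
    printf("sample %d -> verdict %d\n", i, (int)demo_case(i));
  return 0;
}
```

The checks run in the paper's order, and Ex1 alone clears most plaintext (a plain `GET / HTTP/1.1` line averages under three set bits per byte), which is why the samples that reach Ex2 to Ex4 have to be padded with 4-bit bytes to get past it.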
@IvanNardi IvanNardi deleted the popcount branch July 26, 2023 07:14