You Do (Not) Belong Here: Detecting DPI Evasion Attacks with Context Learning

by Shitong Zhu, et al.

As Deep Packet Inspection (DPI) middleboxes become increasingly popular, a spectrum of adversarial attacks has emerged with the goal of evading such middleboxes. Many of these attacks exploit discrepancies between the middlebox's network protocol implementations and the more rigorous/complete versions implemented at end hosts. These evasion attacks largely involve subtle manipulations of packets that cause different behaviours at the DPI and at the end hosts, cloaking malicious network traffic that would otherwise be detectable. With recent automated discovery of such attacks, it has become prohibitively challenging to manually curate rules for detecting these manipulations. In this work, we propose CLAP, the first fully-automated, unsupervised ML solution to accurately detect and localize DPI evasion attacks. By learning, from benign traffic traces only, what we call the packet context, which captures inter-relationships across both (1) different packets in a connection and (2) different header fields within each packet, CLAP can detect and pinpoint packets that violate the benign packet contexts (which are the ones specially crafted for evasion purposes). Our evaluations with 73 state-of-the-art DPI evasion attacks show that CLAP achieves an Area Under the Receiver Operating Characteristic Curve (AUC-ROC) of 0.963, an Equal Error Rate (EER) of only 0.061 in detection, and an accuracy of 94.6. These results suggest that CLAP can be a promising tool for thwarting DPI evasion attacks.


Packet2Vec: Utilizing Word2Vec for Feature Extraction in Packet Data

One of deep learning's attractive benefits is the ability to automatical...

Fundamental Limits of Covert Packet Insertion

Covert communication conceals the existence of the transmission from a w...

Dynamic MTU for Reducing the Packet Drop in IPv6 Protocol

With an increase in the number of internet users and the need to secure ...

Evaluating Snowflake as an Indistinguishable Censorship Circumvention Tool

Tor is the most well-known tool for circumventing censorship. Unfortunat...

CANflict: Exploiting Peripheral Conflicts for Data-Link Layer Attacks on Automotive Networks

Current research in the automotive domain has proven the limitations of ...

Lattice Structural Analysis on Sniffing to Denial of Service Attacks

Sniffing is one of the most prominent causes for most of the attacks in ...

Tracemax: A Novel Single Packet IP Traceback Strategy for Data-Flow Analysis

The identification of the exact path that packets are routed on in the n...