CR · Dec 16, 2017

Fingerprinting Cryptographic Protocols with Key Exchange using an Entropy Measure

arXiv:1712.05908v1
Originality: Incremental advance
AI Analysis

The paper addresses network security challenges by enabling detection of cryptographic protocols and malware, though it appears incremental because it builds on entropy-based methods.

The paper tackles the problem of identifying key exchange protocols in encrypted network traffic by detecting high-entropy data patterns, resulting in a system that shows potential for protocol identification and malware traffic detection.

Encryption has increasingly been used in all applications for various purposes, but it also brings big challenges to network security. In this paper, we take first steps towards addressing some of these challenges by introducing a novel system to identify key exchange protocols, which are usually required if encryption keys are not pre-shared. We observed that key exchange protocols yield certain patterns of high-entropy data blocks, e.g. as found in key material. We propose a multi-resolution approach of accurately detecting high-entropy data blocks and a method of generating scalable fingerprints for cryptographic protocols. We provide experimental evidence that our approach has great potential for identifying cryptographic protocols by their unique key exchanges, and furthermore for detecting malware traffic that includes customized key exchange protocols.
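As an added illustration of the idea in the abstract (not the paper's algorithm or code), the following scans a message with sliding windows at two sizes and reports where a high-entropy block sits. The window sizes, the 0.9 threshold, the rule of keeping only bytes flagged at every resolution, and the sample message are assumptions made for this example.

```python
import math
from collections import Counter

def normalized_entropy(block: bytes) -> float:
    """Shannon entropy of the byte histogram, scaled to [0, 1].

    A block of n < 256 bytes can reach at most log2(n) bits per byte, so
    dividing by 8 would make every short window look low-entropy.
    """
    n = len(block)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(block).values())
    return h / math.log2(min(n, 256))

def flagged_bytes(data: bytes, window: int, threshold: float) -> set[int]:
    """Offsets covered by at least one sliding window above the threshold."""
    hits = set()
    for start in range(len(data) - window + 1):
        if normalized_entropy(data[start:start + window]) >= threshold:
            hits.update(range(start, start + window))
    return hits

def high_entropy_spans(data, windows=(64, 32), threshold=0.9):
    """Merge bytes flagged at every resolution into (start, end) spans."""
    common = None
    for w in windows:
        hits = flagged_bytes(data, w, threshold)
        common = hits if common is None else common & hits
    spans = []
    for off in sorted(common or ()):
        if spans and spans[-1][1] == off:
            spans[-1][1] = off + 1
        else:
            spans.append([off, off + 1])
    return [tuple(s) for s in spans]

# Constructed sample: repetitive plaintext around a 64-byte stand-in for key
# material (an affine map with an odd multiplier, so all 64 bytes differ).
PLAINTEXT = b"client-hello;" * 8
KEY_BLOB = bytes((i * 167 + 13) % 256 for i in range(64))
MESSAGE = PLAINTEXT + KEY_BLOB + PLAINTEXT  # key blob occupies [104, 168)

if __name__ == "__main__":
    print(high_entropy_spans(MESSAGE))        # one span around the key blob
    print(high_entropy_spans(PLAINTEXT * 3))  # plaintext only: no spans
```

The reported span is wider than the key blob because windows that straddle the boundary still mix many distinct byte values; shrinking the windows tightens the boundary but makes the entropy estimate noisier.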
