DocumentCode :
1756214
Title :
Behavior-based intrusion detection in encrypted environments
Author :
Koch, Robert ; Golling, M. ; Rodosek, Gabi Dreo
Author_Institution :
Univ. der Bundeswehr Munchen, Neubiberg, Germany
Volume :
52
Issue :
7
fYear :
2014
fDate :
41821
Firstpage :
124
Lastpage :
131
Abstract :
In recent years the Internet has evolved into a critical communication infrastructure that is omnipresent in almost all aspects of our daily life. This dependence of modern societies on the Internet has also resulted in more criminals using the Internet for their purposes, causing a steady increase of attacks, both in terms of quantity as well as quality. Although research on the detection of attacks has been performed for several decades, today's systems are not able to cope with modern attack vectors. One of the reasons is the increasing use of encrypted communication that strongly limits the detection of malicious activities. While encryption provides a number of significant advantages for the end user like, for example, an increased level of privacy, many classical approaches of intrusion detection fail. Since it is typically not possible to decrypt the traffic, performing analysis w.r.t. the presence of certain patterns is almost impossible. To overcome this shortcoming we present a new behavior-based detection architecture that uses similarity measurements to detect intrusions as well as insider activities like data exfiltration in encrypted environments.
Keywords :
Internet; computer network security; cryptography; Internet; behavior-based intrusion detection; data exfiltration; encrypted communication; encrypted environments; malicious activity detection; Encryption; Internet; Intrusion detection; Knowledge based systems; Payloads; Telecommunication network management;
fLanguage :
English
Journal_Title :
Communications Magazine, IEEE
Publisher :
ieee
ISSN :
0163-6804
Type :
jour
DOI :
10.1109/MCOM.2014.6852093
Filename :
6852093
Link To Document :