Abstract

Remote desktop protocols (RDP) are commonly used for connecting to and interacting with computers remotely. In such a setup, a server component runs on the remote computer and shares its desktop (i.e., screen) with the client component, which runs on an end-user device. In recent years, a number of vulnerabilities have been identified in two widely used remote desktop implementations, Microsoft Remote Desktop and RealVNC. These vulnerabilities may expose the remote server to a new attack vector. The concern is greater in a cyber-physical system (CPS) in which a client device with a low trust level connects to the critical system via the remote desktop server. To mitigate this risk, in this paper we propose a network-based intrusion detection system (NIDS) specifically designed for securing remote desktop connections. The proposed method utilizes an innovative anomaly detection technique based on machine learning for detecting malicious TCP packets, which can carry exploits aimed at the RDP server. An empirical evaluation conducted on an avionic system setup consisting of a commercial tablet (Samsung Galaxy Tab) connected through a Virtual Network Computing (VNC) remote desktop implementation to a real electronic flight bag (EFB) server shows that the proposed method can detect malicious packets carrying real exploits (reported in recent years) with a true positive rate of 0.863 and a false positive rate of 0.0001.
