Abstract
In recent times, secure communication protocols over web such as HTTPS (Hypertext Transfer Protocol Secure) are being widely used instead of plain web communication protocols like HTTP (Hypertext Transfer Protocol). HTTPS provides end-to-end encryption between the user and service. Nowadays, organizations use network firewalls and/or intrusion detection and prevention systems (IDPS) to analyze the network traffic to detect and protect against attacks and vulnerabilities. Depending on the size of organization, these devices may differ in their capabilities. Simple network intrusion detection system (NIDS) and firewalls generally have no feature to inspect HTTPS or encrypted traffic, so they rely on unencrypted traffic to manage the encrypted payload of the network. Recent and powerful next-generation firewalls have Secure Sockets Layer (SSL) inspection feature which are expensive and may not be suitable for every organizations. A virtual private network (VPN) is a service which hides real traffic by creating SSL-protected channel between the user and server. Every Internet activity is then performed under the established SSL tunnel. The user inside the network with malicious intent or to hide his activity from the network security administration of the organization may use VPN services. Any VPN service may be used by users to bypass the filters or signatures applied on network security devices. These services may be the source of new virus or worm injected inside the network or a gateway to facilitate information leakage. In this paper, we have proposed a novel approach to detect VPN activity inside the network. The proposed system analyzes the communication between user and the server to analyze and extract features from network, transport, and application layer which are not encrypted and classify the incoming traffic as malicious, i.e., VPN traffic or standard traffic. Network traffic is analyzed and classified using DNS (Domain Name System) packets and HTTPS- (Hypertext Transfer Protocol Secure-) based traffic. Once traffic is classified, the connection based on the server’s IP, TCP port connected, domain name, and server name inside the HTTPS connection is analyzed. This helps in verifying legitimate connection and flags the VPN-based traffic. We worked on top five freely available VPN services and analyzed their traffic patterns; the results show successful detection of the VPN activity performed by the user. We analyzed the activity of five users, using some sort of VPN service in their Internet activity, inside the network. Out of total 729 connections made by different users, 329 connections were classified as legitimate activity, marking 400 remaining connections as VPN-based connections. The proposed system is lightweight enough to keep minimal overhead, both in network and resource utilization and requires no specialized hardware.
Highlights
To enable the communication between the computers, TCP/ IP stack was implemented. e stack was implemented without the consideration of security of information being transferred in the communication [1]. is issue raised a lot of security concerns which are constantly managed by di erent security services [2]
A user using Virtual private network (VPN) service connects to a VPN server using normal Transport Layer Security (TLS) connection outside the network. It requests the website or service from the server [9, 10]. e VPN server originates the request on behalf of the user to the server requested. e encrypted response is sent to the user on already established channel; as a result, the whole activity passes any filter on the network firewall
A VPN service inside an organization may generally be used by an individual to hide the real communication. is communication may be harmful or damage the organization, and the organization may not allow such communication over its monitored network
Summary
To enable the communication between the computers, TCP/ IP stack was implemented. e stack was implemented without the consideration of security of information being transferred in the communication [1]. is issue raised a lot of security concerns which are constantly managed by di erent security services [2]. Secure Sockets Layer (SSL) is commonly used to provide authentication and encryption security service in TCP/IP stack [3]. A user using VPN service connects to a VPN server using normal Transport Layer Security (TLS) connection outside the network. E encrypted response is sent to the user on already established channel; as a result, the whole activity passes any filter on the network firewall. Such techniques may be used by the users which aim to hide from or deceive the organization of their Internet activity [9]. More traffic-characterizing features may be added to identify more applications
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
