iDeFEND: Intrusion Detection Framework for Encrypted Network Data

  • Fatih Kilic
  • Claudia Eckert
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9476)


Network Intrusion Detection Systems have been used for many years to inspect network data and to detect intruders. Nowadays, encryption is used more and more often to protect the confidentiality of network data. When end-to-end encryption is applied, Network Intrusion Detection Systems are blind and cannot protect against attacks. In this paper we present iDeFEND, a framework for inspecting encrypted network data without breaking the security model of end-to-end encryption. Our approach does not require any source code of the involved applications and thereby also protects closed source applications. Our framework works independently of the utilized encryption key. We present two use cases: how our framework can detect intruders by analysing the network data, and how we can test remote applications with network data encryption enabled. To achieve this, iDeFEND detects the relevant functions in the target application, extracts the data and subsequently inspects it. To test remote applications, iDeFEND intercepts the data and injects user controlled data into the application. Finally, we have implemented our framework to show the feasibility of our approach.
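As an added illustration of the detection use case above (this is not the paper's code and not iDeFEND's implementation), the Python sketch below hooks the encrypt and decrypt entry points of a stand-in application so that signature rules run over the cleartext just before encryption and just after decryption. It assumes a hypothetical `TargetApp` whose encrypt/decrypt functions are known by name (the paper locates them in the binary by reverse engineering), a toy SHA-256 keystream XOR standing in for a real cipher, and constructed sample rules and traffic; the hooks never read the key, which is the property the abstract claims.

```python
"""Constructed illustration of iDeFEND's hook-and-inspect idea (not the
paper's code). A stand-in application encrypts outgoing records and decrypts
incoming ones; the detector hooks those two functions so it sees plaintext on
both sides of the cipher while never reading the key."""
import hashlib
import re
from typing import Callable, Dict, List, Pattern, Tuple


class TargetApp:
    """Hypothetical closed-source application. The SHA-256 keystream XOR is a
    toy stand-in for a real cipher, used only so that what reaches ``wire``
    is genuinely not plaintext."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.wire: List[bytes] = []  # records as they would leave the host

    def _keystream(self, n: int) -> bytes:
        out, counter = b"", 0
        while len(out) < n:
            out += hashlib.sha256(self._key + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:n]

    def encrypt(self, plaintext: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(plaintext, self._keystream(len(plaintext))))

    def decrypt(self, ciphertext: bytes) -> bytes:
        return self.encrypt(ciphertext)  # stream cipher: same operation both ways

    def send(self, plaintext: bytes) -> None:
        self.wire.append(self.encrypt(plaintext))

    def receive(self, ciphertext: bytes) -> bytes:
        return self.decrypt(ciphertext)


# Constructed sample signatures; a real deployment would load a proper rule set.
RULES: List[Tuple[str, Pattern[bytes]]] = [
    ("sqli-union-select", re.compile(rb"union\s+select", re.IGNORECASE)),
    ("path-traversal", re.compile(rb"(\.\./){2,}")),
]


def inspect(plaintext: bytes) -> List[str]:
    """Return the names of all rules that match the cleartext record."""
    return [name for name, pattern in RULES if pattern.search(plaintext)]


class BlockedRecord(Exception):
    """Raised by a hook in prevention mode so the record is not processed."""


AlertHandler = Callable[[str, str, bytes], None]  # (direction, rule, plaintext)


def install_hooks(app: TargetApp, on_alert: AlertHandler, block: bool = False) -> None:
    """Interpose on the app's encrypt/decrypt entry points. We assume their
    names are known and shadow them on the instance; the key stays untouched."""
    orig_encrypt, orig_decrypt = app.encrypt, app.decrypt

    def hooked_encrypt(plaintext: bytes) -> bytes:
        # Outbound: plaintext is visible just before it is encrypted.
        hits = inspect(plaintext)
        for rule in hits:
            on_alert("outbound", rule, plaintext)
        if hits and block:
            raise BlockedRecord(hits)
        return orig_encrypt(plaintext)

    def hooked_decrypt(ciphertext: bytes) -> bytes:
        # Inbound: plaintext is visible just after the app has decrypted it.
        plaintext = orig_decrypt(ciphertext)
        hits = inspect(plaintext)
        for rule in hits:
            on_alert("inbound", rule, plaintext)
        if hits and block:
            raise BlockedRecord(hits)
        return plaintext

    app.encrypt = hooked_encrypt  # type: ignore[method-assign]
    app.decrypt = hooked_decrypt  # type: ignore[method-assign]


def run_demo(block: bool = False) -> Dict[str, object]:
    """Drive the hooked app over constructed traffic and report what the
    detector saw. Both endpoints share a constructed key so the peer's
    ciphertext is decryptable; the hooks themselves never touch it."""
    alerts: List[Tuple[str, str]] = []
    app = TargetApp(key=b"constructed-demo-key")
    peer = TargetApp(key=b"constructed-demo-key")  # unhooked remote side
    install_hooks(app, lambda d, rule, _pt: alerts.append((d, rule)), block=block)

    blocked = 0
    outbound = [
        b"GET /index.html HTTP/1.1\r\n",
        b"GET /search?q=1' UNION SELECT password FROM users-- HTTP/1.1\r\n",
    ]
    for record in outbound:
        try:
            app.send(record)
        except BlockedRecord:
            blocked += 1

    inbound = peer.encrypt(b"POST /upload?name=../../etc/passwd HTTP/1.1\r\n")
    try:
        app.receive(inbound)
    except BlockedRecord:
        blocked += 1

    return {
        "alerts": alerts,
        "blocked": blocked,
        "records_on_wire": len(app.wire),
        "wire_is_ciphertext": all(r not in outbound for r in app.wire),
    }


if __name__ == "__main__":
    for direction, rule in run_demo()["alerts"]:
        print(f"ALERT {direction}: {rule}")
```

Two points worth noting from the sketch: the wire still carries only ciphertext, so end-to-end encryption is not weakened by the inspection; and because the hooks execute inside the application's own process, they are only as trustworthy as that process, and their coverage is exactly the rule set they are given.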


Keywords: Network security, Reverse engineering, Intrusion detection



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. Technische Universität München, Munich, Germany
