Encrypted Traffic Analysis: Use Cases & Security Challenges


The EU Agency for Cybersecurity explores encrypted traffic analysis’ use cases and identifies security challenges & opportunities

The objective of the ENISA report Encrypted Traffic Analysis is to highlight an oxymoron: the disruptive effects that encryption has on network security. It examines whether Machine Learning (ML) and Artificial Intelligence (AI) techniques can be a useful alternative for network administrators and security professionals, offering encrypted traffic analysis capabilities without requiring access to decrypted packet payload. It also discusses the privacy dangers introduced by the inappropriate use of ML and AI, alerting decision makers to potential risks that may lie in the future.

Background

The introduction of network traffic encryption has significantly improved communication security and user privacy. When using technologies like Transport Layer Security (TLS), most internet users assume that third parties cannot gain access to their communications, and companies rest assured that their transactions are safe from interference and eavesdropping.

However, widespread network traffic encryption has reduced the ability of network administrators to monitor their infrastructures, crippling their success in dealing with malicious traffic and sensitive data exfiltration and forcing them to resort to traffic decryption through proxies.

Research in ML and AI has provided us with useful tools for combating cyberattacks. At the same time, these new capabilities can be misused to lower user privacy, sometimes even with encryption employed.

Scope of the report

The new report explores the current state of affairs in Encrypted Traffic Analysis.

To that purpose, research and methods are evaluated through the following essential use cases:

  • Application identification;
  • Network analytics;
  • User information identification;
  • Detection of encrypted malware;
  • File/Device/Website/Location fingerprinting;
  • DNS tunnelling detection.

The analysis of these use cases shows that the techniques presented are very promising. While not achieving the same level of confidence as with analysing unencrypted data, in some scenarios the benefits might outweigh the loss in detection accuracy.

The report highlights how the misuse of ML and AI techniques can lower privacy expectations for users, even though they might use strong encryption. One of these techniques is fingerprinting. Certain properties of encrypted data may allow the creation of data records mapping the properties to corresponding files or websites, providing ways to infer which files, songs, videos, etc. a user is requesting, even though the traffic itself is properly encrypted.
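The following is an added example, not code from the ENISA report: it shows in miniature how the metadata of encrypted traffic (TLS record lengths and direction, with no payload access) can fingerprint which resource a client fetched, and how padding records to a fixed size and count degrades that fingerprint. The reference flows, the observed flow, the resource names and the padding parameters are all constructed for illustration; a real deployment would build its reference table from labelled captures.

```python
"""Added example (not part of the ENISA report): how encrypted-traffic
metadata alone can fingerprint which resource a client fetched, and how
padding reduces that leakage. The reference flows below are constructed."""
from itertools import combinations

# Constructed reference captures. Each value is the sequence of TLS record
# lengths seen on one connection: negative = client-to-server, positive =
# server-to-client. No payload is needed; only sizes and direction.
REFERENCE_FLOWS = {
    "index.html": [-517, 1400, 1400, 842],
    "logo.png":   [-517, 1400, 1400, 1400, 1400, 230],
    "api/login":  [-611, 1400, 93],
}


def flow_distance(a, b):
    """Sum of absolute size differences, position by position.
    Shorter flows are extended with zero-length records so the comparison
    also penalises a different record count."""
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a))
    b = b + [0] * (n - len(b))
    return sum(abs(x - y) for x, y in zip(a, b))


def fingerprint(observed, references):
    """Nearest-neighbour match: return (resource name, distance) of the
    reference flow closest to the observed record sequence."""
    best = min(references, key=lambda name: flow_distance(observed, references[name]))
    return best, flow_distance(observed, references[best])


def ambiguous_pairs(references):
    """Number of pairs of distinct resources whose reference flows are
    identical; these cannot be told apart from metadata alone."""
    return sum(1 for a, b in combinations(references, 2) if references[a] == references[b])


def pad_flow(sizes, bucket=1400, min_records=6):
    """Defensive transform: round every record up to a multiple of `bucket`
    and append dummy server records until `min_records` are present, so
    neither size nor record count distinguishes resources (at a bandwidth cost)."""
    padded = []
    for s in sizes:
        rounded = -(-abs(s) // bucket) * bucket   # ceiling to the bucket size
        padded.append(rounded if s > 0 else -rounded)
    while len(padded) < min_records:
        padded.append(bucket)                      # dummy full-size record
    return padded


def overhead_bytes(sizes, bucket=1400, min_records=6):
    """Extra bytes the padding scheme costs for one flow."""
    return sum(abs(s) for s in pad_flow(sizes, bucket, min_records)) - sum(abs(s) for s in sizes)


if __name__ == "__main__":
    observed = [-517, 1400, 1400, 850]   # constructed: a fetch of index.html with slight size jitter
    print("unpadded guess:", fingerprint(observed, REFERENCE_FLOWS))
    padded_refs = {name: pad_flow(flow) for name, flow in REFERENCE_FLOWS.items()}
    print("identical reference pairs after padding:", ambiguous_pairs(padded_refs))
    print("padded guess:", fingerprint(pad_flow(observed), padded_refs))
    print("padding overhead for index.html:", overhead_bytes(REFERENCE_FLOWS["index.html"]), "bytes")
```

Without padding the observed flow matches `index.html` at a distance of 8 bytes even though every byte of payload is encrypted; after padding, all three reference flows collapse to the same sequence, so a nearest-neighbour match is no better than a guess. The price is visible in `overhead_bytes`, which is why padding is a policy decision rather than a free fix.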

The report also identifies common TLS misconfigurations and bad practices that endanger the confidentiality of communications and users’ privacy, and urges administrators to follow simple countermeasures like:

  • Certificate validation and pinning;
  • Minimizing exposed data over HTTP redirects;
  • Deprecating older certificates;
  • Usage of certificate signing and trusted CAs; etc.
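As an added example (not code from the ENISA report), the block below shows what the first and third countermeasures look like on the client side using only the Python standard library: a hardened `SSLContext` next to the misconfigured one the report warns about, an audit function that flags the difference, a certificate pin check, and an expiry check for retiring older certificates. Whole-certificate pins are used rather than SPKI pins because the standard library cannot parse DER; that choice, the function names and the constructed certificate bytes are assumptions of this example. Only `connect_and_verify` needs a network.

```python
"""Added example (not from the ENISA report): client-side checks for
certificate validation, pinning and expiry using only the standard library.
Pins are over the whole DER certificate (an assumption of this example;
SPKI pins need a DER parser). Constructed inputs are labelled as such."""
import base64
import hashlib
import socket
import ssl
import time


def hardened_context():
    """Verify the chain against the system trust store, check the hostname,
    and refuse TLS versions older than 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context():
    """The misconfiguration the report warns about: no chain or hostname
    validation. Present only so audit_context has a negative case."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the list of weaknesses found in an SSLContext (empty = clean)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


def compute_pin(cert_der):
    """'sha256/<base64>' pin over the DER-encoded certificate."""
    return "sha256/" + base64.b64encode(hashlib.sha256(cert_der).digest()).decode()


def pin_matches(cert_der, expected_pins):
    """True when the presented certificate matches one of the operator's pins.
    Keep at least one backup pin so a planned rotation does not lock users out."""
    return compute_pin(cert_der) in set(expected_pins)


def days_until_expiry(not_after, now=None):
    """`not_after` in the format of getpeercert()['notAfter'],
    e.g. 'Jan  1 00:00:00 2030 GMT'. Negative means already expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def connect_and_verify(host, expected_pins, port=443, timeout=5):
    """Open a TLS connection with the hardened context and apply the pin and
    expiry checks to the leaf certificate. Returns a dict of results."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
            result = {
                "tls_version": tls.version(),
                "pin_ok": pin_matches(der, expected_pins),
                "days_left": days_until_expiry(info["notAfter"]),
            }
    return result


if __name__ == "__main__":
    print("hardened context findings:", audit_context(hardened_context()))
    print("weak context findings:", audit_context(weak_context()))
    # constructed stand-in for DER certificate bytes; real pins come from the operator's certificate
    fake_der = b"constructed-certificate-bytes"
    print("pin:", compute_pin(fake_der), "matches:", pin_matches(fake_der, [compute_pin(fake_der)]))
    print("days left on a 2030 certificate:", round(days_until_expiry("Jan  1 00:00:00 2030 GMT")))
```

Note the ordering in `weak_context`: `check_hostname` has to be cleared before `verify_mode` can be set to `CERT_NONE`, which is exactly the two-step change that quietly turns a validating client into a non-validating one in a lot of "just make the error go away" patches; `audit_context` is the kind of check worth running over every context a code base creates.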

These misconfigurations, which are often easily fixed, deter users from trusting online services and make them avoid online transactions, negatively affecting the Digital Single Market.

Further Information:

ENISA Report - Encrypted Traffic Analysis