SECURE NETWORK COMMUNICATION ACROSS THE INTERNET

Research Project
Department of Computer Science, University of York

ABOUT THE PROJECT

Our project focuses on secure communication between different networks. We intend to demonstrate existing weaknesses in secure internetworking and propose new protocols to facilitate secure Internet-based communication.

As part of our research, we analyse existing Internet topology, investigate existing security vulnerabilities and explore Virtual Private Networks (VPNs) and next-generation Internet architectures in the delivery of secure Internet-based communication, overcoming existing limitations and improving the Internet for users.

An overview of our research project approach: we investigate both the technical and political aspects of Internet architecture.

PROJECT MOTIVATION

INTERNET DRIVES ECONOMIES

The Internet is used regularly by over 92% of adults in the UK [1], and is tied to the success of financial markets and financial institutions [2].

REMOTE WORK SHOWS INSECURITY

A widespread move to hybrid and remote working has highlighted a number of substantial deficiencies in organisational networking and security infrastructure [3].

Mind map of BGP attacks, with branches for congestion, black hole, delay, hijacking, spoofing, instability, eavesdropping, looping and starvation.

INTERNET ROUTING HAS SIGNIFICANT VULNERABILITIES

Packet routing across the Internet is facilitated by the Border Gateway Protocol (BGP), introduced in 1989 [4]. The latest specification, BGP-4, has been in operation since 1995 [5], but continues to have many widely known vulnerabilities [6]-[10].

Despite these vulnerabilities, replacement protocols or adaptations/security extensions, like S-BGP, BGPsec and RPKI, are not widely adopted.

PRIVACY BY VPN...

Virtual Private Networks (VPNs) are widely used across enterprises to protect confidential information, and by individuals to preserve their privacy.

...MIGHT BE POSSIBLE TO BREAK

We're starting to break VPN confidentiality with machine learning. It's been shown that we can determine the applications and protocols in use over a VPN tunnel [11]-[12].

WHY ARE SOLUTIONS NOT ADOPTED?

Diagram listing security solutions for BGP (RPKI, BGPsec, soBGP, IRV, psBGP, NGI) with an arrow to the question "Why?", with three bullet points: "who are the key stakeholders in the Internet?", "What are their motives?", and "How do these relate to the development of the Internet?"

We are currently investigating why BGP speakers do not adopt solutions that improve security and routing efficiency, such as BGP-based protocols for route-origin verification or path verification. We are doing this by analysing the Internet's topology, identifying key stakeholders and connections, and examining how Internet architecture has influenced topology, alongside consideration of political factors.

What we have observed so far is particularly interesting: our approach has enabled us to visually observe a splintering Internet and allows us to measure the level of Internet fragmentation. Our methodology could potentially also be applied to investigate the Internet's topology over time, or to simulate changes to the Internet topology (such as a change of architecture) as applied to any given point in time.

OUR CONTRIBUTION

We have conceived an Internet topology modelling approach that allows for Internet analysis at fixed points in time, mapping Internet resource registration data, and in future capturing smaller prefix spaces and geolocation to provide a fine-grained model of the Internet.

DEMONSTRATING THE PROBLEM

A network diagram highlighting a compromised BGP router sat between a source and destination network.

It has been shown that classification models applied to encrypted network packets or encrypted packet flow data can recover information, to varying degrees of specificity, about the original unencrypted traffic. In [11], this includes the type of application (eight classification categories, such as data transfer and VoIP). In [12], this extends to 20-class classification of the applications in use (for instance, Twitter, Google Drive, Reddit), with scope to raise the number of categories with an increased dataset size. Separate work furthers this by demonstrating that encrypted network traffic over QUIC can also be split into different application categories [13]. Under almost any definition of secure (for demonstrative purposes, we can use confidential, integral and available), traffic is therefore no longer confidential if we can identify its nature, be it the encapsulated applications or protocols.
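What stays observable after encryption, and what removing it costs: the added example below (not the project's code) computes time- and size-based flow features of the kind named in the title of [11] for two constructed flows, then re-emits each flow as fixed-size cells on a fixed clock so the features coincide. The feature selection, the flow data and the shaping parameters are assumptions, and constant-rate shaping is a generic mitigation used for illustration, not the adversarial-ML defence the project proposes.

```python
from statistics import mean, pstdev

# Constructed flows as (timestamp in seconds, ciphertext size in bytes).
VOIP_LIKE = [(i * 0.02, 160) for i in range(50)]  # steady small packets
BULK_LIKE = [(i * 0.001 + (i // 10) * 0.2, 1400) for i in range(40)]  # bursts


def flow_features(packets):
    """Time- and size-based features visible to anyone on the path."""
    times = [t for t, _ in packets]
    sizes = [s for _, s in packets]
    gaps = [b - a for a, b in zip(times, times[1:])]  # inter-arrival times
    duration = times[-1] - times[0]
    return {
        "duration_s": round(duration, 3),
        "iat_mean_s": round(mean(gaps), 4),
        "iat_std_s": round(pstdev(gaps), 4),
        "size_mean_b": round(mean(sizes), 1),
        "bytes_per_s": round(sum(sizes) / duration, 1),
    }


def shape(packets, window=1.0, interval=0.01, cell=1200):
    """Re-emit a flow as fixed-size cells on a fixed clock, padded with dummies."""
    slots = round(window / interval)
    if sum(size for _, size in packets) > slots * cell:
        raise ValueError("payload exceeds the shaped tunnel's capacity")
    start = packets[0][0]
    return [(start + i * interval, cell) for i in range(slots)]


def overhead(packets, **kw):
    """Bytes sent after shaping divided by bytes of real payload."""
    shaped = shape(packets, **kw)
    return round(sum(s for _, s in shaped) / sum(s for _, s in packets), 2)


if __name__ == "__main__":
    for name, flow in (("voip-like", VOIP_LIKE), ("bulk-like", BULK_LIKE)):
        print(name, flow_features(flow))
        print(name, "shaped", flow_features(shape(flow)), "x", overhead(flow))
```

The unshaped flows differ in every feature, while the shaped ones are identical; the price is the bandwidth overhead that `overhead` reports, which is highest for the low-volume flow.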

The conditions for these attacks can be formulated under BGP. We can perform traffic interception or hijacking by introducing ourselves as a 'man in the middle' using BGP (highlighted as router 2, above). A brief overview of this is present at the start of [6], published at the IETF (and in wider literature). This has also been observed in practice: a recent example is Rostelecom (a Russian state-affiliated ISP) hijacking traffic from Mastercard, Visa and major banks in January.

Thus, although it requires the ability to broadcast BGP messages and the capacity to receive the intercepted traffic, it is possible to conduct a man-in-the-middle attack using BGP, and then analyse the intercepted VPN traffic observed at the BGP router using the approach above.

OUR CONTRIBUTION

We intend to develop a more fine-grained encrypted traffic classification model for a variety of VPN types and present a generalised approach to encrypted traffic classification. We then hope to develop defence schemes (using adversarial attacks against machine learning classification models) to enhance the security of VPN protocols, with the ultimate objective of using this knowledge to enhance future Internet protocols.

IMPLEMENTING A SOLUTION

We think that political constraints have prevented improvement in Internet routing protocols. Alternatives to BGP routing exist, but have not been widely adopted, potentially because of political considerations, government policies or limited industrial motivation. We're currently investigating Internet governance, the emergence of state sovereignty within the Internet, and understanding key Internet stakeholders and holders of power.

We are hoping to engage with network operators, service and content providers to understand the political dynamics of the Internet, and we are currently investigating borders, sovereignty and power within the Internet through BGP peer mapping.

RESEARCH TEAM

Josh Levett

Dr Vasileios Vasilakis

Dr Poonam Yadav

CONTACT US

Interested in partnering with us? We are open to academic and industry partners and sponsors. We'd be more than happy to talk to you, please get in touch.

REFERENCES

[1] Office for National Statistics, ‘Internet users, UK: 2020’, Apr. 2021. [Online]. Available: https://www.ons.gov.uk/businessindustryandtrade/itandinternetindustry/bulletins/internetusers/2020

[2] C. Phuc Nguyen, T. Dinh Su, and N. Doytch, ‘The drivers of financial development: Global evidence from internet and mobile usage’, Information Economics and Policy, vol. 53, p. 100892, Dec. 2020, doi: 10.1016/j.infoecopol.2020.100892

[3] M. Cooney, “Coronavirus challenges remote networking,” Network World, Mar. 2020. [Online]. Available: https://www.networkworld.com/article/3532440/coronavirus-challenges-remote-networking.html

[4] ‘Border Gateway Protocol (BGP)’, Internet Engineering Task Force, Request for Comments RFC 1105, Jun. 1989. doi: 10.17487/RFC1105. 

[5] ‘A Border Gateway Protocol 4 (BGP-4)’, Internet Engineering Task Force, Request for Comments RFC 1771, Mar. 1995. doi: 10.17487/RFC1771. 

[6] S. L. Murphy, ‘BGP Security Vulnerabilities Analysis’, Internet Engineering Task Force, Request for Comments RFC 4272, Jan. 2006. doi: 10.17487/RFC4272. 

[7] S. Bakkali, H. Benaboud, and M. Ben Mamoun, ‘Security problems in BGP: An overview’, in 2013 National Security Days (JNS3), Apr. 2013, pp. 1–5. doi: 10.1109/JNS3.2013.6595458. 

[8] K. Butler, T. R. Farley, P. McDaniel, and J. Rexford, ‘A Survey of BGP Security Issues and Solutions’, Proc. IEEE, vol. 98, no. 1, pp. 100–122, Jan. 2010, doi: 10.1109/JPROC.2009.2034031. 

[9] G. Huston, M. Rossi, and G. Armitage, ‘Securing BGP — A Literature Survey’, IEEE Commun. Surv. Tutor., vol. 13, no. 2, pp. 199–222, 2011, doi: 10.1109/SURV.2011.041010.00041. 

[10] M. O. Nicholes and B. Mukherjee, ‘A survey of security techniques for the border gateway protocol (BGP)’, IEEE Commun. Surv. Tutor., vol. 11, no. 1, pp. 52–65, 2009, doi: 10.1109/SURV.2009.090105.

[11] G. Draper-Gil, A. H. Lashkari, M. S. I. Mamun, and A. A. Ghorbani, ‘Characterization of Encrypted and VPN Traffic using Time-related Features’, in Proceedings of the 2nd International Conference on Information Systems Security and Privacy, Rome, Italy: SCITEPRESS - Science and Technology Publications, 2016, pp. 407–414. doi: 10.5220/0005740704070414.

[12] S. Jorgensen et al., ‘Extensible Machine Learning for Encrypted Network Traffic Application Labeling via Uncertainty Quantification’. arXiv, May 11, 2022. Accessed: Jan. 25, 2023. [Online]. Available: http://arxiv.org/abs/2205.05628.

[13] S. Rezaei and X. Liu, ‘How to Achieve High Classification Accuracy with Just a Few Labels: A Semi-supervised Approach Using Sampled Packets’. arXiv, May 16, 2020. Accessed: Jan. 25, 2023. [Online]. Available: http://arxiv.org/abs/1812.09761.