Detecting Traffic in a VPN/SSL Protected Channel

Detecting VPN Users and Traffic

The increasing trend of encrypted traffic has led to more concern about both the security and privacy of data. The use of Secure Sockets Layer (SSL) has become widespread in order to provide authentication and encryption security service with minimal network overhead and cost. A method must be found that will enable detection of legitimate data while minimizing undesirable effects such as increased traffic and latency.

The proposed technique extracts the traffic features to classify whether network traffic is legitimate or not.  It’s suitable, potentially for most systems from detecting blacklilsted IPs accessing Instagram to media sites detecting ‘geo-spoofing’ VPNs on UK TV sites.

The system is also able to spot unusual traffic that does not follow the pattern of normal or normal user activity, and flags this as invalid.

Similar Work and Techniques

Though VPN services like TOR, Hotspot Shield, and others all have similar strategies in common, there are few that cannot be distinguished using a certain type of evaluation.  This is an evaluation based on detection not on which is the best VPN for watching the BBC!

Yamada et al. present a technique that infers aspects of the SSL connection being used on encrypted traffic using statistical analysis techniques. Other suggestions include a proposal of ‘ a man-in-the-middle’ approach to detect VPN traffic in the network.

Another technique used in SSL to detect VPN traffic is a deep packet inspection method that uses multiple sensors throughout the network.

Finally another option is to copy the entire connection traffic and use preshared secret to analyze any malicious traffic. One proposed system analyzes DNS records to identify malicious or illegitimate VPN server names.

Utilizing this novel approach of managing a connection by using the activity preceding the current connection, it is possible to detect and identify VPN traffic inside the network.

Forensics Analysis of VPN Clients

During a forensic analysis of VPN services, we analyzed their network traffic using several tools.
First, we used Wireshark or NetworkMiner to analyze the packets and then detailed each additional service below.

3.1. Hotspot Shield

Hotspot shield is one of the leading free VPN services, developed by AnchorFree.
In the VPN client version of this service, it was observed that once enabled, the service utilizes standard port 443 for HTTPS connections but generally connects to only one server. Hotspot Shield utilizes fake well-known server name in SSL certificates to bypass traffic from name-based filters over networks.

Hotspot Shield for Firefox can be detected by recognizing the domains it uses.

To detect Hotspot Shield traffic on a wired or wireless connection, you should look at port usage as well as domain querying.

3.2. ZenMate

ZenMate is a free VPN service developed by ZenGuard.

ZenMate provides a chrome-based add-on that uses standard https protocol and standard DNS queries. The only way to detect ZenMates inside the network is to identify domain names associated with them.

ZenMate changes domain names against the region selected by the user, but for a particular region, the server identifier of domain name may change but domain remains the same.

If a user is constantly changing locations, after some time when all available location are exhausted, then domains for each location can be used to prepare filters to identify ZenMate VPN

3.3. TOR Browser

TOR Browser is a tool for disguising the identity of its user.

In this article we review TOR itself and explore how it works on client machines.

TOR uses basic onion routing and sophisticated algorithms to generate traffic that is virtually untraceable by any other Web page visited through TOR.

3.4. Browsec VPN

Browsec VPN is a free browser extension which we’ve used in the past.
The only way to identify it from within an SSL traffic stream is by its domain names (to be determined).

3.5. Hoxx VPN

Hoxx VPN is a freely available service for Firefox users that can be downloaded as an addon. It uses standard HTTPS port and standard DNS lookups.

4. Proposed System

A proposed system can distinguish the normal flow of an Internet session from an abnormal one. The system classifies incoming data into multiple categories depending on the current state of connection.

Internet activity preceding our connection is also monitored to identify traffic as a VPN or simple Internet session.

4.1. Feature Extraction

To identify SSL traffic as being a VPN or not, we have to extract features from the traffic.

If you read the original study (referenced at the end) Figure 28 shows the basic data flow of the network traffic analyzer module in our system, which extracts N bytes for categorization purposes.

The analyzer extracts the following information:

4.1.2. Domain Name Server Analysis

Unencrypted traffic information is just as important in traffic characterization and behavior analysis of users as the encrypted traffic.

For any web request, generated by a user, a DNS request is initiated by the user’s browser to request the IP information of the server.

4.1.3. HTTPS Protocol Detection

The system then looks for HTTPS other than 443.

A lot of software and services use the technique to change their ports.

4.1.4. SSL Analysis

The proposed system detects that the data transmission is HTTPS and decodes SSL certificates.

There are 4 basic types of messages in SSL: (i) Handshake, (ii) Change Cipher Spec, (iii) Application data, and (iv) Alert

4.2. Traffic Classification

In Figure 29, we classify the incoming traffic as either normal or VPN connections only for TCP-based connections.

4.2.1. IP-Based Classification

New connections are checked against an IP list of TOR’s exit nodes and previously classified VPN servers.

4.2.2. Server Name-Based Classification

When an Internet service or website needs to be accessed, first its domain is converted into IP address.

Using this technique, we classify the standard domains against those used by VPN services.

4.2.3. No Server Name Analysis

If the given server name does not exist in our DNS list, we will search for connection information from a known IP address.

4.2.4. Server Name Analysis

The server name or domain name of the current connection is looked up against a list of well-known VPN servers.

The connecting client’s IP address is cross-referenced with a database of known VPN servers to identify any potential signs of a VPN encrypted connection.

5. System Evaluation

The deployment of our proposed solution, if used only for detection, will be low-latency and collected by an intermediary appliance.

Well-known VPN services which employ encrypted HTTPS protocols for communication analyzed.

5.1. Traffic Generation

Across multiple systems inside the network, VPN clients were installed and configured to generate traffic.

The activity was monitored by a VPN detector that raised an alert when it detected any traffic coming over one of the configured VPN connections.

5.2. Traffic Classification Alert

The alerts generated above for different VPN services were of different types depending upon the activities performed by the users.

The generated alerts by five of these users are shown in Table 3.

The alerts show the traffic classification of each type of VPN service used with respect to its unique characteristics.

6. Conclusion
Organizations may need to invest heavily on SSL-based proxies to manage their network, which can leave them at risk for VPN detection and blocking.

This paper proposes a lightweight approach to detect unwanted VPN clients inside an organization’s network that will help combat this vulnerability.

Full and original investigation – https://www.hindawi.com/journals/scn/2019/7924690/

Facebooktwitterlinkedininstagramflickrfoursquaremail

Leave a comment