Gaining reliable endpoint awareness in a network security solution
Heino, Jenny (2025-05-09)
University of Turku
The permanent address of the publication is:
https://urn.fi/URN:ISBN:978-952-02-0085-5
Abstract
The field of network security has been going through a significant evolution during recent years. Services that used to be run locally by organizations, such as email servers and office solutions, have largely been transformed into cloud services. In addition, the amount of remote work has increased considerably, mostly due to the COVID-19 pandemic which forced network users to become remote almost overnight. The separation of good and bad network traffic has become increasingly difficult, and the appearance of false positive and false negative security events is unacceptably frequent. Network security solutions are forced to produce innovative approaches for providing reliable protection for their users.
This thesis focuses on the concept of improving the traffic inspection process of a network security solution with endpoint awareness. There are three main contributions in this thesis. The first contribution is in providing a comprehensive understanding of how a network security solution can gain endpoint awareness. A patent is included in the thesis, introducing a novel, concrete way of gaining further awareness of the endpoint based on the information stored in the extensions included in the handshake process of an encrypted TLS connection. This method has already been implemented in the Forcepoint Network Security Platform and has proven to be a valuable addition to the product. In addition, a study is performed on existing methods of gaining endpoint awareness, in which both active and passive methods are examined, as well as the state of the art in different network security solutions. The second contribution is in introducing well-rationalized improvements to the existing hash fingerprinting algorithms. An update is proposed for these algorithms in which the pre-hash string is used as the fingerprint instead of the final hash value. Experiments are performed using machine learning on the pre-hash strings for endpoint awareness, showing promising results. The third contribution is in defining two concrete methodologies for implementing endpoint awareness in a network security solution. The efficacy of the second methodology, entitled JAPPI, is evaluated in a larger-scale experiment. The model performed exceptionally well, with 99.5% coverage, demonstrating that it provides an excellent means for introducing endpoint awareness into the inspection process of a network security solution.
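As an added illustration (not part of the thesis or of any Forcepoint code), the following Python sketch contrasts a hash fingerprint with its pre-hash string, the distinction the second contribution rests on: two constructed ClientHellos that differ by a single extension produce unrelated MD5 values, while their pre-hash strings stay nearly identical and can be compared field by field. The JA3-style field layout, the GREASE filtering and the per-field Jaccard score are assumptions of this example; the abstract does not name a specific fingerprinting algorithm.

```python
import hashlib
from dataclasses import dataclass
from typing import List

# GREASE values (RFC 8701) are randomised per connection; JA3-style fingerprints
# drop them so they do not destabilise the pre-hash string or the hash.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


@dataclass
class ClientHello:
    """Fields of a parsed TLS ClientHello that a JA3-style fingerprint uses."""
    version: int
    ciphers: List[int]
    extensions: List[int]
    curves: List[int]
    point_formats: List[int]


def pre_hash_string(ch: ClientHello) -> str:
    """Build the JA3-style 'version,ciphers,extensions,curves,formats' string."""
    def join(values: List[int]) -> str:
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(ch.version), join(ch.ciphers), join(ch.extensions),
                     join(ch.curves), join(ch.point_formats)])


def hash_fingerprint(ch: ClientHello) -> str:
    """Classic hash fingerprint: MD5 over the pre-hash string, structure lost."""
    return hashlib.md5(pre_hash_string(ch).encode("ascii")).hexdigest()


def pre_hash_similarity(a: str, b: str) -> float:
    """Mean per-field Jaccard similarity of two pre-hash strings (0.0 .. 1.0)."""
    scores = []
    for fa, fb in zip(a.split(","), b.split(",")):
        sa, sb = set(fa.split("-")) - {""}, set(fb.split("-")) - {""}
        scores.append(1.0 if not (sa | sb) else len(sa & sb) / len(sa | sb))
    return sum(scores) / len(scores)


# Constructed sample ClientHellos (not captured traffic): B omits only the
# padding extension (21) and carries different GREASE values than A.
CLIENT_A = ClientHello(771, [0x2A2A, 4865, 4866, 4867, 49195, 49199],
                       [0x3A3A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 21],
                       [0x1A1A, 29, 23, 24], [0])
CLIENT_B = ClientHello(771, [0x4A4A, 4865, 4866, 4867, 49195, 49199],
                       [0x5A5A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27],
                       [0x6A6A, 29, 23, 24], [0])

if __name__ == "__main__":
    print(hash_fingerprint(CLIENT_A), hash_fingerprint(CLIENT_B))
    print(round(pre_hash_similarity(pre_hash_string(CLIENT_A), pre_hash_string(CLIENT_B)), 3))
```

The hashes give a detector only an equality test, so the one-extension change is a complete miss; the pre-hash strings score about 0.987 and can be fed to a classifier as features, which is the property the thesis exploits.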