In the Line of Fire: Risks of DPI-triggered Data CollectionDownload PDFOpen Website

Ariana Mirian, Alisha Ukani, Ian D. Foster, Gautam Akiwate, Taner Halicioglu, Cynthia T. Moore, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage

Published: 01 Jan 2023, Last Modified: 30 Sept 2023CSET @ USENIX Security Symposium 2023Readers: Everyone
Abstract: Cybersecurity companies routinely rely on telemetry from inside customer networks to collect intelligence about new online threats. However, the mechanism by which such intelligence is gathered can itself create new security risks. In this paper, we explore one such subtle situation that arises from an intelligence gathering feature present in FireEye’s widely-deployed passive deep-packet inspection appliances. In particular, FireEye’s systems will report back to the company Web requests containing particular content strings of interest. Based on these reports, the company then schedules independent requests for the same content using distributed Internet proxies. By broadly scanning the Internet using a known trigger string we are able to reverse engineer how these measurements work. We show that these side-effects provide a means to empirically establish which networks and network links are protected by such appliances. Further, we also show how to influence the associatied proxies to issue requests to any URL.
0 Replies