Mining Digital Twins of a VPN Server

Andrea Pferscher; Benjamin Wunderling; Bernhard K. Aichernig; Edi Muškardin

Mining Digital Twins of a VPN Server

Andrea Pferscher^*, Benjamin Wunderling, Bernhard K. Aichernig, Edi Muškardin

^*Corresponding author for this work

Research output: Contribution to journal › Conference article › peer-review

Abstract

Virtual private networks (VPNs) are widely used to create a secure communication mode between multiple parties over an insecure channel. A common use case for VPNs is secure access to company networks. Therefore, bugs in VPN software are often severe. The Internet Key Exchange protocol (IKE) is a protocol in the Internet Protocol Security (IPsec) protocol suite used in VPNs. There are two version of IKE, IPsec-IKEv1 and the newer IPsec-IKEv2, with IPsec-IKEv1 still widely used in practice. While IPsec-IKEv2 has been investigated in the context of automata learning, no such work exists for IPsec-IKEv1. This paper closes the gap for the IPsec-IKEv1 protocol and shows the steps taken to learn a digital twin of an IPsec server using automata learning. We present and contrast two learned models of an IPsec server. Using learning, we also found security issues in encryption libraries.

Original language	English
Number of pages	11
Journal	CEUR Workshop Proceedings
Volume	3507
Publication status	Published - 2023
Event	2023 Workshop on Applications of Formal Methods and Digital Twins: FMDT 2023 - Lubeck, Germany Duration: 6 Mar 2023 → 6 Mar 2023

Keywords

active automata learning
digital twin
IPsec
model mining
VPN

ASJC Scopus subject areas

General Computer Science

Access to Document

https://ceur-ws.org/Vol-3507/paper6.pdfLicence: CC BY 4.0

Cite this

@article{3924604c9c954901933aa6d02c3fe8cb,

title = "Mining Digital Twins of a VPN Server",

abstract = "Virtual private networks (VPNs) are widely used to create a secure communication mode between multiple parties over an insecure channel. A common use case for VPNs is secure access to company networks. Therefore, bugs in VPN software are often severe. The Internet Key Exchange protocol (IKE) is a protocol in the Internet Protocol Security (IPsec) protocol suite used in VPNs. There are two version of IKE, IPsec-IKEv1 and the newer IPsec-IKEv2, with IPsec-IKEv1 still widely used in practice. While IPsec-IKEv2 has been investigated in the context of automata learning, no such work exists for IPsec-IKEv1. This paper closes the gap for the IPsec-IKEv1 protocol and shows the steps taken to learn a digital twin of an IPsec server using automata learning. We present and contrast two learned models of an IPsec server. Using learning, we also found security issues in encryption libraries.",

keywords = "active automata learning, digital twin, IPsec, model mining, VPN",

author = "Andrea Pferscher and Benjamin Wunderling and Aichernig, {Bernhard K.} and Edi Mu{\v s}kardin",

note = "Publisher Copyright: {\textcopyright} 2023 CEUR-WS. All rights reserved.; 2023 Workshop on Applications of Formal Methods and Digital Twins : FMDT 2023 ; Conference date: 06-03-2023 Through 06-03-2023",

year = "2023",

language = "English",

volume = "3507",

journal = "CEUR Workshop Proceedings",

issn = "1613-0073",

publisher = "RWTH Aachen",

}

TY - JOUR

T1 - Mining Digital Twins of a VPN Server

AU - Pferscher, Andrea

AU - Wunderling, Benjamin

AU - Aichernig, Bernhard K.

AU - Muškardin, Edi

PY - 2023

Y1 - 2023

N2 - Virtual private networks (VPNs) are widely used to create a secure communication mode between multiple parties over an insecure channel. A common use case for VPNs is secure access to company networks. Therefore, bugs in VPN software are often severe. The Internet Key Exchange protocol (IKE) is a protocol in the Internet Protocol Security (IPsec) protocol suite used in VPNs. There are two version of IKE, IPsec-IKEv1 and the newer IPsec-IKEv2, with IPsec-IKEv1 still widely used in practice. While IPsec-IKEv2 has been investigated in the context of automata learning, no such work exists for IPsec-IKEv1. This paper closes the gap for the IPsec-IKEv1 protocol and shows the steps taken to learn a digital twin of an IPsec server using automata learning. We present and contrast two learned models of an IPsec server. Using learning, we also found security issues in encryption libraries.

AB - Virtual private networks (VPNs) are widely used to create a secure communication mode between multiple parties over an insecure channel. A common use case for VPNs is secure access to company networks. Therefore, bugs in VPN software are often severe. The Internet Key Exchange protocol (IKE) is a protocol in the Internet Protocol Security (IPsec) protocol suite used in VPNs. There are two version of IKE, IPsec-IKEv1 and the newer IPsec-IKEv2, with IPsec-IKEv1 still widely used in practice. While IPsec-IKEv2 has been investigated in the context of automata learning, no such work exists for IPsec-IKEv1. This paper closes the gap for the IPsec-IKEv1 protocol and shows the steps taken to learn a digital twin of an IPsec server using automata learning. We present and contrast two learned models of an IPsec server. Using learning, we also found security issues in encryption libraries.

KW - active automata learning

KW - digital twin

KW - IPsec

KW - model mining

KW - VPN

UR - http://www.scopus.com/inward/record.url?scp=85175944724&partnerID=8YFLogxK

M3 - Conference article

AN - SCOPUS:85175944724

SN - 1613-0073

VL - 3507

JO - CEUR Workshop Proceedings

JF - CEUR Workshop Proceedings

T2 - 2023 Workshop on Applications of Formal Methods and Digital Twins

Y2 - 6 March 2023 through 6 March 2023

ER -

Mining Digital Twins of a VPN Server

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this