Anomaly Detection in the Key-Management Interoperability Protocol Using Metadata

IEEE Open Journal of the Computer Society (2024)

Abstract
Large scale enterprise networks often use Enterprise Key-Management (EKM) platforms for unified management of cryptographic keys. In such a system, requests and responses commonly use the Key Management Interoperability Protocol (KMIP) format. The KMIP client and server use Transport Layer Security (TLS) to negotiate a mutually-authenticated connection. Although KMIP traffic is encrypted, monitoring traffic and usage patterns of EKM Systems (EKMS) may enable detection of anomalous (possibly malicious) activity in the enterprise network that is not detectable by other means. Metadata analysis of enterprise system traffic has been widely studied (for example at the TLS protocol level). However, KMIP metadata in EKMS has not been used for anomaly detection. In this paper, we present a framework for automated outlier rejection and anomaly detection. This involves investigation of KMIP metadata, determining characteristics to extract for dataset generation, and looking for patterns from which behaviors can be inferred. For automated labeling and detection, a deep learning-based model is applied to the generated datasets: Long Short-Term Memory (LSTM) auto-encoder neural networks with specific parameters. As a proof of concept, we simulated an enterprise environment, collected relevant KMIP metadata, and deployed this framework. Although our implementation used Quintessence Labs EKMS, the framework we proposed is vendor-neutral. The experimental results (Precision, Recall, F1 = 1.0) demonstrate that our framework can accurately detect all anomalous enterprise network activities. This approach could be integrated with other enterprise information to enhance detection capabilities. Our proposal can be used as a general-purpose framework for anomaly detection and diagnosis.
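The abstract describes the pipeline only at a high level: extract characteristics from KMIP request/response metadata, build per-window datasets, learn a model of normal behaviour, and flag windows that deviate. The following Python example is added here to show that shape end to end; it is not the paper's code nor the authors' or any vendor's implementation. It runs on constructed KMIP metadata records (timestamp, client, operation, result status; these field choices are assumptions about what a collector would log after TLS termination at the KMIP server). Where the paper scores windows with an LSTM auto-encoder, the example substitutes a per-feature z-score baseline as the scoring model so that it runs with the standard library alone; the precision, recall and F1 it computes describe the constructed data only, not the paper's reported result.

```python
"""KMIP metadata -> per-window feature vectors -> anomaly scores.

Added example (not the paper's code). The scoring model is a per-feature
z-score baseline standing in for the paper's LSTM auto-encoder.
"""
import math
import random
from collections import defaultdict

WINDOW_SECONDS = 60
# KMIP operation names as they appear in request headers; the subset is an assumption.
OPERATIONS = ["Create", "Get", "Locate", "Activate", "Revoke", "Destroy"]
FEATURES = OPERATIONS + ["distinct_clients", "failures"]


def synth_window(rng, start, anomalous=False):
    """Constructed KMIP metadata for one 60 s window.

    Each record is (timestamp, client_id, operation, result_status).
    Normal traffic: two application clients mostly fetching keys (Get/Locate)
    with an occasional Create. The anomalous window adds a burst of Get
    requests and failing Destroy requests from a single client."""
    records = []
    for client in ("app-01", "app-02"):
        for _ in range(rng.randint(8, 12)):
            records.append((start + rng.randint(0, WINDOW_SECONDS - 1), client, "Get", "Success"))
        for _ in range(rng.randint(2, 4)):
            records.append((start + rng.randint(0, WINDOW_SECONDS - 1), client, "Locate", "Success"))
        if rng.random() < 0.3:
            records.append((start + rng.randint(0, WINDOW_SECONDS - 1), client, "Create", "Success"))
    if anomalous:
        for _ in range(40):
            records.append((start + rng.randint(0, WINDOW_SECONDS - 1), "app-02", "Get", "Success"))
        for _ in range(6):
            records.append((start + rng.randint(0, WINDOW_SECONDS - 1), "app-02", "Destroy", "Operation Failed"))
    return records


def features(records):
    """Turn one window's records into a fixed-length feature vector (see FEATURES)."""
    counts = defaultdict(int)
    clients = set()
    failures = 0
    for _ts, client, op, status in records:
        counts[op] += 1
        clients.add(client)
        if status != "Success":
            failures += 1
    vec = [float(counts[op]) for op in OPERATIONS]
    vec.append(float(len(clients)))
    vec.append(float(failures))
    return vec


def fit_baseline(vectors):
    """Per-feature mean and population standard deviation learned from normal windows."""
    n = len(vectors)
    dim = len(vectors[0])
    mean = [sum(v[i] for v in vectors) / n for i in range(dim)]
    std = [math.sqrt(sum((v[i] - mean[i]) ** 2 for v in vectors) / n) for i in range(dim)]
    # A feature that never varies in training (e.g. Destroy count of 0) would give
    # a division by zero; treat one unit of deviation as one standard deviation.
    return mean, [s if s > 0 else 1.0 for s in std]


def score(vec, baseline):
    """Anomaly score: largest absolute z-score over all features."""
    mean, std = baseline
    return max(abs(v - m) / s for v, m, s in zip(vec, mean, std))


def top_feature(vec, baseline):
    """Name of the feature that contributes most to the score (useful for triage)."""
    mean, std = baseline
    zs = [abs(v - m) / s for v, m, s in zip(vec, mean, std)]
    return FEATURES[zs.index(max(zs))]


def precision_recall_f1(predicted, actual):
    tp = sum(1 for p, a in zip(predicted, actual) if p and a)
    fp = sum(1 for p, a in zip(predicted, actual) if p and not a)
    fn = sum(1 for p, a in zip(predicted, actual) if not p and a)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def run_demo(seed=7, n_train=50, n_test=20, anomalous_test=(5, 13), threshold=4.0):
    """Train on normal windows, score labelled test windows, return metrics and scores."""
    rng = random.Random(seed)
    train = [features(synth_window(rng, i * WINDOW_SECONDS)) for i in range(n_train)]
    baseline = fit_baseline(train)
    actual, predicted, scores = [], [], []
    for j in range(n_test):
        is_anom = j in anomalous_test
        vec = features(synth_window(rng, (n_train + j) * WINDOW_SECONDS, anomalous=is_anom))
        s = score(vec, baseline)
        scores.append(s)
        actual.append(is_anom)
        predicted.append(s > threshold)
    return precision_recall_f1(predicted, actual), scores


if __name__ == "__main__":
    (p, r, f1), window_scores = run_demo()
    print(f"precision={p:.2f} recall={r:.2f} f1={f1:.2f}")
    print("window scores:", [round(s, 1) for s in window_scores])
```

The threshold of 4.0 is a fixed choice for the constructed data; in practice it would be set from the distribution of scores on held-out normal windows, and the feature list extended with whatever the deployment's KMIP headers expose (object type, key attributes, response latency).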
Keywords
KMIP metadata analysis, deep learning, anomaly detection, enterprise key-management system, framework