
Researchers have developed a way to detect malware inside encrypted traffic


by sigismund » 2016-07-08 11:49:44


The probability of detecting malicious activity in encrypted traffic exceeds 90% on enterprise networks.


A group of researchers at Cisco has developed a way to identify malicious traffic inside a TLS connection. The researchers did not have to decrypt the data.

In the study, Blake Anderson, Subharthi Paul and David McGrew explain how traces of malicious activity can be detected in a TLS stream.

The researchers analysed thousands of samples from 18 malware families, tens of thousands of malicious packets and millions of encrypted packets intercepted on enterprise networks. They note that the detection method is intended for corporate networks only and is not suitable for Internet service providers.

Detection is based on the data that is available when network traffic is intercepted without being decrypted: the ClientHello and ServerHello messages, the TLS protocol version identifiers, flow metadata (number of bytes and packets transmitted, port numbers, connection duration), the sequence of packet lengths and inter-packet timing, the distribution of bytes within the stream, and information from the TLS headers.

According to the researchers, analysing the data flow is enough to detect the activity of most existing malware families. The family can also be determined from the structure of the transmitted data, even when the same TLS connection settings are used.

The algorithms described by the researchers reliably identify the activity of the following malware families: Bergat, Deshacop, Dridex, Dynamer, Kazy, Parite, Razy, Zedbot and Zusy.

The accuracy of identifying malicious traffic within the encrypted data reaches 90.3% per malware family when a single network flow is analysed, and 93.2% when the network flows within a 5-minute window are analysed.
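The feature set the post lists (ClientHello contents, TLS version, flow metadata, the sequence of packet lengths and inter-arrival gaps, and the byte distribution of the stream), extracted from one undecrypted TLS flow, as an added worked example. This is not code from the Cisco paper or from Cisco; the sample flow, port numbers, bin sizes and function names are my own assumptions, the ServerHello is a stand-in blob, and no classifier is included: the output is the per-flow feature vector such a classifier would be trained on.

```python
"""Added example: per-flow features for encrypted-traffic analysis (no decryption)."""
import math
import struct
from collections import Counter


def parse_client_hello(record: bytes) -> dict:
    """Return the version, cipher suites and extension types offered in a ClientHello.
    Expects one complete handshake record and raises ValueError on anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    ch = body[4:4 + hs_len]
    if len(ch) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    client_ver = (ch[pos], ch[pos + 1]); pos += 2
    pos += 32                                   # client random
    pos += 1 + ch[pos]                          # session id
    cs_len = struct.unpack("!H", ch[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", ch[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + ch[pos]                          # compression methods
    extensions = []
    if pos + 2 <= len(ch):
        end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
            extensions.append(etype)
            pos += 4 + elen
    return {"record_version": (record[1], record[2]), "client_version": client_ver,
            "cipher_suites": suites, "extensions": extensions}


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is uniform, which is what ciphertext looks like."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def flow_features(packets, src_port, dst_port, n_bins=10, max_len=1500, max_gap=1.0) -> dict:
    """packets: list of (timestamp_s, direction, payload) in capture order, direction 'c2s'/'s2c'.
    Packet lengths and inter-arrival gaps are quantised into n_bins buckets (bin sizes are an
    assumption) so the sequence can feed a classifier; ClientHello fields come from the first
    client packet; entropy is computed over application-data record bodies only."""
    ts = [t for t, _, _ in packets]
    lens = [len(p) for _, _, p in packets]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    app_bodies = b"".join(p[5:] for _, _, p in packets if p[:1] == b"\x17")
    hello = next(p for _, d, p in packets if d == "c2s")
    feats = {
        "src_port": src_port, "dst_port": dst_port,
        "n_packets": len(packets), "total_bytes": sum(lens),
        "c2s_bytes": sum(len(p) for _, d, p in packets if d == "c2s"),
        "s2c_bytes": sum(len(p) for _, d, p in packets if d == "s2c"),
        "duration": ts[-1] - ts[0],
        "len_bins": [min(n_bins - 1, l * n_bins // max_len) for l in lens],
        "gap_bins": [min(n_bins - 1, int(g * n_bins / max_gap)) for g in gaps],
        "app_data_entropy": byte_entropy(app_bodies),
    }
    feats.update(parse_client_hello(hello))
    return feats


def build_client_hello(client_ver, suites, extensions) -> bytes:
    """Assemble a minimal ClientHello record (used only to construct the sample flow)."""
    body = bytes(client_ver) + bytes(32) + b"\x00"           # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                       # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def _record(ctype: int, payload: bytes) -> bytes:
    return bytes([ctype, 3, 3]) + struct.pack("!H", len(payload)) + payload


# Constructed sample flow (not a real capture): a TLS 1.2 handshake followed by application
# data. bytes(range(256)) stands in for ciphertext, i.e. a uniform byte distribution.
SNI = b"\x00\x0e\x00\x00\x0b" + b"example.com"                # server_name extension body
SAMPLE_FLOW = [
    (0.000, "c2s", build_client_hello((3, 3), [0xC02F, 0xC030, 0x009C],
                                      [(0x0000, SNI), (0x000B, b"\x01\x00"),
                                       (0x000A, b"\x00\x02\x00\x17")])),
    (0.045, "s2c", _record(0x16, bytes(80))),                 # ServerHello stand-in
    (0.090, "c2s", _record(0x17, bytes(range(256)))),
    (0.300, "s2c", _record(0x17, bytes(range(256)) * 2)),
    (0.320, "c2s", _record(0x17, bytes(range(256)))),
]


def sample_features() -> dict:
    return flow_features(SAMPLE_FLOW, src_port=51234, dst_port=443)


if __name__ == "__main__":
    for k, v in sample_features().items():
        print(f"{k}: {v}")
```

Run it to print the feature vector for the constructed flow; on real traffic you would feed it the reassembled per-direction records of each TLS connection and use the per-flow dictionaries (and, per the post's 93.2% figure, the set of flows a host opens within a 5-minute window) as classifier input.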