Detecting Encrypted Malware Traffic (Without Decryption)
In2an3_PpG wrote:

Older blog but a good read.

Detecting Encrypted Malware Traffic (Without Decryption)
https://blogs.cisco.com/security/detecting-encrypted-malware-traffic-without-decryption

Introduction

Over the past 2 years, we have been systematically collecting and analyzing malware-generated packet captures. During this time, we have observed a steady increase in the percentage of malware samples using TLS-based encryption to evade detection. In August 2015, 2.21% of the malware samples used TLS, increasing to 21.44% in May 2017. During that same time frame, 0.12% of the malware samples used TLS and made no unencrypted connections with HTTP, increasing to 4.45%.

Identifying threats contained within encrypted network traffic poses a unique set of challenges. It is important to monitor this traffic for threats and malware, but do so in a way that maintains the privacy of the user. Because pattern matching is less effective in the presence of TLS sessions, we needed to develop new methods that can accurately detect malware communication in this setting [1,2,3]. To this end, we used the flow's individual packet lengths and inter-arrival times to understand the behavioral characteristics of the transmitted data, and we used the TLS metadata contained in the ClientHello to understand the TLS client that is transmitting the data. We combine both of these views in a supervised machine learning framework allowing us to detect both known and unknown threats in TLS communication.

As an overview, Figure 1 provides a simplified view of a TLS session. In TLS 1.2 [4], the majority of the interesting TLS handshake messages are unencrypted, and are displayed in red in Figure 1. All of the TLS-specific information that we use for classification comes from the ClientHello, which will also be accessible in TLS 1.3 [7].

[Figure 1: simplified view of a TLS session. Image: https://alln-extcloud-storage.cisco.com/ciscoblogs/eta-blake-fig-1.png]
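The quoted blog describes two sources of features that are visible without decryption: the plaintext ClientHello metadata (offered cipher suites, extensions, SNI) and the flow's packet lengths and inter-arrival times. The Python below is an added example, not code from the Cisco blog or the forum post: it builds a constructed TLS 1.2 ClientHello, parses exactly those fields back out, and derives the length/timing feature vector from a constructed flow record; the `build_sample_client_hello` and `flow_features` names are my own.

```python
import struct

def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data

def build_sample_client_hello(sni: str, suites: list[int]) -> bytes:
    """Constructed TLS 1.2 ClientHello record (sample input, not a real capture)."""
    host = sni.encode()
    sni_ext = _ext(0x0000, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)
    groups_ext = _ext(0x000A, struct.pack("!HH", 2, 0x001D))   # supported_groups: x25519
    exts = sni_ext + groups_ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                 # version, random, empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)  # null compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 22 = handshake

def parse_client_hello(rec: bytes) -> dict:
    """Extract the unencrypted ClientHello metadata the blog uses as classifier input."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                   # skip 5-byte record header + 4-byte handshake header
    version = rec[p:p + 2].hex(); p += 2
    p += 32                                 # client random: no stable client fingerprint here
    p += 1 + rec[p]                         # session id
    n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", rec[p + i:p + i + 2])[0] for i in range(0, n, 2)]; p += n
    p += 1 + rec[p]                         # compression methods
    end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    ext_types, sni = [], None
    while p < end:
        t, length = struct.unpack("!HH", rec[p:p + 4]); p += 4
        if t == 0:                          # server_name: list len(2), name type(1), name len(2), name
            name_len = struct.unpack("!H", rec[p + 3:p + 5])[0]
            sni = rec[p + 5:p + 5 + name_len].decode()
        ext_types.append(t); p += length
    return {"version": version, "cipher_suites": suites, "extensions": ext_types, "sni": sni}

def flow_features(packets: list[tuple[float, int]]) -> dict:
    """Behavioral view of a flow from (timestamp_s, signed length) pairs.
    Positive length = client->server, negative = server->client (constructed convention)."""
    lengths = [size for _, size in packets]
    gaps_ms = [round((b - a) * 1000, 1) for (a, _), (b, _) in zip(packets, packets[1:])]
    return {"lengths": lengths, "inter_arrival_ms": gaps_ms,
            "bytes_out": sum(s for s in lengths if s > 0),
            "bytes_in": -sum(s for s in lengths if s < 0)}

# Constructed sample flow: ClientHello, ServerHello+cert, key exchange, then short periodic beacons.
SAMPLE_FLOW = [(0.000, 517), (0.042, -1460), (0.045, -890), (0.050, 126), (0.091, -51),
               (5.102, 97), (5.140, -83), (10.107, 97), (10.145, -83)]
```

Feeding `parse_client_hello(build_sample_client_hello("example.test", [0xC02F, 0xC030, 0x009C]))` together with `flow_features(SAMPLE_FLOW)` into a feature vector is the combination the blog's supervised model learns from; the regular 5-second gaps and fixed 97/83-byte exchanges in the constructed flow are the kind of timing regularity that survives encryption.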