SlideShare a Scribd company logo

Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без дешифровки)

Positive Hack Days
Positive Hack Days

В рамках секции: Безопасность в динамике: анализ трафика и защита сети

Technology
1 of 43
Deciphering Malware’s Use of TLS (without Decryption) Ruslan Ivanov Consulting Systems Engineer, Cisco ruivanov@cisco.com
В докладе рассматривается работа группы исследователей компании Cisco, доказывающая применимость традиционных методов статистического и поведенческого анализа для обнаружения и атрибуции вредоносного ПО, использующего TLS в качестве метода шифрования каналов взаимодействия, без дешифровки или компрометации TLS-сессии. О чём этот доклад?
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public People Blake Anderson – Technical Leader PhD in Computer Science (Machine Learning) Started at Cisco in 2015 David McGrew – Cisco Fellow PhD in Physics (Chaos Theory) Started at Cisco in 1998 BRKSEC-2809 3
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Problem: Encrypted Malware Traffic • TLS usage increasing (this is not bad!) • String-matching solutions less ineffective • MITM problems • Privacy, legal, deployment, expense, non-cooperating clients InternetPremises BRKSEC-2809 4
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Our Approach: Leverage All Data Features InternetPremises Netflow data: SrcIP, DstIP, SrcPort, DstPort, Proto, #Bytes, #Packets Intraflow data: Packet Lengths & Inter-arrival Times, Byte Distribution, … TLS metadata: Extensions, Ciphersuites, SNI, Certificate Strings, … DNS data: Names and TTLs of linked responses HTTP data: Headers and File Magic for other flows from target 5BRKSEC-2809
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Flow Monitoring Export Collection Analysis StorageObservation Observation Observation srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets BRKSEC-2809 6
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Enhanced Telemetry Export Collection Analysis StorageObservation Observation Observation srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets New Data Features BRKSEC-2809 7
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Solution Overview OS inference Endpoint Context OS, Applications, PMTU, RTT, Infection, … ETTA data flow record labels flow record fingerprint rules classifier description Cisco Products ETTA data Application inference Malware Detection Malware Family Crypto Audit BRKSEC-2809 8
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Data Collection Training/Storage • Metadata • Packet lengths • TLS • DNS • HTTP Benign Records Malware Records Classifier/Rules BRKSEC-2809 9BRKSEC-2809 9
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Malware Benign • ThreatGRID pcaps • 5-minute sandbox runs • Threat Score = 100/100 • Millions of pcap’s • ~5,000-15,000 new pcap’s a day • Hundreds of millions of flows • Enterprise DMZ • ~10-15 million flows per day • ~500 user site • IP addresses are anonymized BRKSEC-2809 10
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Exploring Threat Data Features at Scale joy pcap2flowpcap json pcap2flow json Offline Online exporter jsoncollector https://github.com/cisco/joy Bill Hudson Philip Perricone 11BRKSEC-2809
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public src dst • SPLT – Sequence of Packet Lengths and Arrival Times • Byte Distribution • Byte Entropy Enhanced Telemetry Data Types 12BRKSEC-2809
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Sequence of Packet Lengths and Times src dst ClientpacketsServerpackets Time BRKSEC-2809 13
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K BRKSEC-2809 14
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 BRKSEC-2809 15
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 1 BRKSEC-2809 16
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 2 BRKSEC-2809 17
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 1 2 BRKSEC-2809 18
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public TLS Handshake Protocol Client Server ClientHello ServerHello / Certificate ClientKeyExchange / ChangeCipherSpec Application Data ChangeCipherSpec BRKSEC-2809 19
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Most popular TLS clients: • IE 8/11*, Tor, Opera • Wide variety in the number of distinct ciphersuite offer vectors • Some malware families only used one while others used hundreds • 2048-bit DHE_RSA was by far the most popular public key algorithm / size TLS Clients BRKSEC-2809 20
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Most popular servers (taken from the certificate subject): • Bitcoin wallet (e.g., block.io) • File sharing sites (e.g., dropbox.com) • Advertising (e.g., criteo.com) • Search engines (e.g., google.com, baidu.com) • DGA-like certificate subjects were very common • .7% (as opposed to .09% on an enterprise network) used self-signed certificates • TLS_RSA_WITH_3DES_EDE_CBC_SHA was the most popular selected ciphersuite • These features are heavily dependent on the malware family TLS Servers BRKSEC-2809 21
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Retain original capitalization • User-Agent vs user-agent vs User-agent vs USER-AGENT vs User-AgEnt • Retain original ordering of header fields • Absence or presence of HTTP fields gives information about environment • via, x-imforwards • Common User-Agent values: • Opera/9.50(WindowsNT6.0;U;en) • Mozilla/5.0(Windows;U;WindowsNT5.1;en- US;rv:1.9.2.3)Gecko/20100401Firefox/3.6.1(.NETCLR3.5.30731) • Mozilla/5.0(WindowsNT6.3;WOW64;Trident/7.0;Touch;rv:11.0)likeGecko HTTP Fields BRKSEC-2809 22
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Common TTL values: • 100 > 300 > 60 > 3600 • Number of IPs per request: • 1 > 4 > 11 > 2 > 6 • Most common suffixes: • com > net > pl > eu > org • ~95% not found in the Alexa top-1,000,000 list DNS Information BRKSEC-2809 23
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Server Name Indication • Extension type: server_name (0x0000) • Indication from the client about the hostname of the server Record Headers ClientHello Random Nonce [Session ID] Cipher suites Compression Methods Extensions Single Extension BRKSEC-2809 24
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Certificate Information • Check for self-signed certificates • Issuer == Subject • Check for certificates not within validity period • Check for discrepancies in the SubjectAltName (optional certificate extension and the server_name extension Record Headers Certificate … Cert Headers Cert Signature Algorithm Issuer Validity Period Subject Subject Public Key Optional Info Cert Sig Alg Cert Signature BRKSEC-2809 25
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public TLS Client Fingerprinting Record Headers ClientHello Random Nonce [Session ID] Cipher suites Compression Methods Extensions Used for fingerprinting 0.9.8 1.0.0 1.0.1 1.0.2 OpenSSL Versions BRKSEC-2809 26
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Classification Model on SPLT and BD Length transition bins Time transition bins Classifier Feature Selection [0,1] BRKSEC-2809 28
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Evaluating Algorithms BRKSEC-2809 29
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Malware • August 2015 to May 2016 pcaps from ThreatGRID • TLS (443) traffic, > 100 in and out bytes • 225,740 flows, Telemetry enhanced with TLS extensions, ciphersuites, and public key lengths • Benign • traffic taken from a large enterprise DMZ • TLS (443) traffic, > 100 in and out bytes • 225,000 flows, Telemetry enhanced with TLS extensions, ciphersuites, and public key lengths • 10-fold cross-validation Test Setup BRKSEC-2809 30
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public src dst • Packet Lengths and Inter-arrival Times Modeled as 1st Order Markov Chains • Probabilities of Byte Values in Payload • Binary Vector of Offered Ciphersuites and Extensions, and Client’s Public Key Size Intraflow Features BRKSEC-2809 31
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Results • L1-logistic regression • Meta + SPLT + BD • 0.01% FDR: 1.3% • Total Accuracy: 98.9% • L1-logistic regression • Meta + SPLT + BD + TLS • 0.01% FDR: 92.8% • Total Accuracy: 99.6% BRKSEC-2809 32
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Results (without Schannel) • L1-logistic regression • Meta + SPLT + BD • 0.01 FDR: 0.9% • Total Accuracy: 98.5% • L1-logistic regression • Meta + SPLT + BD + TLS • 0.01 FDR: 87.2% • Total Accuracy: 99.6% BRKSEC-2809 33
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Per-Family Classification Results Malware Family Meta+SPLT+BD Meta+SPLT+BD+TLS Bergat* 100.0% 100.0% Sality* 95.0% 97.7% Dridex 16.5% 78.5% Skeeyah 95.9% 98.6% Virlock 100.0% 100.0% BRKSEC-2809 34
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Malware • August 2015 to May 2016 pcaps from ThreatGRID • TLS (443) traffic, > 100 in and out bytes • 13,542 flows with all available data (~63.2% of malicious TLS flows) • Benign • traffic taken from a large enterprise DMZ • TLS (443) traffic, > 100 in and out bytes • 42,927 flows with all available data (~3.8% of benign TLS flows) • 10-fold cross-validation Test Setup BRKSEC-2809 35
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public src dst • Packet Lengths and Inter-arrival Times Modeled as 1st Order Markov Chains • Probabilities of Byte Values in Payload • Binary Vector of Offered Ciphersuites and Extensions, and Client’s Public Key Size Intraflow Features BRKSEC-2809 36
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • DNS • Alexa Lists • Lengths of DN and FQDN • Suffix • TTL • % Numerical Characters • % Non-alphanumeric Chars • HTTP • Outbound/inbound header fields • Content-Type • User-Agent • Accept-Language • Server • code Contextual Flow Features BRKSEC-2809 37
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • L1-logistic regression • Traditional Side Channel Features • 0.00% FDR: 0.00% • Total Accuracy: 93.1% • L1-logistic regression • All Available Features • 0.00% FDR: 99.9% • Total Accuracy: 99.9% Results (10-fold cross-validation) BRKSEC-2809 38
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Detecting Encrypted Malware Acc. 0.00% FDR SPLT+BD+TLS+HTTP+DNS 99.993% 99.978% TLS 94.836% 50.406% DNS 99.496% 94.654% HTTP 99.945% 98.996% TLS+DNS 99.883% 96.551% TLS+HTTP 99.955% 99.660% HTTP+DNS 99.985% 99.956% SPLT+BD+TLS 99.933% 70.351% SPLT+BD+TLS+DNS 99.968% 98.043% SPLT+BD+TLS+HTTP 99.983% 99.956% TLS DNS HTTP SPLT+BD BRKSEC-2809 39
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Interpretability • Malware Features • DNS Suffix: org • DNS TTL: 3600 • TLS_RSA_WITH_RC4_128_SHA • HTTP Field: location • DNS Alexa: Not Found • HTTP Server: nginx • HTTP Code: 404 • Benign Features • TLS Ext: extended_master_secret • Content type: application/octet-stream • TLS_DHE_RSA_WITH_DES_CBC_SHA • HTTP Server: Microsoft-IIS/8.5 • DNS Alexa: top-1,000,000 • HTTP User-Agent: Microsoft-CryptoAPI/6.1 BRKSEC-2809 40
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Datasets are relatively limited • Evasion is possible • Not impossible to mimic popular TLS/HTTP/DNS clients/servers/responses • But, mimicking these features requires an on-going and non-trivial software engineering effort • Can (hopefully) limit evasion attacks • Identify most robust network features (several good existing algorithms) • Include higher order interactions: • TLS client / HTTP user agent(s) • Ordering of offered ciphersuites and HTTP fields Caveats / Biases BRKSEC-2809 41
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Conclusions • Malware’s use of TLS is increasing • Our research complements current solutions • Machine learning/rules applied to passively obtained network data features can detect malware communication • https://github.com/cisco/joy • Note: contact authors to obtain well-trained classifier parameters 0.00% 5.00% 10.00% 15.00% 20.00% 25.00% Percentage of malware traffic using TLS BRKSEC-2809 42
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public https://arxiv.org/abs/1607.01639 Название: «Deciphering Malware's use of TLS (without Decryption)» Авторы: Blake Anderson, Subharthi Paul, David McGrew Препринт статьи, на основе которой сделана данная презентация, доступен по адресу: 43
Q & A

Recommended

Csa summit la transformación digital y el nuevo rol del ciso
Csa summit la transformación digital y el nuevo rol del cisoCsa summit la transformación digital y el nuevo rol del ciso
Csa summit la transformación digital y el nuevo rol del ciso
CSA Argentina
 
Csa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCsa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionals
CSA Argentina
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud Crossover
Armor
 
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALDefending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Michael Bunn
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public Cloud
CloudHesive
 
Pöyry ICS Cyber Security brochure (English)
Pöyry ICS Cyber Security brochure (English)Pöyry ICS Cyber Security brochure (English)
Pöyry ICS Cyber Security brochure (English)
Pöyry
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Scalar Decisions
 
DTS Solution - Cyber Security Services Portfolio
DTS Solution - Cyber Security Services PortfolioDTS Solution - Cyber Security Services Portfolio
DTS Solution - Cyber Security Services Portfolio
Shah Sheikh
 

Recommended

Csa summit la transformación digital y el nuevo rol del ciso
Csa summit la transformación digital y el nuevo rol del cisoCsa summit la transformación digital y el nuevo rol del ciso
Csa summit la transformación digital y el nuevo rol del ciso
CSA Argentina
 
Csa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCsa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionals
CSA Argentina
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud Crossover
Armor
 
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALDefending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Michael Bunn
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public Cloud
CloudHesive
 
Pöyry ICS Cyber Security brochure (English)
Pöyry ICS Cyber Security brochure (English)Pöyry ICS Cyber Security brochure (English)
Pöyry ICS Cyber Security brochure (English)
Pöyry
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Scalar Decisions
 
DTS Solution - Cyber Security Services Portfolio
DTS Solution - Cyber Security Services PortfolioDTS Solution - Cyber Security Services Portfolio
DTS Solution - Cyber Security Services Portfolio
Shah Sheikh
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Ulf Mattsson
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016
Ulf Mattsson
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Shah Sheikh
 
Csa summit argentina-reavis
Csa summit argentina-reavisCsa summit argentina-reavis
Csa summit argentina-reavis
CSA Argentina
 
Symantec Cyber Security Services: Security Simulation
Symantec Cyber Security Services: Security SimulationSymantec Cyber Security Services: Security Simulation
Symantec Cyber Security Services: Security Simulation
Symantec
 
Security assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepSecurity assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP Prep
EnterpriseGRC Solutions, Inc.
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?
manoharparakh
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
Sirius
 
How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016
Ulf Mattsson
 
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
Cristian Garcia G.
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
Virginia Fernandez
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
EnterpriseGRC Solutions, Inc.
 
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber ResilienceISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
Shah Sheikh
 
how to secure web applications with owasp - isaca sep 2009 - for distribution
how to secure web applications with owasp - isaca sep 2009 - for distributionhow to secure web applications with owasp - isaca sep 2009 - for distribution
how to secure web applications with owasp - isaca sep 2009 - for distribution
Santosh Satam
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEye
Prime Infoserv
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
Nicolas Beyer
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
Fidelis Cybersecurity
 
DTS Solution - Company Presentation
DTS Solution - Company PresentationDTS Solution - Company Presentation
DTS Solution - Company Presentation
Shah Sheikh
 
Scalar_Managed_Security_Services_2016
Scalar_Managed_Security_Services_2016Scalar_Managed_Security_Services_2016
Scalar_Managed_Security_Services_2016
patmisasi
 
MUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystMUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration Analyst
Fajar Nugroho
 
Fiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSFiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPS
Jaime Martin Losa
 

More Related Content

What's hot

Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Ulf Mattsson
 
Symantec Cyber Security Services: Security Simulation
Symantec Cyber Security Services: Security SimulationSymantec Cyber Security Services: Security Simulation
Symantec Cyber Security Services: Security Simulation
Symantec
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
Sirius
 
How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016
Ulf Mattsson
 
how to secure web applications with owasp - isaca sep 2009 - for distribution
how to secure web applications with owasp - isaca sep 2009 - for distributionhow to secure web applications with owasp - isaca sep 2009 - for distribution
how to secure web applications with owasp - isaca sep 2009 - for distribution
Santosh Satam
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEye
Prime Infoserv
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
Nicolas Beyer
 
Scalar_Managed_Security_Services_2016
Scalar_Managed_Security_Services_2016Scalar_Managed_Security_Services_2016
Scalar_Managed_Security_Services_2016
patmisasi
 

What's hot (20)

Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
 
Csa summit argentina-reavis
Csa summit argentina-reavisCsa summit argentina-reavis
Csa summit argentina-reavis
 
Symantec Cyber Security Services: Security Simulation
Symantec Cyber Security Services: Security SimulationSymantec Cyber Security Services: Security Simulation
Symantec Cyber Security Services: Security Simulation
 
Security assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepSecurity assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP Prep
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 
How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016
 
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
 
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber ResilienceISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
 
how to secure web applications with owasp - isaca sep 2009 - for distribution
how to secure web applications with owasp - isaca sep 2009 - for distributionhow to secure web applications with owasp - isaca sep 2009 - for distribution
how to secure web applications with owasp - isaca sep 2009 - for distribution
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEye
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
 
DTS Solution - Company Presentation
DTS Solution - Company PresentationDTS Solution - Company Presentation
DTS Solution - Company Presentation
 
Scalar_Managed_Security_Services_2016
Scalar_Managed_Security_Services_2016Scalar_Managed_Security_Services_2016
Scalar_Managed_Security_Services_2016
 

Similar to Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без дешифровки)

tHE GENERATION AND USE OF TLS FINGERPRINGTS
tHE GENERATION AND USE OF TLS FINGERPRINGTStHE GENERATION AND USE OF TLS FINGERPRINGTS
tHE GENERATION AND USE OF TLS FINGERPRINGTS
ortdx
 
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMNext-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Open Networking Summit
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the Network
Cisco Canada
 

Similar to Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без дешифровки) (20)

MUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystMUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration Analyst
 
Fiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSFiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPS
 
Fast RTPS Workshop at FIWARE Summit 2018
Fast RTPS Workshop at FIWARE Summit 2018Fast RTPS Workshop at FIWARE Summit 2018
Fast RTPS Workshop at FIWARE Summit 2018
 
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
 
Fast RTPS
Fast RTPSFast RTPS
Fast RTPS
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 
Fiware: Connecting to robots
Fiware: Connecting to robotsFiware: Connecting to robots
Fiware: Connecting to robots
 
Fast RTPS: Programming with the Default Middleware for Robotics Adopted in ROS2
Fast RTPS: Programming with the Default Middleware for Robotics Adopted in ROS2Fast RTPS: Programming with the Default Middleware for Robotics Adopted in ROS2
Fast RTPS: Programming with the Default Middleware for Robotics Adopted in ROS2
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
tHE GENERATION AND USE OF TLS FINGERPRINGTS
tHE GENERATION AND USE OF TLS FINGERPRINGTStHE GENERATION AND USE OF TLS FINGERPRINGTS
tHE GENERATION AND USE OF TLS FINGERPRINGTS
 
Gain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC NetworkingGain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC Networking
 
Cisco DC Networking: Gain Insight and Programmability with
Cisco DC Networking: Gain Insight and Programmability with Cisco DC Networking: Gain Insight and Programmability with
Cisco DC Networking: Gain Insight and Programmability with
 
Gain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC NetworkingGain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC Networking
 
BRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdfBRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdf
 
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMNext-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAM
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
SDN and metrics from the SDOs
SDN and metrics from the SDOsSDN and metrics from the SDOs
SDN and metrics from the SDOs
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the Network
 
TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics
 

More from Positive Hack Days

Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
Positive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
Positive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
Positive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Positive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
Positive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
Positive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Recently uploaded (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 

Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без дешифровки)

  • 1. Deciphering Malware’s Use of TLS (without Decryption) Ruslan Ivanov Consulting Systems Engineer, Cisco ruivanov@cisco.com
  • 2. В докладе рассматривается работа группы исследователей компании Cisco, доказывающая применимость традиционных методов статистического и поведенческого анализа для обнаружения и атрибуции вредоносного ПО, использующего TLS в качестве метода шифрования каналов взаимодействия, без дешифровки или компрометации TLS-сессии. О чём этот доклад?
  • 3. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public People Blake Anderson – Technical Leader PhD in Computer Science (Machine Learning) Started at Cisco in 2015 David McGrew – Cisco Fellow PhD in Physics (Chaos Theory) Started at Cisco in 1998 BRKSEC-2809 3
  • 4. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Problem: Encrypted Malware Traffic • TLS usage increasing (this is not bad!) • String-matching solutions less ineffective • MITM problems • Privacy, legal, deployment, expense, non-cooperating clients InternetPremises BRKSEC-2809 4
  • 5. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Our Approach: Leverage All Data Features InternetPremises Netflow data: SrcIP, DstIP, SrcPort, DstPort, Proto, #Bytes, #Packets Intraflow data: Packet Lengths & Inter-arrival Times, Byte Distribution, … TLS metadata: Extensions, Ciphersuites, SNI, Certificate Strings, … DNS data: Names and TTLs of linked responses HTTP data: Headers and File Magic for other flows from target 5BRKSEC-2809
  • 6. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Flow Monitoring Export Collection Analysis StorageObservation Observation Observation srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets BRKSEC-2809 6
  • 7. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Enhanced Telemetry Export Collection Analysis StorageObservation Observation Observation srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets New Data Features BRKSEC-2809 7
  • 8. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Solution Overview OS inference Endpoint Context OS, Applications, PMTU, RTT, Infection, … ETTA data flow record labels flow record fingerprint rules classifier description Cisco Products ETTA data Application inference Malware Detection Malware Family Crypto Audit BRKSEC-2809 8
  • 9. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Data Collection Training/Storage • Metadata • Packet lengths • TLS • DNS • HTTP Benign Records Malware Records Classifier/Rules BRKSEC-2809 9BRKSEC-2809 9
  • 10. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Malware Benign • ThreatGRID pcaps • 5-minute sandbox runs • Threat Score = 100/100 • Millions of pcap’s • ~5,000-15,000 new pcap’s a day • Hundreds of millions of flows • Enterprise DMZ • ~10-15 million flows per day • ~500 user site • IP addresses are anonymized BRKSEC-2809 10
  • 11. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Exploring Threat Data Features at Scale joy pcap2flowpcap json pcap2flow json Offline Online exporter jsoncollector https://github.com/cisco/joy Bill Hudson Philip Perricone 11BRKSEC-2809
  • 12. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public src dst • SPLT – Sequence of Packet Lengths and Arrival Times • Byte Distribution • Byte Entropy Enhanced Telemetry Data Types 12BRKSEC-2809
  • 13. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Sequence of Packet Lengths and Times src dst ClientpacketsServerpackets Time BRKSEC-2809 13
  • 14. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K BRKSEC-2809 14
  • 15. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 BRKSEC-2809 15
  • 16. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 1 BRKSEC-2809 16
  • 17. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 2 BRKSEC-2809 17
  • 18. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 1 2 BRKSEC-2809 18
  • 19. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public TLS Handshake Protocol Client Server ClientHello ServerHello / Certificate ClientKeyExchange / ChangeCipherSpec Application Data ChangeCipherSpec BRKSEC-2809 19
  • 20. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Most popular TLS clients: • IE 8/11*, Tor, Opera • Wide variety in the number of distinct ciphersuite offer vectors • Some malware families only used one while others used hundreds • 2048-bit DHE_RSA was by far the most popular public key algorithm / size TLS Clients BRKSEC-2809 20
  • 21. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Most popular servers (taken from the certificate subject): • Bitcoin wallet (e.g., block.io) • File sharing sites (e.g., dropbox.com) • Advertising (e.g., criteo.com) • Search engines (e.g., google.com, baidu.com) • DGA-like certificate subjects were very common • .7% (as opposed to .09% on an enterprise network) used self-signed certificates • TLS_RSA_WITH_3DES_EDE_CBC_SHA was the most popular selected ciphersuite • These features are heavily dependent on the malware family TLS Servers BRKSEC-2809 21
  • 22. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Retain original capitalization • User-Agent vs user-agent vs User-agent vs USER-AGENT vs User-AgEnt • Retain original ordering of header fields • Absence or presence of HTTP fields gives information about environment • via, x-imforwards • Common User-Agent values: • Opera/9.50(WindowsNT6.0;U;en) • Mozilla/5.0(Windows;U;WindowsNT5.1;en- US;rv:1.9.2.3)Gecko/20100401Firefox/3.6.1(.NETCLR3.5.30731) • Mozilla/5.0(WindowsNT6.3;WOW64;Trident/7.0;Touch;rv:11.0)likeGecko HTTP Fields BRKSEC-2809 22
  • 23. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Common TTL values: • 100 > 300 > 60 > 3600 • Number of IPs per request: • 1 > 4 > 11 > 2 > 6 • Most common suffixes: • com > net > pl > eu > org • ~95% not found in the Alexa top-1,000,000 list DNS Information BRKSEC-2809 23
  • 24. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Server Name Indication • Extension type: server_name (0x0000) • Indication from the client about the hostname of the server Record Headers ClientHello Random Nonce [Session ID] Cipher suites Compression Methods Extensions Single Extension BRKSEC-2809 24
  • 25. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Certificate Information • Check for self-signed certificates • Issuer == Subject • Check for certificates not within validity period • Check for discrepancies in the SubjectAltName (optional certificate extension and the server_name extension Record Headers Certificate … Cert Headers Cert Signature Algorithm Issuer Validity Period Subject Subject Public Key Optional Info Cert Sig Alg Cert Signature BRKSEC-2809 25
  • 26. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public TLS Client Fingerprinting Record Headers ClientHello Random Nonce [Session ID] Cipher suites Compression Methods Extensions Used for fingerprinting 0.9.8 1.0.0 1.0.1 1.0.2 OpenSSL Versions BRKSEC-2809 26
  • 27. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Classification Model on SPLT and BD Length transition bins Time transition bins Classifier Feature Selection [0,1] BRKSEC-2809 28
  • 28. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Evaluating Algorithms BRKSEC-2809 29
  • 29. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Malware • August 2015 to May 2016 pcaps from ThreatGRID • TLS (443) traffic, > 100 in and out bytes • 225,740 flows, Telemetry enhanced with TLS extensions, ciphersuites, and public key lengths • Benign • traffic taken from a large enterprise DMZ • TLS (443) traffic, > 100 in and out bytes • 225,000 flows, Telemetry enhanced with TLS extensions, ciphersuites, and public key lengths • 10-fold cross-validation Test Setup BRKSEC-2809 30
  • 30. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public src dst • Packet Lengths and Inter-arrival Times Modeled as 1st Order Markov Chains • Probabilities of Byte Values in Payload • Binary Vector of Offered Ciphersuites and Extensions, and Client’s Public Key Size Intraflow Features BRKSEC-2809 31
  • 31. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Results • L1-logistic regression • Meta + SPLT + BD • 0.01% FDR: 1.3% • Total Accuracy: 98.9% • L1-logistic regression • Meta + SPLT + BD + TLS • 0.01% FDR: 92.8% • Total Accuracy: 99.6% BRKSEC-2809 32
  • 32. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Results (without Schannel) • L1-logistic regression • Meta + SPLT + BD • 0.01 FDR: 0.9% • Total Accuracy: 98.5% • L1-logistic regression • Meta + SPLT + BD + TLS • 0.01 FDR: 87.2% • Total Accuracy: 99.6% BRKSEC-2809 33
  • 33. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Per-Family Classification Results Malware Family Meta+SPLT+BD Meta+SPLT+BD+TLS Bergat* 100.0% 100.0% Sality* 95.0% 97.7% Dridex 16.5% 78.5% Skeeyah 95.9% 98.6% Virlock 100.0% 100.0% BRKSEC-2809 34
  • 34. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Malware • August 2015 to May 2016 pcaps from ThreatGRID • TLS (443) traffic, > 100 in and out bytes • 13,542 flows with all available data (~63.2% of malicious TLS flows) • Benign • traffic taken from a large enterprise DMZ • TLS (443) traffic, > 100 in and out bytes • 42,927 flows with all available data (~3.8% of benign TLS flows) • 10-fold cross-validation Test Setup BRKSEC-2809 35
  • 35. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public src dst • Packet Lengths and Inter-arrival Times Modeled as 1st Order Markov Chains • Probabilities of Byte Values in Payload • Binary Vector of Offered Ciphersuites and Extensions, and Client’s Public Key Size Intraflow Features BRKSEC-2809 36
  • 36. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • DNS • Alexa Lists • Lengths of DN and FQDN • Suffix • TTL • % Numerical Characters • % Non-alphanumeric Chars • HTTP • Outbound/inbound header fields • Content-Type • User-Agent • Accept-Language • Server • code Contextual Flow Features BRKSEC-2809 37
  • 37. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • L1-logistic regression • Traditional Side Channel Features • 0.00% FDR: 0.00% • Total Accuracy: 93.1% • L1-logistic regression • All Available Features • 0.00% FDR: 99.9% • Total Accuracy: 99.9% Results (10-fold cross-validation) BRKSEC-2809 38
  • 38. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Detecting Encrypted Malware Acc. 0.00% FDR SPLT+BD+TLS+HTTP+DNS 99.993% 99.978% TLS 94.836% 50.406% DNS 99.496% 94.654% HTTP 99.945% 98.996% TLS+DNS 99.883% 96.551% TLS+HTTP 99.955% 99.660% HTTP+DNS 99.985% 99.956% SPLT+BD+TLS 99.933% 70.351% SPLT+BD+TLS+DNS 99.968% 98.043% SPLT+BD+TLS+HTTP 99.983% 99.956% TLS DNS HTTP SPLT+BD BRKSEC-2809 39
  • 39. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Interpretability • Malware Features • DNS Suffix: org • DNS TTL: 3600 • TLS_RSA_WITH_RC4_128_SHA • HTTP Field: location • DNS Alexa: Not Found • HTTP Server: nginx • HTTP Code: 404 • Benign Features • TLS Ext: extended_master_secret • Content type: application/octet-stream • TLS_DHE_RSA_WITH_DES_CBC_SHA • HTTP Server: Microsoft-IIS/8.5 • DNS Alexa: top-1,000,000 • HTTP User-Agent: Microsoft-CryptoAPI/6.1 BRKSEC-2809 40
  • 40. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Datasets are relatively limited • Evasion is possible • Not impossible to mimic popular TLS/HTTP/DNS clients/servers/responses • But, mimicking these features requires an on-going and non-trivial software engineering effort • Can (hopefully) limit evasion attacks • Identify most robust network features (several good existing algorithms) • Include higher order interactions: • TLS client / HTTP user agent(s) • Ordering of offered ciphersuites and HTTP fields Caveats / Biases BRKSEC-2809 41
  • 41. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Conclusions • Malware’s use of TLS is increasing • Our research complements current solutions • Machine learning/rules applied to passively obtained network data features can detect malware communication • https://github.com/cisco/joy • Note: contact authors to obtain well-trained classifier parameters 0.00% 5.00% 10.00% 15.00% 20.00% 25.00% Percentage of malware traffic using TLS BRKSEC-2809 42
  • 42. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public https://arxiv.org/abs/1607.01639 Название: «Deciphering Malware's use of TLS (without Decryption)» Авторы: Blake Anderson, Subharthi Paul, David McGrew Препринт статьи, на основе которой сделана данная презентация, доступен по адресу: 43
  • 43. Q & A

Editor's Notes

  1. (Currently Implemented in a Switch and/or NGA)
  2. (Currently Implemented in a Switch and/or NGA)
  3. (Currently Implemented in a Switch and/or NGA)
  4. (Currently Implemented in a Switch and/or NGA)