SlideShare ist ein Scribd-Unternehmen logo

Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без дешифровки)

Positive Hack Days
Positive Hack Days

В рамках секции: Безопасность в динамике: анализ трафика и защита сети

Technologie
1 von 43
Deciphering Malware’s Use of TLS (without Decryption) Ruslan Ivanov Consulting Systems Engineer, Cisco ruivanov@cisco.com
В докладе рассматривается работа группы исследователей компании Cisco, доказывающая применимость традиционных методов статистического и поведенческого анализа для обнаружения и атрибуции вредоносного ПО, использующего TLS в качестве метода шифрования каналов взаимодействия, без дешифровки или компрометации TLS-сессии. О чём этот доклад?
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public People Blake Anderson – Technical Leader PhD in Computer Science (Machine Learning) Started at Cisco in 2015 David McGrew – Cisco Fellow PhD in Physics (Chaos Theory) Started at Cisco in 1998 BRKSEC-2809 3
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Problem: Encrypted Malware Traffic • TLS usage increasing (this is not bad!) • String-matching solutions less ineffective • MITM problems • Privacy, legal, deployment, expense, non-cooperating clients InternetPremises BRKSEC-2809 4
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Our Approach: Leverage All Data Features InternetPremises Netflow data: SrcIP, DstIP, SrcPort, DstPort, Proto, #Bytes, #Packets Intraflow data: Packet Lengths & Inter-arrival Times, Byte Distribution, … TLS metadata: Extensions, Ciphersuites, SNI, Certificate Strings, … DNS data: Names and TTLs of linked responses HTTP data: Headers and File Magic for other flows from target 5BRKSEC-2809
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Flow Monitoring Export Collection Analysis StorageObservation Observation Observation srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets BRKSEC-2809 6
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Enhanced Telemetry Export Collection Analysis StorageObservation Observation Observation srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets New Data Features BRKSEC-2809 7
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Solution Overview OS inference Endpoint Context OS, Applications, PMTU, RTT, Infection, … ETTA data flow record labels flow record fingerprint rules classifier description Cisco Products ETTA data Application inference Malware Detection Malware Family Crypto Audit BRKSEC-2809 8
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Data Collection Training/Storage • Metadata • Packet lengths • TLS • DNS • HTTP Benign Records Malware Records Classifier/Rules BRKSEC-2809 9BRKSEC-2809 9
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Malware Benign • ThreatGRID pcaps • 5-minute sandbox runs • Threat Score = 100/100 • Millions of pcap’s • ~5,000-15,000 new pcap’s a day • Hundreds of millions of flows • Enterprise DMZ • ~10-15 million flows per day • ~500 user site • IP addresses are anonymized BRKSEC-2809 10
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Exploring Threat Data Features at Scale joy pcap2flowpcap json pcap2flow json Offline Online exporter jsoncollector https://github.com/cisco/joy Bill Hudson Philip Perricone 11BRKSEC-2809
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public src dst • SPLT – Sequence of Packet Lengths and Arrival Times • Byte Distribution • Byte Entropy Enhanced Telemetry Data Types 12BRKSEC-2809
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Sequence of Packet Lengths and Times src dst ClientpacketsServerpackets Time BRKSEC-2809 13
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K BRKSEC-2809 14
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 BRKSEC-2809 15
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 1 BRKSEC-2809 16
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 2 BRKSEC-2809 17
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 1 2 BRKSEC-2809 18
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public TLS Handshake Protocol Client Server ClientHello ServerHello / Certificate ClientKeyExchange / ChangeCipherSpec Application Data ChangeCipherSpec BRKSEC-2809 19
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Most popular TLS clients: • IE 8/11*, Tor, Opera • Wide variety in the number of distinct ciphersuite offer vectors • Some malware families only used one while others used hundreds • 2048-bit DHE_RSA was by far the most popular public key algorithm / size TLS Clients BRKSEC-2809 20
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Most popular servers (taken from the certificate subject): • Bitcoin wallet (e.g., block.io) • File sharing sites (e.g., dropbox.com) • Advertising (e.g., criteo.com) • Search engines (e.g., google.com, baidu.com) • DGA-like certificate subjects were very common • .7% (as opposed to .09% on an enterprise network) used self-signed certificates • TLS_RSA_WITH_3DES_EDE_CBC_SHA was the most popular selected ciphersuite • These features are heavily dependent on the malware family TLS Servers BRKSEC-2809 21
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Retain original capitalization • User-Agent vs user-agent vs User-agent vs USER-AGENT vs User-AgEnt • Retain original ordering of header fields • Absence or presence of HTTP fields gives information about environment • via, x-imforwards • Common User-Agent values: • Opera/9.50(WindowsNT6.0;U;en) • Mozilla/5.0(Windows;U;WindowsNT5.1;en- US;rv:1.9.2.3)Gecko/20100401Firefox/3.6.1(.NETCLR3.5.30731) • Mozilla/5.0(WindowsNT6.3;WOW64;Trident/7.0;Touch;rv:11.0)likeGecko HTTP Fields BRKSEC-2809 22
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Common TTL values: • 100 > 300 > 60 > 3600 • Number of IPs per request: • 1 > 4 > 11 > 2 > 6 • Most common suffixes: • com > net > pl > eu > org • ~95% not found in the Alexa top-1,000,000 list DNS Information BRKSEC-2809 23
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Server Name Indication • Extension type: server_name (0x0000) • Indication from the client about the hostname of the server Record Headers ClientHello Random Nonce [Session ID] Cipher suites Compression Methods Extensions Single Extension BRKSEC-2809 24
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Certificate Information • Check for self-signed certificates • Issuer == Subject • Check for certificates not within validity period • Check for discrepancies in the SubjectAltName (optional certificate extension and the server_name extension Record Headers Certificate … Cert Headers Cert Signature Algorithm Issuer Validity Period Subject Subject Public Key Optional Info Cert Sig Alg Cert Signature BRKSEC-2809 25
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public TLS Client Fingerprinting Record Headers ClientHello Random Nonce [Session ID] Cipher suites Compression Methods Extensions Used for fingerprinting 0.9.8 1.0.0 1.0.1 1.0.2 OpenSSL Versions BRKSEC-2809 26
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Classification Model on SPLT and BD Length transition bins Time transition bins Classifier Feature Selection [0,1] BRKSEC-2809 28
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Evaluating Algorithms BRKSEC-2809 29
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Malware • August 2015 to May 2016 pcaps from ThreatGRID • TLS (443) traffic, > 100 in and out bytes • 225,740 flows, Telemetry enhanced with TLS extensions, ciphersuites, and public key lengths • Benign • traffic taken from a large enterprise DMZ • TLS (443) traffic, > 100 in and out bytes • 225,000 flows, Telemetry enhanced with TLS extensions, ciphersuites, and public key lengths • 10-fold cross-validation Test Setup BRKSEC-2809 30
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public src dst • Packet Lengths and Inter-arrival Times Modeled as 1st Order Markov Chains • Probabilities of Byte Values in Payload • Binary Vector of Offered Ciphersuites and Extensions, and Client’s Public Key Size Intraflow Features BRKSEC-2809 31
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Results • L1-logistic regression • Meta + SPLT + BD • 0.01% FDR: 1.3% • Total Accuracy: 98.9% • L1-logistic regression • Meta + SPLT + BD + TLS • 0.01% FDR: 92.8% • Total Accuracy: 99.6% BRKSEC-2809 32
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Results (without Schannel) • L1-logistic regression • Meta + SPLT + BD • 0.01 FDR: 0.9% • Total Accuracy: 98.5% • L1-logistic regression • Meta + SPLT + BD + TLS • 0.01 FDR: 87.2% • Total Accuracy: 99.6% BRKSEC-2809 33
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Per-Family Classification Results Malware Family Meta+SPLT+BD Meta+SPLT+BD+TLS Bergat* 100.0% 100.0% Sality* 95.0% 97.7% Dridex 16.5% 78.5% Skeeyah 95.9% 98.6% Virlock 100.0% 100.0% BRKSEC-2809 34
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Malware • August 2015 to May 2016 pcaps from ThreatGRID • TLS (443) traffic, > 100 in and out bytes • 13,542 flows with all available data (~63.2% of malicious TLS flows) • Benign • traffic taken from a large enterprise DMZ • TLS (443) traffic, > 100 in and out bytes • 42,927 flows with all available data (~3.8% of benign TLS flows) • 10-fold cross-validation Test Setup BRKSEC-2809 35
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public src dst • Packet Lengths and Inter-arrival Times Modeled as 1st Order Markov Chains • Probabilities of Byte Values in Payload • Binary Vector of Offered Ciphersuites and Extensions, and Client’s Public Key Size Intraflow Features BRKSEC-2809 36
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • DNS • Alexa Lists • Lengths of DN and FQDN • Suffix • TTL • % Numerical Characters • % Non-alphanumeric Chars • HTTP • Outbound/inbound header fields • Content-Type • User-Agent • Accept-Language • Server • code Contextual Flow Features BRKSEC-2809 37
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • L1-logistic regression • Traditional Side Channel Features • 0.00% FDR: 0.00% • Total Accuracy: 93.1% • L1-logistic regression • All Available Features • 0.00% FDR: 99.9% • Total Accuracy: 99.9% Results (10-fold cross-validation) BRKSEC-2809 38
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Detecting Encrypted Malware Acc. 0.00% FDR SPLT+BD+TLS+HTTP+DNS 99.993% 99.978% TLS 94.836% 50.406% DNS 99.496% 94.654% HTTP 99.945% 98.996% TLS+DNS 99.883% 96.551% TLS+HTTP 99.955% 99.660% HTTP+DNS 99.985% 99.956% SPLT+BD+TLS 99.933% 70.351% SPLT+BD+TLS+DNS 99.968% 98.043% SPLT+BD+TLS+HTTP 99.983% 99.956% TLS DNS HTTP SPLT+BD BRKSEC-2809 39
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Interpretability • Malware Features • DNS Suffix: org • DNS TTL: 3600 • TLS_RSA_WITH_RC4_128_SHA • HTTP Field: location • DNS Alexa: Not Found • HTTP Server: nginx • HTTP Code: 404 • Benign Features • TLS Ext: extended_master_secret • Content type: application/octet-stream • TLS_DHE_RSA_WITH_DES_CBC_SHA • HTTP Server: Microsoft-IIS/8.5 • DNS Alexa: top-1,000,000 • HTTP User-Agent: Microsoft-CryptoAPI/6.1 BRKSEC-2809 40
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Datasets are relatively limited • Evasion is possible • Not impossible to mimic popular TLS/HTTP/DNS clients/servers/responses • But, mimicking these features requires an on-going and non-trivial software engineering effort • Can (hopefully) limit evasion attacks • Identify most robust network features (several good existing algorithms) • Include higher order interactions: • TLS client / HTTP user agent(s) • Ordering of offered ciphersuites and HTTP fields Caveats / Biases BRKSEC-2809 41
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Conclusions • Malware’s use of TLS is increasing • Our research complements current solutions • Machine learning/rules applied to passively obtained network data features can detect malware communication • https://github.com/cisco/joy • Note: contact authors to obtain well-trained classifier parameters 0.00% 5.00% 10.00% 15.00% 20.00% 25.00% Percentage of malware traffic using TLS BRKSEC-2809 42
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public https://arxiv.org/abs/1607.01639 Название: «Deciphering Malware's use of TLS (without Decryption)» Авторы: Blake Anderson, Subharthi Paul, David McGrew Препринт статьи, на основе которой сделана данная презентация, доступен по адресу: 43
Q & A

Empfohlen

Csa summit la transformación digital y el nuevo rol del ciso
Csa summit la transformación digital y el nuevo rol del cisoCsa summit la transformación digital y el nuevo rol del ciso
Csa summit la transformación digital y el nuevo rol del cisoCSA Argentina
 
Csa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCsa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCSA Argentina
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud CrossoverArmor
 
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALDefending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALMichael Bunn
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudCloudHesive
 
Pöyry ICS Cyber Security brochure (English)
Pöyry ICS Cyber Security brochure (English)Pöyry ICS Cyber Security brochure (English)
Pöyry ICS Cyber Security brochure (English)Pöyry
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Scalar Decisions
 
DTS Solution - Cyber Security Services Portfolio
DTS Solution - Cyber Security Services PortfolioDTS Solution - Cyber Security Services Portfolio
DTS Solution - Cyber Security Services PortfolioShah Sheikh
 

Empfohlen

Csa summit la transformación digital y el nuevo rol del ciso
Csa summit la transformación digital y el nuevo rol del cisoCsa summit la transformación digital y el nuevo rol del ciso
Csa summit la transformación digital y el nuevo rol del cisoCSA Argentina
 
Csa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCsa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCSA Argentina
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud CrossoverArmor
 
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALDefending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALMichael Bunn
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudCloudHesive
 
Pöyry ICS Cyber Security brochure (English)
Pöyry ICS Cyber Security brochure (English)Pöyry ICS Cyber Security brochure (English)
Pöyry ICS Cyber Security brochure (English)Pöyry
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Scalar Decisions
 
DTS Solution - Cyber Security Services Portfolio
DTS Solution - Cyber Security Services PortfolioDTS Solution - Cyber Security Services Portfolio
DTS Solution - Cyber Security Services PortfolioShah Sheikh
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Ulf Mattsson
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016Ulf Mattsson
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Shah Sheikh
 
Csa summit argentina-reavis
Csa summit argentina-reavisCsa summit argentina-reavis
Csa summit argentina-reavisCSA Argentina
 
Symantec Cyber Security Services: Security Simulation
Symantec Cyber Security Services: Security SimulationSymantec Cyber Security Services: Security Simulation
Symantec Cyber Security Services: Security SimulationSymantec
 
Security assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepSecurity assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepEnterpriseGRC Solutions, Inc.
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?manoharparakh
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessSirius
 
How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016Ulf Mattsson
 
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.Cristian Garcia G.
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadarVirginia Fernandez
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3EnterpriseGRC Solutions, Inc.
 
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber ResilienceISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber ResilienceShah Sheikh
 
how to secure web applications with owasp - isaca sep 2009 - for distribution
how to secure web applications with owasp - isaca sep 2009 - for distributionhow to secure web applications with owasp - isaca sep 2009 - for distribution
how to secure web applications with owasp - isaca sep 2009 - for distributionSantosh Satam
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyePrime Infoserv
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...Nicolas Beyer
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyFidelis Cybersecurity
 
DTS Solution - Company Presentation
DTS Solution - Company PresentationDTS Solution - Company Presentation
DTS Solution - Company PresentationShah Sheikh
 
Scalar_Managed_Security_Services_2016
Scalar_Managed_Security_Services_2016Scalar_Managed_Security_Services_2016
Scalar_Managed_Security_Services_2016patmisasi
 
MUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystMUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystFajar Nugroho
 
Fiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSFiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSJaime Martin Losa
 

Weitere ähnliche Inhalte

Was ist angesagt?

Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Ulf Mattsson
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016Ulf Mattsson
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Shah Sheikh
 
Csa summit argentina-reavis
Csa summit argentina-reavisCsa summit argentina-reavis
Csa summit argentina-reavisCSA Argentina
 
Symantec Cyber Security Services: Security Simulation
Symantec Cyber Security Services: Security SimulationSymantec Cyber Security Services: Security Simulation
Symantec Cyber Security Services: Security SimulationSymantec
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?manoharparakh
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessSirius
 
How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016Ulf Mattsson
 
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.Cristian Garcia G.
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3EnterpriseGRC Solutions, Inc.
 
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber ResilienceISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber ResilienceShah Sheikh
 
how to secure web applications with owasp - isaca sep 2009 - for distribution
how to secure web applications with owasp - isaca sep 2009 - for distributionhow to secure web applications with owasp - isaca sep 2009 - for distribution
how to secure web applications with owasp - isaca sep 2009 - for distributionSantosh Satam
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyePrime Infoserv
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...Nicolas Beyer
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyFidelis Cybersecurity
 
DTS Solution - Company Presentation
DTS Solution - Company PresentationDTS Solution - Company Presentation
DTS Solution - Company PresentationShah Sheikh
 
Scalar_Managed_Security_Services_2016
Scalar_Managed_Security_Services_2016Scalar_Managed_Security_Services_2016
Scalar_Managed_Security_Services_2016patmisasi
 

Was ist angesagt? (20)

Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
 
Csa summit argentina-reavis
Csa summit argentina-reavisCsa summit argentina-reavis
Csa summit argentina-reavis
 
Symantec Cyber Security Services: Security Simulation
Symantec Cyber Security Services: Security SimulationSymantec Cyber Security Services: Security Simulation
Symantec Cyber Security Services: Security Simulation
 
Security assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepSecurity assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP Prep
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 
How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016How can i find my security blind spots in Oracle - nyoug - sep 2016
How can i find my security blind spots in Oracle - nyoug - sep 2016
 
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
 
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber ResilienceISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
 
how to secure web applications with owasp - isaca sep 2009 - for distribution
how to secure web applications with owasp - isaca sep 2009 - for distributionhow to secure web applications with owasp - isaca sep 2009 - for distribution
how to secure web applications with owasp - isaca sep 2009 - for distribution
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEye
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
 
DTS Solution - Company Presentation
DTS Solution - Company PresentationDTS Solution - Company Presentation
DTS Solution - Company Presentation
 
Scalar_Managed_Security_Services_2016
Scalar_Managed_Security_Services_2016Scalar_Managed_Security_Services_2016
Scalar_Managed_Security_Services_2016
 

Ähnlich wie Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без дешифровки)

MUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystMUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystFajar Nugroho
 
Fiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSFiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSJaime Martin Losa
 
Fast RTPS Workshop at FIWARE Summit 2018
Fast RTPS Workshop at FIWARE Summit 2018Fast RTPS Workshop at FIWARE Summit 2018
Fast RTPS Workshop at FIWARE Summit 2018Jaime Martin Losa
 
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...FIWARE
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
Fiware: Connecting to robots
Fiware: Connecting to robotsFiware: Connecting to robots
Fiware: Connecting to robotsJaime Martin Losa
 
Fast RTPS: Programming with the Default Middleware for Robotics Adopted in ROS2
Fast RTPS: Programming with the Default Middleware for Robotics Adopted in ROS2Fast RTPS: Programming with the Default Middleware for Robotics Adopted in ROS2
Fast RTPS: Programming with the Default Middleware for Robotics Adopted in ROS2Jaime Martin Losa
 
tHE GENERATION AND USE OF TLS FINGERPRINGTS
tHE GENERATION AND USE OF TLS FINGERPRINGTStHE GENERATION AND USE OF TLS FINGERPRINGTS
tHE GENERATION AND USE OF TLS FINGERPRINGTSortdx
 
Gain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC NetworkingGain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC NetworkingCisco Canada
 
Cisco DC Networking: Gain Insight and Programmability with
Cisco DC Networking: Gain Insight and Programmability with Cisco DC Networking: Gain Insight and Programmability with
Cisco DC Networking: Gain Insight and Programmability with Cisco Canada
 
Gain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC NetworkingGain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC NetworkingCisco Canada
 
BRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdfBRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdfMenakaDevi14
 
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMNext-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMOpen Networking Summit
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019James Bromberger
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the NetworkCisco Canada
 
TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics Robb Boyd
 

Ähnlich wie Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без дешифровки) (20)

MUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystMUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration Analyst
 
Fiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSFiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPS
 
Fast RTPS Workshop at FIWARE Summit 2018
Fast RTPS Workshop at FIWARE Summit 2018Fast RTPS Workshop at FIWARE Summit 2018
Fast RTPS Workshop at FIWARE Summit 2018
 
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
 
Fast RTPS
Fast RTPSFast RTPS
Fast RTPS
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 
Fiware: Connecting to robots
Fiware: Connecting to robotsFiware: Connecting to robots
Fiware: Connecting to robots
 
Fast RTPS: Programming with the Default Middleware for Robotics Adopted in ROS2
Fast RTPS: Programming with the Default Middleware for Robotics Adopted in ROS2Fast RTPS: Programming with the Default Middleware for Robotics Adopted in ROS2
Fast RTPS: Programming with the Default Middleware for Robotics Adopted in ROS2
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
tHE GENERATION AND USE OF TLS FINGERPRINGTS
tHE GENERATION AND USE OF TLS FINGERPRINGTStHE GENERATION AND USE OF TLS FINGERPRINGTS
tHE GENERATION AND USE OF TLS FINGERPRINGTS
 
Gain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC NetworkingGain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC Networking
 
Cisco DC Networking: Gain Insight and Programmability with
Cisco DC Networking: Gain Insight and Programmability with Cisco DC Networking: Gain Insight and Programmability with
Cisco DC Networking: Gain Insight and Programmability with
 
Gain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC NetworkingGain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC Networking
 
BRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdfBRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdf
 
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMNext-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAM
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
SDN and metrics from the SDOs
SDN and metrics from the SDOsSDN and metrics from the SDOs
SDN and metrics from the SDOs
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the Network
 
TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics
 

Mehr von Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

Mehr von Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Kürzlich hochgeladen

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 

Kürzlich hochgeladen (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без дешифровки)

  • 1. Deciphering Malware’s Use of TLS (without Decryption) Ruslan Ivanov Consulting Systems Engineer, Cisco ruivanov@cisco.com
  • 2. В докладе рассматривается работа группы исследователей компании Cisco, доказывающая применимость традиционных методов статистического и поведенческого анализа для обнаружения и атрибуции вредоносного ПО, использующего TLS в качестве метода шифрования каналов взаимодействия, без дешифровки или компрометации TLS-сессии. О чём этот доклад?
  • 3. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public People Blake Anderson – Technical Leader PhD in Computer Science (Machine Learning) Started at Cisco in 2015 David McGrew – Cisco Fellow PhD in Physics (Chaos Theory) Started at Cisco in 1998 BRKSEC-2809 3
  • 4. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Problem: Encrypted Malware Traffic • TLS usage increasing (this is not bad!) • String-matching solutions less ineffective • MITM problems • Privacy, legal, deployment, expense, non-cooperating clients InternetPremises BRKSEC-2809 4
  • 5. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Our Approach: Leverage All Data Features InternetPremises Netflow data: SrcIP, DstIP, SrcPort, DstPort, Proto, #Bytes, #Packets Intraflow data: Packet Lengths & Inter-arrival Times, Byte Distribution, … TLS metadata: Extensions, Ciphersuites, SNI, Certificate Strings, … DNS data: Names and TTLs of linked responses HTTP data: Headers and File Magic for other flows from target 5BRKSEC-2809
  • 6. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Flow Monitoring Export Collection Analysis StorageObservation Observation Observation srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets BRKSEC-2809 6
  • 7. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Enhanced Telemetry Export Collection Analysis StorageObservation Observation Observation srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets New Data Features BRKSEC-2809 7
  • 8. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Solution Overview OS inference Endpoint Context OS, Applications, PMTU, RTT, Infection, … ETTA data flow record labels flow record fingerprint rules classifier description Cisco Products ETTA data Application inference Malware Detection Malware Family Crypto Audit BRKSEC-2809 8
  • 9. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Data Collection Training/Storage • Metadata • Packet lengths • TLS • DNS • HTTP Benign Records Malware Records Classifier/Rules BRKSEC-2809 9BRKSEC-2809 9
  • 10. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Malware Benign • ThreatGRID pcaps • 5-minute sandbox runs • Threat Score = 100/100 • Millions of pcap’s • ~5,000-15,000 new pcap’s a day • Hundreds of millions of flows • Enterprise DMZ • ~10-15 million flows per day • ~500 user site • IP addresses are anonymized BRKSEC-2809 10
  • 11. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Exploring Threat Data Features at Scale joy pcap2flowpcap json pcap2flow json Offline Online exporter jsoncollector https://github.com/cisco/joy Bill Hudson Philip Perricone 11BRKSEC-2809
  • 12. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public src dst • SPLT – Sequence of Packet Lengths and Arrival Times • Byte Distribution • Byte Entropy Enhanced Telemetry Data Types 12BRKSEC-2809
  • 13. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Sequence of Packet Lengths and Times src dst ClientpacketsServerpackets Time BRKSEC-2809 13
  • 14. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K BRKSEC-2809 14
  • 15. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 BRKSEC-2809 15
  • 16. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 1 BRKSEC-2809 16
  • 17. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 2 BRKSEC-2809 17
  • 18. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Byte Distribution 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b H T T P / 1 . 1 2 0 0 O K 1 1 2 BRKSEC-2809 18
  • 19. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public TLS Handshake Protocol Client Server ClientHello ServerHello / Certificate ClientKeyExchange / ChangeCipherSpec Application Data ChangeCipherSpec BRKSEC-2809 19
  • 20. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Most popular TLS clients: • IE 8/11*, Tor, Opera • Wide variety in the number of distinct ciphersuite offer vectors • Some malware families only used one while others used hundreds • 2048-bit DHE_RSA was by far the most popular public key algorithm / size TLS Clients BRKSEC-2809 20
  • 21. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Most popular servers (taken from the certificate subject): • Bitcoin wallet (e.g., block.io) • File sharing sites (e.g., dropbox.com) • Advertising (e.g., criteo.com) • Search engines (e.g., google.com, baidu.com) • DGA-like certificate subjects were very common • .7% (as opposed to .09% on an enterprise network) used self-signed certificates • TLS_RSA_WITH_3DES_EDE_CBC_SHA was the most popular selected ciphersuite • These features are heavily dependent on the malware family TLS Servers BRKSEC-2809 21
  • 22. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Retain original capitalization • User-Agent vs user-agent vs User-agent vs USER-AGENT vs User-AgEnt • Retain original ordering of header fields • Absence or presence of HTTP fields gives information about environment • via, x-imforwards • Common User-Agent values: • Opera/9.50(WindowsNT6.0;U;en) • Mozilla/5.0(Windows;U;WindowsNT5.1;en- US;rv:1.9.2.3)Gecko/20100401Firefox/3.6.1(.NETCLR3.5.30731) • Mozilla/5.0(WindowsNT6.3;WOW64;Trident/7.0;Touch;rv:11.0)likeGecko HTTP Fields BRKSEC-2809 22
  • 23. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Common TTL values: • 100 > 300 > 60 > 3600 • Number of IPs per request: • 1 > 4 > 11 > 2 > 6 • Most common suffixes: • com > net > pl > eu > org • ~95% not found in the Alexa top-1,000,000 list DNS Information BRKSEC-2809 23
  • 24. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Server Name Indication • Extension type: server_name (0x0000) • Indication from the client about the hostname of the server Record Headers ClientHello Random Nonce [Session ID] Cipher suites Compression Methods Extensions Single Extension BRKSEC-2809 24
  • 25. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Certificate Information • Check for self-signed certificates • Issuer == Subject • Check for certificates not within validity period • Check for discrepancies in the SubjectAltName (optional certificate extension and the server_name extension Record Headers Certificate … Cert Headers Cert Signature Algorithm Issuer Validity Period Subject Subject Public Key Optional Info Cert Sig Alg Cert Signature BRKSEC-2809 25
  • 26. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public TLS Client Fingerprinting Record Headers ClientHello Random Nonce [Session ID] Cipher suites Compression Methods Extensions Used for fingerprinting 0.9.8 1.0.0 1.0.1 1.0.2 OpenSSL Versions BRKSEC-2809 26
  • 27. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Classification Model on SPLT and BD Length transition bins Time transition bins Classifier Feature Selection [0,1] BRKSEC-2809 28
  • 28. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Evaluating Algorithms BRKSEC-2809 29
  • 29. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Malware • August 2015 to May 2016 pcaps from ThreatGRID • TLS (443) traffic, > 100 in and out bytes • 225,740 flows, Telemetry enhanced with TLS extensions, ciphersuites, and public key lengths • Benign • traffic taken from a large enterprise DMZ • TLS (443) traffic, > 100 in and out bytes • 225,000 flows, Telemetry enhanced with TLS extensions, ciphersuites, and public key lengths • 10-fold cross-validation Test Setup BRKSEC-2809 30
  • 30. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public src dst • Packet Lengths and Inter-arrival Times Modeled as 1st Order Markov Chains • Probabilities of Byte Values in Payload • Binary Vector of Offered Ciphersuites and Extensions, and Client’s Public Key Size Intraflow Features BRKSEC-2809 31
  • 31. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Results • L1-logistic regression • Meta + SPLT + BD • 0.01% FDR: 1.3% • Total Accuracy: 98.9% • L1-logistic regression • Meta + SPLT + BD + TLS • 0.01% FDR: 92.8% • Total Accuracy: 99.6% BRKSEC-2809 32
  • 32. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Results (without Schannel) • L1-logistic regression • Meta + SPLT + BD • 0.01 FDR: 0.9% • Total Accuracy: 98.5% • L1-logistic regression • Meta + SPLT + BD + TLS • 0.01 FDR: 87.2% • Total Accuracy: 99.6% BRKSEC-2809 33
  • 33. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Per-Family Classification Results Malware Family Meta+SPLT+BD Meta+SPLT+BD+TLS Bergat* 100.0% 100.0% Sality* 95.0% 97.7% Dridex 16.5% 78.5% Skeeyah 95.9% 98.6% Virlock 100.0% 100.0% BRKSEC-2809 34
  • 34. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Malware • August 2015 to May 2016 pcaps from ThreatGRID • TLS (443) traffic, > 100 in and out bytes • 13,542 flows with all available data (~63.2% of malicious TLS flows) • Benign • traffic taken from a large enterprise DMZ • TLS (443) traffic, > 100 in and out bytes • 42,927 flows with all available data (~3.8% of benign TLS flows) • 10-fold cross-validation Test Setup BRKSEC-2809 35
  • 35. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public src dst • Packet Lengths and Inter-arrival Times Modeled as 1st Order Markov Chains • Probabilities of Byte Values in Payload • Binary Vector of Offered Ciphersuites and Extensions, and Client’s Public Key Size Intraflow Features BRKSEC-2809 36
  • 36. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • DNS • Alexa Lists • Lengths of DN and FQDN • Suffix • TTL • % Numerical Characters • % Non-alphanumeric Chars • HTTP • Outbound/inbound header fields • Content-Type • User-Agent • Accept-Language • Server • code Contextual Flow Features BRKSEC-2809 37
  • 37. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • L1-logistic regression • Traditional Side Channel Features • 0.00% FDR: 0.00% • Total Accuracy: 93.1% • L1-logistic regression • All Available Features • 0.00% FDR: 99.9% • Total Accuracy: 99.9% Results (10-fold cross-validation) BRKSEC-2809 38
  • 38. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Detecting Encrypted Malware Acc. 0.00% FDR SPLT+BD+TLS+HTTP+DNS 99.993% 99.978% TLS 94.836% 50.406% DNS 99.496% 94.654% HTTP 99.945% 98.996% TLS+DNS 99.883% 96.551% TLS+HTTP 99.955% 99.660% HTTP+DNS 99.985% 99.956% SPLT+BD+TLS 99.933% 70.351% SPLT+BD+TLS+DNS 99.968% 98.043% SPLT+BD+TLS+HTTP 99.983% 99.956% TLS DNS HTTP SPLT+BD BRKSEC-2809 39
  • 39. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Interpretability • Malware Features • DNS Suffix: org • DNS TTL: 3600 • TLS_RSA_WITH_RC4_128_SHA • HTTP Field: location • DNS Alexa: Not Found • HTTP Server: nginx • HTTP Code: 404 • Benign Features • TLS Ext: extended_master_secret • Content type: application/octet-stream • TLS_DHE_RSA_WITH_DES_CBC_SHA • HTTP Server: Microsoft-IIS/8.5 • DNS Alexa: top-1,000,000 • HTTP User-Agent: Microsoft-CryptoAPI/6.1 BRKSEC-2809 40
  • 40. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public • Datasets are relatively limited • Evasion is possible • Not impossible to mimic popular TLS/HTTP/DNS clients/servers/responses • But, mimicking these features requires an on-going and non-trivial software engineering effort • Can (hopefully) limit evasion attacks • Identify most robust network features (several good existing algorithms) • Include higher order interactions: • TLS client / HTTP user agent(s) • Ordering of offered ciphersuites and HTTP fields Caveats / Biases BRKSEC-2809 41
  • 41. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Conclusions • Malware’s use of TLS is increasing • Our research complements current solutions • Machine learning/rules applied to passively obtained network data features can detect malware communication • https://github.com/cisco/joy • Note: contact authors to obtain well-trained classifier parameters 0.00% 5.00% 10.00% 15.00% 20.00% 25.00% Percentage of malware traffic using TLS BRKSEC-2809 42
  • 42. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public https://arxiv.org/abs/1607.01639 Название: «Deciphering Malware's use of TLS (without Decryption)» Авторы: Blake Anderson, Subharthi Paul, David McGrew Препринт статьи, на основе которой сделана данная презентация, доступен по адресу: 43
  • 43. Q & A

Hinweis der Redaktion

  1. (Currently Implemented in a Switch and/or NGA)
  2. (Currently Implemented in a Switch and/or NGA)
  3. (Currently Implemented in a Switch and/or NGA)
  4. (Currently Implemented in a Switch and/or NGA)