
    Applying Machine Learning to Encrypted Network Traffic for Malware Detection

    The landscape of network analysis is ever-evolving as the fields of technology and business progress. While the landscape of the analysis may change, at the core of network analysis is the detection of malicious activity. In real-time traffic flow, it is non-trivial to determine whether a particular flow is malicious in nature. Most malicious software (malware) analysis is done after the flow has already reached its end target, and is analyzed in the form of network traffic captures. For any network analysis system, it is important that the privacy of the data being transmitted is not compromised in the process. Using network contextual flow data, it is possible to analyze and classify network traffic without compromising the encrypted data being transported. In this project, we analyzed the impact of using the Intel Data Analytics Acceleration Library (DAAL) to expedite the analysis and inference of encrypted network traffic for the presence of malware. The DAAL package enables the acceleration of analytics through its design to target Intel hardware, being developed in a combination of C and assembly language for their architecture. With its streamlined design, using the library allows for analysis to take place many times faster than using the typical Python framework and data analysis libraries, such as scikit-learn. Using these tools developed by Intel, our team designed an inference system that is capable of performing real-time analysis of network flows to detect malicious activity.

    Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

    In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices. Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in report.

    An overview of ADSL homed nepenthes honeypots in Western Australia

    This paper outlines initial analysis from research in progress into ADSL homed Nepenthes honeypots. One of the Nepenthes honeypots' prime objectives in this research was the collection of malware for analysis and dissection. A further objective is the analysis of risks that are circulating within ISP networks in Western Australia. What differentiates Nepenthes from many traditional honeypot designs is that it has been engineered from a distributed network philosophy. The program allows distribution of results across a network of sensors and subsequent aggregation of malware statistics readily within a large network environment.