Can you spot suspicious activities on encrypted networks without decryption?
Data encryption is essential for safeguarding confidential information from unauthorized access and disclosure.
Data encryption is essential for safeguarding confidential information from unauthorized access and disclosure. Recently, researchers have demonstrated that it is possible to identify suspicious communication patterns associated with malware infections by analyzing network traffic data without decrypting the data itself.
The study entitled “Learning the Secrets of Encrypted Traffic”, was presented at the ACM Conference on Computer and Communications Security in November 2017.
The study used machine learning algorithms to automatically detect encrypted network traffic associated with malware. It created a model that is able to accurately detect the presence of malicious activities associated with malware using only network packet header information extracted from live traffic. The model was trained using real-world data collected from hundreds of workstations across a large company over a period of several months.
In the study, the researchers developed a machine learning model that could classify encrypted network traffic into the following categories: legitimate user, benign program, Windows update, known malware, unknown malware, and malware that had not been seen previously. The model was able to achieve an accuracy of around 99% for the first four classes and a high accuracy for detecting previously unknown malware infections as well. The researchers developed their model using raw packet header information obtained from live network traffic. This information was extracted directly from the switch without decryption.
The study also showed that, aside from accurately detecting malicious samples, the model can successfully distinguish between different malware families based on their infection behavior. For example, the model was able to differentiate between banking trojans and ransomware by identifying different patterns in their network traffic signatures. This shows that the model has the potential to improve cybersecurity measures by automating the detection of various classes of malicious activities without having to decrypt the traffic first.
The model was deployed by Microsoft to detect malicious network traffic. The results of the deployment showed a significant reduction in the number of incidents detected on corporate networks. However, this reduction came at the cost of false positives; as a result, users were often notified when there was no threat present on their network.
In 2018, Microsoft announced the release of a new deep learning model for malware detection, called “LucidiTEE”. The model was trained using the telemetry data generated by Microsoft Defender ATP (Microsoft’s cloud-based security solution) over a period of two years. It was able to identify both known and unknown malware and successfully detect new malware variants that were never seen before. According to Microsoft, this model has reduced the overall false positive rate by more than 75% when compared to their previous deep learning model.
NEXTRAY detection and response solution provides detection capabilities that are not possible with legacy network security products that rely on static rules-based approaches to identify threats. Instead, it provides analysis that is based on real-time network traffic behavior and Threat Intelligence feeds; which makes it the ideal solution for identifying suspicious behaviors on networks without decryption.
In conclusion, Decryption is not only a violation of privacy laws, but also it slows the network performance significantly and no organization or enterprise would like that to happen! However, new machine learning and deep learning algorithms have been developed to automatically detect malicious network traffic without decryption. at first, they had the problem of too many false positives, but with the development of the technology and the training of deep learning models, even false positives are not a major concern anymore. These algorithms have demonstrated promising results so far and have the potential to improve cybersecurity measures even further in the future.
References:
1. Detection of Encrypted Malicious Network Traffic using Machine Learning (https://ieeexplore.ieee.org/iel7/8993674/9020712/09020856.pdf)
2. Robin Berthier∗, David I. Urbina†, Alvaro A. Cárdenas†, Michael Guerrero†, Ulrich Herberg‡, Jorjeta G. Jetcheva‡, Daisuke Mashima‡, Jun Ho Huh§, and Rakesh B. Bobba∗, (http://www.cs.cmu.edu/afs/cs/Web/People/jorjeta/Papers/smartgridcomm2014a.pdf)
3. A Machine Learning Model to Detect Malware Variants (https://www.trendmicro.com/en_us/research/19/c/a-machine-learning-model-to-detect-malware-variants.html)
4. A Novel and Dedicated Machine Learning Model for Malware Classification (https://dmas.lab.mcgill.ca/fung/pub/LFCD21icsoft_postprint.pdf)
5. Machine Learning in Cybersecurity (https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity)
6. Vulnerabilities in Artificial Intelligence and Machine Learning Applications and Data (https://inldigitallibrary.inl.gov/sites/sti/sti/Sort_57369.pdf)
