Modeling the network behavior of malware to block malicious patterns. the stratosphere project: a behavioral ips presentation

An insight of how machine learning behavioral models can help detect new malware and botnet traffic. Show how the Stratosphere IPS project implements traffic models and detection models. Talk given in Virus Bulletin conference 2015.

  1. MODELLING THE NETWORK BEHAVIOR OF MALWARE TO BLOCK MALICIOUS PATTERNS. THE STRATOSPHERE PROJECT. Sebastian Garcia, PhD. CTU University, Prague. sebastian.garcia@agents.fel.cvut.cz, @eldracote
  2. CURRENT NETWORK SOLUTIONS. IoC: Domains, Payloads, URLs. Fingerprints. Behaviors: Anomaly Detection.
  3. CURRENT NETWORK SOLUTIONS. IoC: Domains, Payloads, URLs, IPs. Fingerprints. Behaviors: Anomaly Detection. Issues: Lifetime. Static. Verification and Errors. Easy adaptation from attackers. Huge Amount.
  4. CURRENT NETWORK SOLUTIONS. IoC: Domains, Payloads, URLs, IPs. Fingerprints. Behaviors: Anomaly Detection, Behavioral Models. Issues: Lifetime. Static. Verification and Errors. Easy adaptation from attackers. Huge Amount.
  5. STRATOSPHERE IPS PROJECT. Free Software. Machine Learning. Behavioral Patterns. NGOs & CSOs. Verified.
  6. STRATOSPHERE TECHNICAL PILLARS. LESS IS MORE. DISASSOCIATE. VERIFY.
  7. STRATOSPHERE PILLARS. LESS IS MORE: Analyze the behavior of connections, not hosts or networks. DISASSOCIATE: "Represent the behavior" from "Detect the behavior". VERIFY: Verify the models with real and labeled data.
  8. LESS IS MORE. Your behavior is usually the same when connecting with the same service. Group the flows going to a specific service by ignoring the source port. We have a connection. The connection, composed of several flows, now shows a behavior.
  9. LESS IS MORE. When using a service, you go from a specific state to the next state. Each flow inside the connection gets its own state. We model the states based on four features: size of the flow, duration of the flow, periodicity of the flow, time between consecutive flows.
  10. BEHAVIORAL STATES. Periodicity levels: Strong Periodicity, Weak Periodicity, Weak Non-Periodicity, Strong Non-Periodicity. Symbols for time difference (one symbol per range): between 0 and 5 seconds; between 5 and 60 seconds; between 60 secs and 5 mins; between 5 mins and 1 hour; timeout of 1 hour.
  11. BEHAVIORAL STATES
  12. BEHAVIORS ARE MORE STABLE. Malware generates the same behavior over and over again. Changing the behavior is costly for the attacker. Behaviors do not expire quickly. Infections go unnoticed for hours. There is time. We collect normal and malware behaviors.
  13. DETECTION MODELS. Several models can be implemented. Currently two working and two under development. Interpret the transition from one state to the other as a Markov Chain.
  14. DETECTION MODELS. Interpret the transition from one state to the other as a Markov Chain. Example state string: a,a,c+d+d+ (figure of the chain's transition probabilities).
  15. DETECTION MODELS. Train Markov Models with known behaviors. Compare the unknown traffic to each Markov Model of the trained behaviors. (Figure: an unknown state string, t,t+z+z+Z+Z+, compared against the trained models.)
  16. DETECTION MODEL. Detect similar behavior in unknown networks by generalizing the Markov Models. Compute the winner model. Are results good?
  17. VERIFICATION. Yes, but... Depends on: datasets, time frame, verification method. Large, public, labeled and real datasets with normal, malicious and hybrid behaviors. Compare different approaches. Crucial for predicting the performance.
  18. CONCLUSION. Network behavioral patterns work well as a complement of current detection solutions. Thanks! Sebastian Garcia, sebastian.garcia@agents.fel.cvut.cz, @eldracote, https://stratosphereips.org
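A worked example of the pipeline in slides 8 to 16, added here and not code from the talk or from the Stratosphere IPS project: flows are grouped into connections by dropping the source port, one Markov chain per labeled behavior is trained on state strings of the form shown on slide 14, and an unknown connection is scored against every model to compute the winner. The state letters, gap symbols, flow fields and training strings are constructed placeholders, not the project's real alphabet.

```python
# Added example (not code from the talk or the Stratosphere project):
# group flows into connections, train one first-order Markov chain per
# labelled behaviour over state strings such as "a,a,c+d+d+" (one state
# letter per flow, one symbol per time gap), then score an unknown string
# against every model. Letters, gap symbols and flow fields are placeholders.
from collections import defaultdict
from math import log

def group_flows(flows):
    """Key flows by (src, dst, dport, proto): drop the source port ('less is more')."""
    conns = defaultdict(list)
    for f in flows:
        conns[(f["src"], f["dst"], f["dport"], f["proto"])].append(f)
    return dict(conns)

def train(strings, alphabet):
    """Laplace-smoothed initial and transition probabilities of one behaviour."""
    init = {a: 1 for a in alphabet}
    trans = {a: {b: 1 for b in alphabet} for a in alphabet}
    for s in strings:
        init[s[0]] += 1
        for a, b in zip(s, s[1:]):
            trans[a][b] += 1
    p0 = {a: c / sum(init.values()) for a, c in init.items()}
    probs = {a: {b: c / sum(row.values()) for b, c in row.items()} for a, row in trans.items()}
    return p0, probs

def log_likelihood(model, s, floor=1e-6):
    """Length-normalised log-probability of s; symbols unseen in training get floor."""
    p0, probs = model
    ll = log(p0.get(s[0], floor))
    for a, b in zip(s, s[1:]):
        ll += log(probs.get(a, {}).get(b, floor))
    return ll / len(s)

def winner(models, s):
    """Label whose Markov model explains the unknown state string best."""
    scores = {name: log_likelihood(m, s) for name, m in models.items()}
    return max(scores, key=scores.get), scores

# Constructed labelled state strings: a periodic C&C beacon vs. bursty browsing.
TRAINING = {
    "malware-cc": ["a,a,a,a,a,a,", "a,a+a,a,a,a,", "a,a,a,a+a,a,"],
    "normal-web": ["R.R.R.r.R.R,R.", "R.r.R.R.R.R.R.", "R.R.R.R,R.r.R."],
}
ALPHABET = sorted({c for ss in TRAINING.values() for s in ss for c in s})
MODELS = {name: train(ss, ALPHABET) for name, ss in TRAINING.items()}
print(winner(MODELS, "a,a,a,a+a,a,")[0])  # beacon-like unknown -> malware-cc
```

The per-symbol normalisation lets connections of different lengths be compared, and the floor keeps a symbol never seen in training from crashing the scorer.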