Brent Kelly is president and principal analyst at KelCor, Inc., where he provides strategy and counsel to key client types...
Brent Kelly | August 31, 2017 |
Cisco Malware Detection: What Communications Folks Need to Know

Encrypted Traffic Analytics, a new method for detecting malware in encrypted data traffic, may have applicability for encrypted SIP flows.

One of the most intriguing capabilities Cisco announced at its June Cisco Live conference is Encrypted Traffic Analytics (ETA), a solution that has the ability to examine encrypted data traffic and identify threats, like viruses and malware. The company claims ETA is 99+% accurate in detecting these menaces without decryption.

This post describes how ETA works, why it requires a new generation of switches, and why we in the communications industry should care.

Encrypted Traffic Is Growing
According to an April 2017 study sponsored by Thales e-Security, enterprise use of encrypted data flows, already on the rise, is expected to increase rapidly as companies roll out Internet of Things (IoT) programs and make encryption devices and policies the norm. Encrypting data brings a far greater sense of content security than allowing open data flows, but it turns out that hackers and malware makers are also incorporating the use of encrypted flows to make their threats much more difficult to detect.

Many organizations have responded to this increase in encrypted traffic by putting some sort of trusted "device in the middle" that decrypts traffic, does a deep packet inspection looking for threats, and then re-encrypts the data. While this method works, it isn't scalable in terms of investment and required compute power.

Cisco's ETA Approach for Malware Detection
With ETA, Cisco takes an alternative approach to examining encrypted traffic: rather than decrypting it, ETA looks for patterns in malware-infected, but still encrypted, data flows. Many malware schemes create unique fingerprints or identifiable patterns while they are setting up the flows and as the flows progress. By training a machine learning algorithm on known patterns of infected encrypted data, ETA can detect malware even while the data flow is encrypted.

Two key elements establish a malware fingerprint in encrypted data: the initial data packet, and the sequence of packet lengths and times during a flow.

Many encrypted data flows use transport layer security (TLS) as the cryptographic protocol for providing security between two applications communicating over a network. The majority of TLS handshake messages are unencrypted, and Cisco switches in the flow path can gather this TLS handshaking information and use it as metadata. The initial packet offered by the device initiating the flow is very important because it provides a gold mine of TLS information while remaining unencrypted.

TLS handshaking for establishing a secure connection involves the following steps:

  1. Agree on the version of the TLS protocol to use
  2. Agree on the cryptographic algorithms to use
  3. Exchange and validate digital certificates
  4. Generate a shared secret key
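To make concrete what a switch in the flow path can read from that initial packet without any decryption, here is an added example (not Cisco's code or ETA's actual feature extractor) that builds a constructed TLS 1.2 ClientHello and parses out the cleartext fields: the offered protocol version, the cipher suite list, and the server name extension. The byte layout follows the TLS record and handshake formats; the server name "example.test" and the two cipher suites are assumed sample values.

```python
import struct

# Constructed TLS 1.2 ClientHello (not a captured packet): version 0x0303,
# 32 zero bytes of random, empty session id, two cipher suites, null
# compression and a single server_name extension for "example.test".
SNI = b"example.test"
_sni_body = struct.pack("!HBH", len(SNI) + 3, 0, len(SNI)) + SNI
_extensions = struct.pack("!HH", 0x0000, len(_sni_body)) + _sni_body
_hello = (
    b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"   # cipher_suites list (2 suites)
    + b"\x01\x00"                                  # compression_methods: null only
    + struct.pack("!H", len(_extensions)) + _extensions
)
_handshake = b"\x01" + len(_hello).to_bytes(3, "big") + _hello
CLIENT_HELLO = b"\x16\x03\x01" + struct.pack("!H", len(_handshake)) + _handshake


def u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(record):
    """Return the cleartext ClientHello fields visible to a device in the flow path."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                  # 5-byte record header + 4-byte handshake header
    version = u16(record, pos)
    pos += 2 + 32                            # client_version + random
    pos += 1 + record[pos]                   # session_id (length-prefixed)
    n = u16(record, pos)
    pos += 2
    suites = [u16(record, i) for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + record[pos]                   # compression_methods (length-prefixed)
    ext_end = pos + 2 + u16(record, pos)
    pos += 2
    sni = None
    while pos < ext_end:                     # walk the extension list
        etype, elen = u16(record, pos), u16(record, pos + 2)
        pos += 4
        if etype == 0:                       # server_name: list_len(2) type(1) name_len(2) name
            sni = record[pos + 5:pos + 5 + u16(record, pos + 3)].decode("ascii")
        pos += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}


if __name__ == "__main__":
    print(parse_client_hello(CLIENT_HELLO))
```

Everything the parser returns is sent in the clear before any key exchange completes, which is why a flow-path device can collect it as metadata even though the application data that follows is encrypted.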

Cisco also collects the sequence of packet lengths and times because they can serve as indicators of what's happening in an encrypted flow.

The figure above shows packet length (vertical lines) and arrival times (horizontal lines) for two different TLS sessions. On the left is a pattern for a typical Google search, while the image at the right is a session for the BestaFera trojan hackers used to collect a user's online banking data and send information to a control server. The red lines at the start represent unencrypted TLS packets while the gray lines are encrypted data flows.

The Google search at the left proceeds as expected. The user begins typing, and the browser sends an outbound packet to Google. Google immediately responds with a lot of packets containing possible auto-complete results based on its predictive algorithms using the typed letters or words. The small gray packets on top represent the user still typing as he/she completes entering the search terms. Google then sends updated results.

In the malware image on the right, the TLS handshake occurs, but the BestaFera server sends back a self-signed certificate (note it is still in red, unencrypted, so ETA can detect it). The virus then commands the user's device to begin sending a lot of data (Data Exfiltration), as shown in the upper gray lines. Finally, the virus server sends a command and control message (the C2 Message).

The point is that mapping arrival times and packet sizes along with TLS handshake information provides a pattern for detecting both good and bad data in encrypted traffic flows.

Tuning the Machine Learning Algorithm
In the example above, Cisco used the free scikit-learn software machine learning library. Written in the Python programming language, scikit-learn has a number of sponsors including INRIA, a French technology institute; New York University; Paris-Saclay Center for Data Science; Columbia University; and Google.

In simple terms, engineers can use the scikit-learn machine learning program to classify data or information. They can also use it to estimate values (regression) or to identify clusters. Cisco is using it to classify data flows as either malicious or benign.

Without going into too much detail, readers should understand that engineers can tweak and tune machine learning models, and that it takes judgment and skill to determine which tuning parameters will give the best results. The data below shows the results of Cisco's training of the scikit-learn program.

The data shown above illustrates the accuracy of the model given different data combinations. Legacy, on the left, means typical NetFlow information, such as the duration of the flow and the number of packets and bytes exchanged by each side. Legacy/SPL adds the sequence of packet lengths while TLS adds data for the TLS handshaking.

The most important data to examine are the two bottom rows, as all available data is used to train the model. The tradeoff between correctly detecting malware and predicting false positives is clear. For example, at the 0.5 value for the tuning parameter, the model correctly detects malware 99.35% of the time and benign flows 98.38% of the time. This 98.38% figure means that in 162 flows out of 10,000 (10,000 - 9,838), the model will incorrectly predict that a benign flow has malware (a false positive). When the tuning parameter is set to 0.99, the model gets the benign packets right 100% of the time, but is only 68.83% accurate in detecting malware packets. The point is that these machine learning models are rarely 100% accurate, and no single setting here gets both benign and malware-laden packets right 100% of the time. Thus, human judgment and understanding are still required, even when artificial intelligence and machine learning are in use.
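The tradeoff described above comes down to where the decision threshold is set on the classifier's output. The added example below (not Cisco's data or model) scores a constructed set of 20 flows, sweeps the threshold, and reports malware detection rate, benign accuracy, and the resulting false positives per 10,000 benign flows, the same arithmetic the paragraph applies to the 98.38% figure. The scores are assumed sample values standing in for a trained model's output.

```python
# Constructed classifier output for 20 flows (not Cisco's results): each entry
# is the model's malware probability and the true label (1 = malware, 0 = benign).
SCORED_FLOWS = [
    (0.998, 1), (0.995, 1), (0.97, 1), (0.91, 1), (0.86, 1),
    (0.74, 1), (0.62, 1), (0.55, 1), (0.40, 1), (0.20, 1),
    (0.02, 0), (0.05, 0), (0.08, 0), (0.15, 0), (0.22, 0),
    (0.33, 0), (0.47, 0), (0.58, 0), (0.70, 0), (0.95, 0),
]


def expected_false_positives(benign_accuracy_pct, benign_flows):
    """Benign flows wrongly flagged at a given benign accuracy (98.38% of 10,000 -> 162)."""
    return round(benign_flows * (1 - benign_accuracy_pct / 100))


def evaluate(scored_flows, threshold):
    """Flag a flow as malware when score >= threshold; return detection and benign accuracy."""
    tp = fn = tn = fp = 0
    for score, label in scored_flows:
        flagged = score >= threshold
        if label == 1:
            tp += flagged
            fn += not flagged
        else:
            fp += flagged
            tn += not flagged
    malware_detected = tp / (tp + fn)      # share of malware flows caught
    benign_correct = tn / (tn + fp)        # share of benign flows left alone
    return {
        "threshold": threshold,
        "malware_detected": malware_detected,
        "benign_correct": benign_correct,
        "false_positives_per_10k": round((1 - benign_correct) * 10_000),
    }


def sweep(scored_flows, thresholds=(0.5, 0.9, 0.99)):
    """Raising the threshold lowers false positives but also lowers malware detection."""
    return [evaluate(scored_flows, t) for t in thresholds]


if __name__ == "__main__":
    for row in sweep(SCORED_FLOWS):
        print(row)
```

With these constructed scores, moving the threshold from 0.5 to 0.99 drives false positives to zero while detection falls from 80% to 20%, the same shape of tradeoff the paragraph describes, which is why an analyst still has to pick the operating point and review what the model flags.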

When ETA predicts malware, it does not automatically quarantine a machine from the network. Rather it raises an alarm that manual, human intervention is required to place devices under quarantine.
