Researchers Spot Malware in Encrypted Traffic

A group of Cisco researchers have managed to spot malicious traffic in encrypted traffic without any need to decrypt data. The discovery could pave the way for products that can secure networks while maintaining privacy. Peter Kosinar, Researcher at ESET commented below.

Peter Kosinar, Researcher at ESET:

“The findings in the paper are certainly interesting and could be used to improve detection rates in certain scenarios — even though the number of malware families analyzed in the paper is not very high (i.e. the overall efficiency might improve only a little). Moreover, the findings of the paper only apply to the enterprise environment; home users tend to run a lot more software which can exhibit non-standard communication patterns and thus this kind of network-based approach would cause too many false positives. And one should not forget that this kind of detection only works post-fact, when the computer is already infected and communicates with its C&C server; which means damage (e.g. file encryption in case of ransomware) might already have been done…

I certainly don’t know if *this* specific approach will be used by any security vendor; but many of them do employ a variety of methods based on structural properties of network communication, be it encrypted or not. I would also expect this kind of detection to be employed in network-based security solutions, rather than host-based ones (i.e. a security system running on your router, firewall or similar network component, rather than an endpoint computer); the latter have better information about what is happening on the computer and can thus base their decisions on far more data than “just” the network flow. The whole experiment was also undertaken in enterprise environment — which is the kind of environment where network-based security solutions are mostly employed.

There are many simple approaches to avoiding this type of detection — using existing open-source browser implementations (e.g. taking parts of Firefox or Chromium’s source code) would make the client side of communication behave exactly like the browser does.

Alternatively, one could just hijack the pre-existing browser on the system to do all the network communication; thus making its communication patterns completely indistinguishable from the browser’s regular behaviour. And, of course, one can just employ encryption within the HTTP protocol, rather than on top of it, as SSL/TLS do. The server-side of communication can be circumvented using known legitimate services, like Dropbox or Google Drive as C&C… which is something already being done by some families of malware. Of course, *whether* the bad guys do so… is another question. They certainly have no reason to even attempt to avoid this kind of detection before someone actually implements in their products.”