[Dailydave] Encrypted Malware Traffic Detection == hilarious?

Jim Bieda jhbieda at gmail.com
Fri Jun 23 16:41:54 EDT 2017


Here's the blog entry from Blake Anderson (one of the authors of the paper).

https://blogs.cisco.com/security/detecting-encrypted-malware-traffic-without-decryption?CAMPAIGN=Security&Country_Site=us&POSITION=Social+Media&REFERRING_SITE=Facebook&CREATIVE=Cisco%20Security

There is an open source version of this tooling that extracts the TLS
features from pcap flows and generates 'enhanced' netflow (pcap2flow) used
by the model. The package, called "Joy", is located on GitHub
(https://github.com/cisco/joy) and includes an earlier version of the
trained model to spot potential malware-originated TLS flows.

Cheers,
Jim





On Wed, Jun 21, 2017 at 11:33 AM, Thorsten Holz <thorsten.holz at gmail.com>
wrote:

> On Wed, Jun 21, 2017 at 4:25 PM, dave aitel <dave at immunityinc.com> wrote:
>
>> 99% effective with the kind of traffic a normal network sees means you
>> are FLOODED AND OVERWHELMED WITH FALSE POSITIVES. Although they don't
>> specify what that number even means. Is it false positives? False
>> negatives? Both? Let's just say this: 99.99% is useless when doing a
>> network-based IDS.
>>
>
> More details are available in a technical report:
> https://arxiv.org/pdf/1607.01639.pdf
>
> Starting on page 8, the evaluation is explained in more detail. 99%
> reflects the accuracy, but the 1-in-10,000 false discovery rate (FDR) is
> much lower even in their tests. Furthermore, all these results were
> obtained in synthetic tests where the ratio of malicious traffic to benign
> traffic was almost 1:1 ("In total, there were 225,740 malicious and 225,000
> enterprise flows for this experiment")...
>
> Cheers,
>   Thorsten
>

