Dailydave mailing list archives

Re: Encrypted Malware Traffic Detection == hilarious?


From: Jim Bieda <jhbieda () gmail com>
Date: Fri, 23 Jun 2017 13:41:54 -0700

Here's the blog entry from Blake Anderson (one of the authors of the paper).

https://blogs.cisco.com/security/detecting-encrypted-malware-traffic-without-decryption?CAMPAIGN=Security&Country_Site=us&POSITION=Social+Media&REFERRING_SITE=Facebook&CREATIVE=Cisco%20Security

There is an open source version of this tooling that extracts the TLS
features from pcap flows and generates 'enhanced' netflow (pcap2flow) used
by the model. The package, called "Joy", is located on GitHub
(https://github.com/cisco/joy) and includes an earlier version of the
trained model to spot potential malware-originated TLS flows.

Cheers,
Jim
On Wed, Jun 21, 2017 at 11:33 AM, Thorsten Holz <thorsten.holz () gmail com> wrote:

On Wed, Jun 21, 2017 at 4:25 PM, dave aitel <dave () immunityinc com> wrote:

99% effective with the kind of traffic a normal network sees means you
are FLOODED AND OVERWHELMED WITH FALSE POSITIVES. Although they don't
specify what that number even means. Is it false positives? False
negatives? Both? Let's just say this: 99.99% is useless when doing a
network-based IDS.


More details are available in a technical report:
https://arxiv.org/pdf/1607.01639.pdf

Starting on page 8, the evaluation is explained in more detail. 99%
reflects the accuracy, but the 1-in-10,000 false discovery rate (FDR) is
much lower even in their tests. Furthermore, all these results were
obtained in synthetic tests where the ratio of malicious traffic to benign
traffic was almost 1:1 ("In total, there were 225,740 malicious and 225,000
enterprise flows for this experiment")...

Cheers,
  Thorsten

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

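To make the base-rate argument above concrete, here is a worked projection of the figures quoted in the thread (225,740 malicious vs 225,000 enterprise flows, 99% accuracy, 1-in-10,000 FDR) onto a network where malicious flows are rare. This is an added example, not code from the thread or from Joy; reading "99%" as overall accuracy and "1-in-10,000" as the FDR on that same test set, the 10 million flows per day, and the prevalence values are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rates:
    tpr: float  # true positive rate (recall): P(alert | malicious)
    fpr: float  # false positive rate: P(alert | benign)


def rates_from_test(n_mal: int, n_ben: int, accuracy: float, fdr: float) -> Rates:
    """Back out TPR and FPR from the accuracy and false discovery rate
    reported on a test set with known class counts.
      FDR = FP / (TP + FP)                      =>  FP = TP * fdr / (1 - fdr)
      accuracy = (TP + n_ben - FP) / (n_mal + n_ben)  =>  solve for TP."""
    k = fdr / (1.0 - fdr)
    tp = (accuracy * (n_mal + n_ben) - n_ben) / (1.0 - k)
    fp = tp * k
    if not (0.0 <= tp <= n_mal and 0.0 <= fp <= n_ben):
        raise ValueError("accuracy/FDR are inconsistent with the class counts")
    return Rates(tpr=tp / n_mal, fpr=fp / n_ben)


@dataclass(frozen=True)
class Projection:
    alerts: float           # expected alerts per period
    false_positives: float  # expected false alerts per period
    precision: float        # fraction of alerts that are real detections


def project(rates: Rates, flows: float, prevalence: float) -> Projection:
    """Apply the same detector to a network seeing `flows` TLS flows per
    period, of which a fraction `prevalence` are malicious."""
    malicious = flows * prevalence
    benign = flows - malicious
    tp = rates.tpr * malicious
    fp = rates.fpr * benign
    alerts = tp + fp
    return Projection(alerts, fp, tp / alerts if alerts else 0.0)


if __name__ == "__main__":
    # Figures quoted in the thread; treating them as overall accuracy and
    # FDR on the same 225,740 / 225,000 test set is an assumption.
    r = rates_from_test(225_740, 225_000, accuracy=0.99, fdr=1e-4)
    print(f"TPR={r.tpr:.4f}  FPR={r.fpr:.2e}")
    # Constructed network: 10 million TLS flows per day; prevalence assumed.
    for prev in (1e-2, 1e-4, 1e-6):
        p = project(r, 10_000_000, prev)
        print(f"prevalence={prev:.0e}: {p.alerts:,.0f} alerts/day, "
              f"{p.false_positives:,.0f} false, precision={p.precision:.3f}")
```

At a 1:1 mix the projected precision stays near 0.9999, at 1 malicious flow in 10,000 it drops to roughly 0.5, and at 1 in a million almost every alert is a false positive, which is the point made about evaluating on balanced data.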
