
Cisco says malicious traffic in TLS tunnels can be detected and blocked


July 8, 2016

A team of researchers in Cisco's security group asserts that malicious traffic inside TLS tunnels can be detected and blocked without decrypting the user's traffic.

That is very good news for corporate environments, where today's protection largely relies on the controversial practice of terminating (intercepting) the TLS session at a middlebox in order to inspect the plaintext.

Blake Anderson, Subharthi Paul and David McGrew explain in a whitepaper that malware leaves recognizable footprints in the TLS flows.

Their research covered thousands of samples across no fewer than eighteen malware families, and tens of thousands of malicious flows drawn from the millions of encrypted connections captured on an enterprise network.

They caution, however, that the results may only carry over to enterprise networks and not, for example, to service provider networks.

The main use of deep packet inspection in the researchers' data collection was to pick out the ClientHello and ServerHello handshake messages, which are sent in the clear before the session key is established, and to record the TLS version and other handshake parameters they advertise. The encrypted user data itself was never examined.

The team says that network data alone is enough to attribute TLS flows to most malware families. Even when different families use the same TLS parameters, they can usually be distinguished by their flow-based parameters.

The features they used included flow metadata (bytes in and out, packets in and out, network port numbers, and flow duration); the sequence of packet lengths and times; byte distribution; and TLS header information.
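The following script is an added example, not code from the whitepaper or from Cisco, showing how the feature types listed above can be pulled from a flow without decrypting anything: the offered TLS version, cipher suites and extension types are read straight out of the cleartext ClientHello, and the flow metadata, packet-length sequence, inter-arrival times and byte distribution are computed from packet sizes and timestamps alone. The ClientHello bytes, the packet records and the cipher-suite name table are constructed here for illustration; the function names are this example's own.

```python
"""Extract decryption-free TLS flow features (added example, not the paper's code)."""
import struct

# A few IANA cipher-suite codes used by the constructed ClientHello below.
CIPHER_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_client_hello(version, cipher_suites, extensions):
    """Build a minimal TLS record carrying a ClientHello (constructed test input)."""
    body = struct.pack(">H", version) + bytes(32)          # client_version + 32-byte random
    body += b"\x00"                                        # session_id length 0
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", c) for c in cipher_suites)
    body += b"\x01\x00"                                    # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Read version, cipher suites and extension types from a cleartext ClientHello."""
    if len(record) < 5 or record[0] != 0x16:               # ContentType handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack(">H", body[0:2])[0]
    pos = 34                                               # skip version (2) + random (32)
    pos += 1 + body[pos]                                   # skip session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if pos + cs_len > len(body):
        raise ValueError("truncated cipher suite list")
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                   # skip compression methods
    exts = []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:                              # extension type + length, skip data
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            exts.append(etype)
            pos += 4 + elen
    return {"version": version, "cipher_suites": suites, "extensions": exts}


def flow_features(packets):
    """Flow metadata and sequence features from (seconds, direction, length) records."""
    out = [p for p in packets if p[1] == "out"]
    inb = [p for p in packets if p[1] == "in"]
    times = [p[0] for p in packets]
    return {
        "bytes_out": sum(p[2] for p in out),
        "bytes_in": sum(p[2] for p in inb),
        "packets_out": len(out),
        "packets_in": len(inb),
        "duration": round(times[-1] - times[0], 3),
        # signed length sequence: positive = client to server, negative = server to client
        "length_seq": [p[2] if p[1] == "out" else -p[2] for p in packets],
        "inter_arrival": [round(b - a, 3) for a, b in zip(times, times[1:])],
    }


def byte_distribution(data):
    """256-bin histogram of byte values in the observed (non-decrypted) bytes."""
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    return hist


# Constructed inputs: an SNI (type 0) and supported_groups (type 10) extension,
# and a ten-packet flow on port 443 with client-side lengths and timestamps.
SAMPLE_HELLO = build_client_hello(
    0x0303, [0xC02F, 0x0035, 0x000A],
    [(0x0000, b"\x00\x0c\x00\x00\x09localhost"), (0x000A, b"\x00\x02\x00\x17")])
SAMPLE_FLOW = [(0.000, "out", 74), (0.012, "in", 74), (0.012, "out", 66), (0.013, "out", 249),
               (0.030, "in", 1450), (0.031, "in", 1320), (0.045, "out", 196),
               (0.061, "in", 105), (0.062, "out", 410), (0.250, "in", 820)]

if __name__ == "__main__":
    hello = parse_client_hello(SAMPLE_HELLO)
    print("TLS version 0x%04x" % hello["version"])
    print("offered:", [CIPHER_NAMES.get(c, hex(c)) for c in hello["cipher_suites"]])
    print("extensions:", hello["extensions"])
    print("flow:", flow_features(SAMPLE_FLOW))
    print("nonzero byte bins:", sum(1 for n in byte_distribution(SAMPLE_HELLO) if n))
```

The point of the split between the two halves is that neither touches encrypted application data: the handshake parser stops at the ClientHello, and the flow features need only the packet sizes and timestamps a passive sensor already has. Feeding such vectors to a classifier is what the whitepaper describes; the classifier itself is not shown here.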

The research included malware from the Bergat, Deshacop, Dridex, Dynamer, Kazy, Parite, Razy, Zedbot and Zusy families, among many others.

The researchers say that applying machine learning to these flow features gave them an accuracy of about 90.3 percent on the family attribution problem when restricted to a single encrypted flow, and about 93.2 percent when they used all encrypted flows from a host within a 5-minute window.

The whitepaper does not state whether the work was Cisco-sponsored or whether the researchers published it as individuals.

Source: Cisco.



Copyright © Internet Security.ca    Terms of use    Privacy agreement    Legal disclaimer