Network traffic can flag malware early
A new study may be about to change the way we think about network defence
Analysis of network traffic can spot malware early on, according to new research, cutting the time taken to spot new unknown threats from weeks or months to mere hours.
The study from Georgia Institute of Technology calls for new malware-independent detection strategies that specifically hunt down command and control communications, thus giving network defenders the ability to identify network security breaches in a more timely manner.
“Our study shows that by the time you find the malware, it’s already too late because the network communications and domain names used by the malware were active weeks or even months before the actual malware was discovered,” said Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. “These findings show that we need to fundamentally change the way we think about network defence.”
Traditional AV technology relies on matching known malware samples in order to isolate and remove them, but this technique is increasingly ineffective: a sample must first be captured and processed, a signature developed, and that signature pushed back out to endpoints. Rapidly evolving malware often wrong-foots this strategy anyway, but the researchers suggest going one better, spotting an initial infection or endpoint compromise before the whole network is infiltrated. “What we need to do is minimize the amount of time between the compromise and the detection event,” Antonakakis said.
The researchers analysed more than five billion network events from nearly five years of network traffic carried by a major US internet service provider (ISP), as well as studying domain name system (DNS) requests made by nearly 27 million malware samples, and examined the timing for the re-registration of expired domains – which often provide the launch sites for malware attacks. They found that certain networks were more likely to be used by bad actors, and also that requests for dynamic DNS often indicated bad activity, frequently correlating with services that provide free domain registrations and the ability to add domains quickly, both features popular with hackers.
By studying malware-related network traffic seen by the ISPs prior to detection of the malware, the researchers were able to determine that malware signals were present weeks and even months before new malicious software was found. In all, the researchers found more than 300,000 malware domains that were active for at least two weeks before the corresponding malware samples were identified and analysed.
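As an added example (not code from the study or this article), the lead-time measurement described above can be approximated over a passive DNS feed: take the earliest date each name was queried in traffic, compare it with the date the corresponding sample first surfaced, and flag names active at least two weeks earlier. The log lines, sample identifiers and the dynamic-DNS suffix list are constructed placeholders.

```python
"""Lead-time check: how long a domain was active in DNS traffic before the
malware sample that uses it was first seen. All log lines and ids are constructed."""
from datetime import date

# Constructed passive-DNS style log: "YYYY-MM-DD client qname"
DNS_LOG = """\
2017-01-03 10.0.0.5 updates.example-cdn.test
2017-01-05 10.0.0.9 cfg.ddns-placeholder.test
2017-01-05 10.0.0.9 www.example-news.test
2017-02-20 10.0.0.7 cfg.ddns-placeholder.test
2017-03-01 10.0.0.5 updates.example-cdn.test
""".splitlines()

# Constructed sample feed: placeholder id -> (date first seen by analysts, contacted domains)
SAMPLE_FEED = {
    "SAMPLE-ID-0001": (date(2017, 2, 15), ["cfg.ddns-placeholder.test"]),
    "SAMPLE-ID-0002": (date(2017, 3, 2), ["updates.example-cdn.test"]),
}

# Hypothetical free dynamic-DNS suffixes; a real deployment would use a curated list
DYNAMIC_DNS_SUFFIXES = (".ddns-placeholder.test",)

def first_seen_in_traffic(log_lines):
    """Earliest date each queried name appears in the DNS log."""
    seen = {}
    for line in log_lines:
        day, _client, qname = line.split()
        d = date.fromisoformat(day)
        qname = qname.lower().rstrip(".")
        if qname not in seen or d < seen[qname]:
            seen[qname] = d
    return seen

def is_dynamic_dns(qname):
    return qname.endswith(DYNAMIC_DNS_SUFFIXES)

def early_c2_candidates(log_lines, sample_feed, min_lead_days=14):
    """Domains seen in traffic at least min_lead_days before their sample surfaced.
    Returns {domain: (lead_days, sample_id, uses_dynamic_dns)}."""
    traffic = first_seen_in_traffic(log_lines)
    hits = {}
    for sample_id, (sample_seen, domains) in sample_feed.items():
        for dom in domains:
            if dom in traffic:
                lead = (sample_seen - traffic[dom]).days
                if lead >= min_lead_days:
                    hits[dom] = (lead, sample_id, is_dynamic_dns(dom))
    return hits
```

Run against a real passive DNS archive, the same loop gives the distribution of lead times the study reports, and the dynamic-DNS flag marks the names that deserve priority review.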
“The choke point is the network traffic, and that’s where this battle should be fought,” said Antonakakis. “This study provides a fundamental observation of how the next generation of defence mechanisms should be designed. As more complicated attacks come into being, we will have to become smarter at detecting them earlier.”
One technology that surely holds promise here is machine learning, which is already being actively deployed in cybersecurity settings, including in High-Tech Bridge’s ImmuniWeb application security testing platform. ImmuniWeb detects at least twice as many vulnerabilities as any purely automated solution would, including the most sophisticated ones that usually require human intelligence. The possibility of using similar Artificial Neural Networks to detect malware-related network traffic at an early stage is an interesting one.
Ilia Kolochenko, web application security expert and CEO of High-Tech Bridge said: “Modern machine technologies, based on Artificial Neural Networks (ANN) for example, can significantly reduce human time and efforts to perform certain tasks, particularly in cybersecurity. However, such technologies are usually quite complicated to design, train and monitor to get relevant and continuously improving results. AI-based technologies can optimise many tasks and save resources, however they will certainly not entirely replace human intelligence in the next ten years.”
The study comes as Kaspersky released figures claiming that ransomware alone rocketed by 253 per cent in Q1 2017. There’s certainly plenty of malware activity to spot on the wider network!