FloCon 2020 has ended
Back To Schedule
Tuesday, January 7 • 10:00am - 10:30am
Bayes at 10+ Gbps: Identifying Malicious and Vulnerable Processes from Passive Traffic Fingerprinting

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
As network monitoring techniques have evolved in response to the rise of encrypted traffic, protocol fingerprinting has become an essential component of network defense. While exact-match fingerprinting of TLS clients is now widespread, it is too imprecise to use for process identification. To more reliably determine the process associated with a session, we applied inferencing based on naïve Bayes to fingerprints and destination information, using equivalence classes of destinations derived from auxiliary data. Our implementation of the packet capture and inferencing uses Linux TPACKETv3 and can identify processes on 10+ Gbps enterprise internet connections. This system detects many interesting categories of processes, including malware, evasive applications, scanners, and obsolete and vulnerable software. As it is based on an interpretable machine learning model, its findings are readily understandable and it can adapt to different prior probabilities. In this presentation, we describe our inferencing system and its implementation, our results in applying it to real-world traffic, and open issues in this technology area. We also review the data and open source software that we published to demonstrate this capability.

Attendees Will Learn:
Attendees will learn about the prevalence of encrypted traffic, the problems with simplistic exact-match TLS fingerprinting, and the benefits of inferencing on fingerprints plus destination information. They will also learn about our open source software and data.

avatar for David McGrew

David McGrew

Fellow, Cisco Systems
David works in cybersecurity research and development and applied cryptography. He designed authenticated encryption and encrypted voice and video communications standards that are in widespread use, championed open and patent-free cryptography, and pioneered the commercial use of... Read More →

Tuesday January 7, 2020 10:00am - 10:30am EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401