Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cisco Can Now Sniff Out Malware Inside Encrypted Traffic (theregister.co.uk)

Posted by msmash on from the next-up dept.

Simon Sharwood, writing for The Register: Cisco has switched on latent features in its recent routers and switches, plus a cloud service, that together make it possible to detect the fingerprints of malware in encrypted traffic. Switchzilla has not made a dent in transport layer security (TLS) to make this possible. Instead, as we reported in July 2016, Cisco researchers found that malware leaves recognisable traces even in encrypted traffic. The company announced its intention to productise that research last year and this week exited trials to make the service -- now known as Encrypted Traffic Analytics (ETA) -- available to purchasers of its 4000 Series Integrated Service Routers, the 1000-series Aggregation Services Router and the model 1000V Cloud Services Router 1000V. Those devices can't do the job alone: users need to sign up for Cisco's StealthWatch service and let traffic from their kit flow to a cloud-based analytics service that inspects traffic and uses self-improving machine learning algorithms to spot dodgy traffic.

10 of 97 comments (clear)

  1. And obviously ... by nospam007 · · Score: 4, Interesting

    ...malware is torrents.

  2. Not analyzing payload by sinij · · Score: 5, Informative

    They are not analyzing payload/application data, this is not possible with end-to-end. They are not analyzing metadata, as most malware C&C now pretends to be web traffic. So how? Packet sizes and frequency? This would be trivial for malware creators to circumvent.

    1. Re:Not analyzing payload by 110010001000 · · Score: 4, Insightful

      "users need to sign up for Cisco's StealthWatch service and let traffic from their kit "

      "Sign up for" means "pay monthly for". It sounds like they are analyzing forwarded flow data and looking for flows to/from a particular port/IPs. It would catch malware that uses C&C to known rogue IPs, etc.

    2. Re:Not analyzing payload by ShanghaiBill · · Score: 4, Informative

      So how?

      According to TFA they look for "dodgy destinations" and self-signed certificates.

      So no, they aren't looking at the actual contents of the encrypted traffic at all, and they aren't "sniffing" anything.

    3. Re:Not analyzing payload by ugen · · Score: 4, Insightful

      The amount of bycatch will be nontrivial. This will inevitably result either in a lot of valid traffic being blocked, or no meaningful blocking of malware.

      Except this time they slapped AI label on the service, so it's very modern and cool and costs more money.

      We've seen this before.

    4. Re:Not analyzing payload by GameboyRMH · · Score: 4, Interesting

      Packet sizes and frequency, along with metadata. I saw a similar analysis of encrypted video streams being used to detect drone video:

      https://www.wired.com/story/a-...

      Looks like the next big thing in cryptography will be data padding...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  3. Great for now by TimothyHollins · · Score: 4, Interesting

    That's wonderful news. I wonder how long it will be until Cisco caves to NSA pressure and starts looking for other "mal"traffic as well. And then how long until Russia learns how to do it as well.

  4. kind of like... by supernova87a · · Score: 4, Insightful

    I suppose this the the banks (hubs of the financial world) being made to detect money laundering by the pattern and size / frequency of money transfers. They don't know about the source or nature of the transaction underlying the money, just that when it obeys certain flows, they're supposed to flag it.

  5. No they can't by ByteSlicer · · Score: 5, Informative

    They can recognize traffic patterns in TLS streams, created by malware on IP connected devices.
    They can't detect the malware itself in the stream.

  6. Evil bit by Errol+backfiring · · Score: 4, Funny

    Well, probably the logical thing to do: they set the evil bit.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!