machine detectable network behavioural commonalities for
play

Machine Detectable Network Behavioural Commonalities for Exploits - PowerPoint PPT Presentation

Dec 04, 2022 •28 likes •248 views

Machine Detectable Network Behavioural Commonalities for Exploits & Malware University of Amsterdam Alexandros Stavroulakis MSc System & Network Engineering Research Project II What is this about? Automatic generation of malicious

  1. Machine Detectable Network Behavioural Commonalities for Exploits & Malware University of Amsterdam Alexandros Stavroulakis MSc System & Network Engineering Research Project II

  2. What is this about? Automatic generation of malicious code by the penetration testing tool, Armitage, which is a GUI of the Metasploit Framework More specifically When it is used by inexperienced users (hackers) and/or hobbyists

  3. What is the problem? A large part of ad-hoc created malware is generated using Armitage It is possible to generate a new virus / trojan which will be hardly detectable by AV software

  4. Why are we researching this? To determine whether this automated generation procedure, produces code that has predictable network behaviour, Such as packet sizes, rhythm of packets, sequence of ports, etc If Armitage generated malware could be detected by its network behaviour characteristics, then malware detection solutions could take a major step forward

  5. Which leads us to the Research Question Is it possible to detect the presence of malicious software, generated by Armitage, by identifying its network behaviour?

  6. What is the plan? Set up a secure “victim” environment (roll-back after each trial) I. Windows 7 SP1 Virtual Machine II. Kali Linux Virtual Machine Create a feature plan of malware generation using Armitage Capture and analyze traffic

  7. How is malware generated? Malware == Metasploit Payloads LHOST and LPORT are set for the attacking side Figure out a way to infect the victim with executable

  8. How is malware generated? Multi/Handler is used by all Metasploit Payloads in order to establish a connection between the victim and the attacker It creates a listener waiting for malware on the victim side to connect

  9. And then? Once the executable runs and a session is established, Armitage’ s representation of the victim changes

  10. What are we looking into? Hobbyists and inexperienced users are more probable to look into tutorials, easy- to-implement attacks that are sure to work The most common attacks make use of the “ reverse_tcp ” and “ reverse_http(s) ” payloads They connect back to the attacker and set up a communication according to their title The presentation will focus on the above payloads

  11. What patterns are we looking for? Basically… anything that can show any kind of predictability in network behaviour

  12. What patterns are we looking for? Basically… anything that can show any kind of predictability in network behaviour

  13. What patterns are we looking for? Basically… anything that can show any kind of predictability in network behaviour

  14. What patterns are we looking for? Basically… anything that can show any kind of predictability in network behaviour

  15. What did we find? reverse_tcp Transmission of packets Randomly chosen port 49163 used in every ~60 seconds every test 5 packets per transmission Same packet length, in order, per (652 Bytes per transmission) transmission

  16. What did we find? reverse_tcp When the session closes, the malware exits and has no network presence The moment the session ends, each test showed a large spike in traffic (10 - 20 packets)

  17. What did we find? reverse_http(s) Packet transmission increases from Randomly chosen port 49164 used every ~4,5 to 10 seconds in every test 5 packets per transmission (PDU Same packet length, in order, per packet size varies per test, 293 - 364) transmission

  18. What did we find? reverse_http(s) When the session closes, the malware exits and has no network presence The moment the session ends, each test showed a large spike in traffic (+9 packets)

  19. What about Evasion Techniques? Antivirus evasion Encode the generated payload multiple times to increase obfuscation IDS/IPS evasion Changing the transport type of the payload, e.g. from TCP to HTTPS

  20. What does it all mean? There is evidence to suggest the existence of patterns in the network behaviour of certain automatically generated malware Not all malware behaves the same Metasploit is an ever changing platform, constantly updating

  21. What is next? The next step would be to automate this procedure In a way that false positive occurences would be kept to a minimum Analyze other frequently used payloads/exploits for multiple platforms

  22. What’s up? Thank you for your attention. Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Beba BEhavioural BAsed forwarding Giuseppe Bianchi Whats the problem? Legacy network

Beba BEhavioural BAsed forwarding Giuseppe Bianchi Whats the problem? Legacy network

Software Defined Networking & Network Function Virtualization: evolution, opportunities, challenges Giuseppe Bianchi CNIT / University of Roma Tor Vergata Credits to A. Capone for part of the slides Beba BEhavioural BAsed forwarding

482 views • 32 slides
What is really behavioural in behavioural health policy? Matteo M Galizzi

What is really behavioural in behavioural health policy? Matteo M Galizzi

What is really behavioural in behavioural health policy? Matteo M Galizzi m.m.galizzi@lse.ac.uk LSE Behavioural Research Lab LSE Health and Social Care Department of Social Policy Centre for the Study of Incentives in Health Paris School

1.45k views • 116 slides
TOOLS AND ETHICS FOR APPLIED BEHAVIOURAL INSIGHTS The BASIC toolkit Nick Malyshev Regulatory

TOOLS AND ETHICS FOR APPLIED BEHAVIOURAL INSIGHTS The BASIC toolkit Nick Malyshev Regulatory

TOOLS AND ETHICS FOR APPLIED BEHAVIOURAL INSIGHTS The BASIC toolkit Nick Malyshev Regulatory Policy Division, OECD Ibero-American and Caribbean Regulatory Improvement Network 10 October 2019, Lima Agenda 1. What are behavioural insights? 2.

401 views • 21 slides
Commonalities between Edwards ensemble and glasses Adrian Baule Lin Bo Max Danisch Hernan

Commonalities between Edwards ensemble and glasses Adrian Baule Lin Bo Max Danisch Hernan

Commonalities between Edwards ensemble and glasses Adrian Baule Lin Bo Max Danisch Hernan Makse Yuliang Jin City College of Romain Mari New York Louis Portal Chaoming Song jamlab.org Workshop: Physics of glassy and granular materials

831 views • 60 slides
Comics to Consoles Antony Johnston Games & Comics: Commonalities Interactive

Comics to Consoles Antony Johnston Games & Comics: Commonalities Interactive

Comics to Consoles Antony Johnston Games & Comics: Commonalities Interactive Outcast Media Abstraction of both Iconography & Activity Audience controls the pace of experience A Brief Word On Concept (...Or, why

689 views • 57 slides
Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by

Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by

Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by Nunzio Cicone and Hans-Peter Hllwirth Setting Password Attacks Passwords are a notoriously weak authentication mechanism One significant

422 views • 20 slides
ENHANCING BEHAVIOURAL INSIGHTS TO CREATE SUSTAINBLE BEHAVIOURAL CHANGE AT WORK Date: 16 TH APRIL

ENHANCING BEHAVIOURAL INSIGHTS TO CREATE SUSTAINBLE BEHAVIOURAL CHANGE AT WORK Date: 16 TH APRIL

ENHANCING BEHAVIOURAL INSIGHTS TO CREATE SUSTAINBLE BEHAVIOURAL CHANGE AT WORK Date: 16 TH APRIL 2020 Presenter: ISAAC PETER CEO & Principal Consultant ENHANCING BEHAVIOURAL INSIGHTS TO CREATE SUSTAINBLE BEHAVIOURAL CHANGE AT WORK

449 views • 32 slides
Firewalls What is a firewall? A machine to protect a network from malicious external

Firewalls What is a firewall? A machine to protect a network from malicious external

Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits between a LAN/WAN and the Internet Running special software to regulate network traffic Lecture 9 Page 1

602 views • 29 slides
Network Programming Network Programming as Programming across Machine Boundaries The

Network Programming Network Programming as Programming across Machine Boundaries The

CPSC-313: Introduction to Computer Systems Networking Programming Network Programming Network Programming as Programming across Machine Boundaries The Sockets API Reliable Communication Channels: TCP Dangerous at any Speed;

552 views • 14 slides
Applying Behavioural Insights to Public Policy Simon Ruda Outline 1. What are behavioural

Applying Behavioural Insights to Public Policy Simon Ruda Outline 1. What are behavioural

Applying Behavioural Insights to Public Policy Simon Ruda Outline 1. What are behavioural insights? 2. Who are the Behavioural Insights Team? 3. How can we apply behavioural insights to public policy? What are Behavioural Insights?

626 views • 51 slides
Lexico-grammatical Features of the Behavioural Process 1 L U C Y C H R I S P I N C A R D I F F

Lexico-grammatical Features of the Behavioural Process 1 L U C Y C H R I S P I N C A R D I F F

An Investigation into the Lexico-grammatical Features of the Behavioural Process 1 L U C Y C H R I S P I N C A R D I F F U N I V E R S I T Y Outline 2 Overview of Systemic Functional Linguistics (Halliday 1994) and the Behavioural

618 views • 29 slides
Bisimilarity and Behavioural Equivalences Lus Soares Barbosa HASLab - INESC TEC Universidade

Bisimilarity and Behavioural Equivalences Lus Soares Barbosa HASLab - INESC TEC Universidade

Bisimilarity and Behavioural Equivalences Lus Soares Barbosa HASLab - INESC TEC Universidade do Minho Braga, Portugal February 2019 Behavioural equivalences Similarity Bisimilarity Observable behaviour Behavioural Equivalences

541 views • 53 slides
Behavioural Supports Ontario (BSO) Presentation to the Hamilton Niagara Haldimand Brant (HNHB)

Behavioural Supports Ontario (BSO) Presentation to the Hamilton Niagara Haldimand Brant (HNHB)

Behavioural Supports Ontario (BSO) Presentation to the Hamilton Niagara Haldimand Brant (HNHB) Local Health Integration Network (LHIN) Board of Directors October 25, 2011 1 BSO Project Overall Goal: To enhance services for older adults

386 views • 19 slides
BFFF Birmingham Roger Martin-Fagg behavioural economist Mainstream vv Behavioural Economists

BFFF Birmingham Roger Martin-Fagg behavioural economist Mainstream vv Behavioural Economists

ECONOMIC UPDATE MARCH 2017 BFFF Birmingham Roger Martin-Fagg behavioural economist Mainstream vv Behavioural Economists Economic man Emotional man Rational Instinctive 20% 80% System 2 System 1 Daniel Kahneman Thinking fast, Thinking

890 views • 32 slides
KYTCs Real Time Network and its role in GPS Machine Control Machine Control Pilot Project

KYTCs Real Time Network and its role in GPS Machine Control Machine Control Pilot Project

KYTCs Real Time Network and its role in GPS Machine Control Machine Control Pilot Project Evaluate use of RTN in place of on site GPS Base Station Additional Cost Downtime for setup Communication Issues Accuracy Comparison

635 views • 21 slides
Using behavioural experiments to identify consumer problems in markets: Partitioned pricing

Using behavioural experiments to identify consumer problems in markets: Partitioned pricing

Using behavioural experiments to identify consumer problems in markets: Partitioned pricing practices Office of Fair Trading Economic Seminar Series 14 th January 2014 Dr Charlotte Duke Presentation outline How we use behavioural

287 views • 26 slides
Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand Raghunathan , and Niraj K. Jha Department of Electrical Engineering, Princeton University, Princeton, NJ 08544, USA NEC Labs America,

410 views • 25 slides
simplify. the. dream. AND. execute. a panel & workshop discussion on how to simplify BIG

simplify. the. dream. AND. execute. a panel & workshop discussion on how to simplify BIG

simplify. the. dream. AND. execute. a panel & workshop discussion on how to simplify BIG dreams into actionable steps and executable goals that win! SCOPE Four dynamic women in the digital and content creation space come together to share

387 views • 15 slides
CALCULIX LAUNCHER VERSION 0.32 http://calculix.de/ http://calculixforwin.blogspot.com/

CALCULIX LAUNCHER VERSION 0.32 http://calculix.de/ http://calculixforwin.blogspot.com/

CALCULIX LAUNCHER VERSION 0.32 http://calculix.de/ http://calculixforwin.blogspot.com/ http://www.calculixforwin.com/ Table of Contents Installation

391 views • 19 slides
and Shared Artefacts Agile Interaction Designers and Developers Working Toward Common Aims

and Shared Artefacts Agile Interaction Designers and Developers Working Toward Common Aims

Collaborative Events and Shared Artefacts Agile Interaction Designers and Developers Working Toward Common Aims Judith Brown Gitte Lindgaard, Robert Biddle Department of Psychology and School of Computer Science, Carleton University, Canada

541 views • 35 slides
Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index 1. Malware volume evolution 2. Malware Eras 3. Panda Adaptive Defense 1. What is it 2. Features & Benefits 3. How does it work 4.

661 views • 47 slides
CYBER SECURITY PART 1 Keeping you safe in an electronic age David Gibb, Cyber Protect

CYBER SECURITY PART 1 Keeping you safe in an electronic age David Gibb, Cyber Protect

CYBER SECURITY PART 1 Keeping you safe in an electronic age David Gibb, Cyber Protect Officer, Essex Police Barry Linton, Thorpe Bay U3A Thorpe Bay U3A Criminal insight - why commit cybercrime? Scale Nationally 1.6 million cyber

429 views • 25 slides
st t t

st t t

st tts trt Prtt strt tt tt ts ts

1.47k views • 125 slides
MANAGEMENT INFORMATION SYSTEM VIRAJ SHINDE : 16-H-15 RUCHI THAKKAR : 16-H-16

MANAGEMENT INFORMATION SYSTEM VIRAJ SHINDE : 16-H-15 RUCHI THAKKAR : 16-H-16

MANAGEMENT INFORMATION SYSTEM VIRAJ SHINDE : 16-H-15 RUCHI THAKKAR : 16-H-16 PADMA KAMBLE : 16-H-31 SALMA VADHAVANIA : 16-H-37 1 SHRADDHA JOSHI : 16-H-38 OUTLINE 1. Introduction to MIS and Definition 2.

468 views • 31 slides

More recommend