Arming malware with GANs - Maria Rigaki [CVUT IN PRAGUE]

Transcript

1. See discussions, stats, and author profiles for this publication at:

   https://www.researchgate.net/publication/324694302 Arming Malware with GANs Presentation · April 2018 CITATIONS 0 READS 104 1 author: Maria Rigaki Czech Technical University in Prague 5 PUBLICATIONS 3 CITATIONS SEE PROFILE All content following this page was uploaded by Maria Rigaki on 23 April 2018. The user has requested enhancement of the downloaded file.

2. Arming Malware with GANs Maria Rigaki [email protected] @mrigaki

3. Background Information • PhD student at CVUT in Prague (advisor:

   Sebastian Garcia) • Member of the Stratosphere Lab • Machine Learning and Network Security • Background in Software Development and Systems Engineering Photo from https://www.japanpowered.com/japan-culture/japans-warrior-women

4. What is this talk about? • It is NOT about

   guns! • Work based on our paper: “Rigaki M., Garcia S., Bringing a GAN to a knife-fight: Adapting Malware Communication to Avoid Detection” • Soon to be published • High level view of GANs • An example of using GANs in a Network Security application

5. What are we trying to do? Can we use GANs

   to modify malware C&C traffic to mimic normal network traffic, in order to evade detectors while the communication channel remains effective?

6. Generative Adversarial Networks (GANs) Karras, T., Aila, T., Laine, S.,

   & Lehtinen, J. (2017). Progressive growing of gans for improved quality, stability, and variation. arXiv preprint arXiv:1710.10196.
7. None

8. Image from http://www.kdnuggets.com/20 17/01/generative-adversarial- networks-hot-topic-machine-l earning.html

9. Dataset • Network captures of two Facebook users chatting for

   a day • Extracted the Facebook related netflows • Features: duration, byte size and time between consecutive flows • Treated the data as time series • Detector behavioral model

10. Malware • RAT: https://github.com/fluproject/flu • Client in C#, web server

    in php • Client C&C periodic actions: a. checks if server is online, b. connects to the server & registers, c. downloads a list of commands to execute • HTTP GET requests • Adapted duration, byte size and time between consecutive flows

11. Detector • Stratosphere IPS (SLIPS) https://www.stratosphereips.org/str atosphere-ips-suite • Behavior-based detection

    • Does not depend on static signatures / IOCs • Models netflow characteristics such as periodicity, size, duration of flows • Set to detect Facebook chat traffic 88*y*y*i*H*H*H*y*0yy*H*H*H*y*y*y*y *H*h*y*h*h*H*H*h*H*y*y*y*H*

12. Experiment Setup

13. Generator Discriminator Fake data Noise Facebook data Web service Flu

    client Win7 SLIPS1 C&C server Internet service Linux 1 Thanks to Ondrej Lukas for implementing SLIPS :)

14. Phase 1 Train GAN Malware C&C Block or not? Measure

    Every 5 minutes After 4 hours

15. Phase 2 Train GAN Malware C&C Block or not? Measure

    Every 5 minutes After 4 hours Add data Note: this approach showed that there is some improvement but not significant enough

16. Timing model of detection

17. Results

18. Detection Results - Phase 1

19. Efficiency - Phase 1 • Maximum efficiency is 7.5 flows

    / time window • 1 connection every 40 seconds

20. What’s next?

21. Future Work • Add support for HTTPS • Combine generator

    and malware • Test with different types of traffic / detectors • Incorporate in a red team tool • Improve the feedback loop • Automate the time window discovery

22. Discussion • Yes we can! use GANs for mimicking traffic

    characteristics • Other areas: censorship circumvention, network traffic generation • Maybe an overkill now, but...

23. Thank you for listening! [email protected] @mrigaki mariarigaki https://www.stratosphereips.org/ View publication

    stats View publication stats