DeepSec 2022 Talk: Signature-based Detection Using Network Timing – Josh Pyorre

Sanna / October 18, 2022 / Conference

Malware often has behaviors that can be used to identify other variants of the same malware families, typically seen in the code structure, IP addresses and domains contacted, or in certain text strings and variable names within the malware.

However, it may be possible to identify malware, or anomalous behavior, by analyzing the timing between network transactions. My presentation will explore this idea using network captures of malicious activity mixed in with potentially normal network traffic, analyzed quickly with Python. We’ll explore this on network data with full visibility into the transactions as well as on noisier encrypted traffic, where we’ll attempt to identify unusual activity based only on timing and bandwidth.
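The core of the idea above, as an added illustration that is not the speaker's own code: profile each source/destination pair by the gaps between its transactions, then either match those gaps against a known beacon period (a "timing signature") or flag any pair whose gaps are suspiciously regular. The flow records, the 60-second period and the 5% tolerance are constructed for the example; only timestamps are used, so the same logic applies to encrypted traffic.

```python
"""Added example: timing-based detection over a constructed flow log."""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed records (epoch seconds, src, dst, bytes); not from any real capture.
FLOWS = [
    (1000.0, "10.0.0.5", "203.0.113.7", 412), (1059.8, "10.0.0.5", "203.0.113.7", 410),
    (1120.3, "10.0.0.5", "203.0.113.7", 415), (1180.1, "10.0.0.5", "203.0.113.7", 411),
    (1239.9, "10.0.0.5", "203.0.113.7", 413),
    (1003.0, "10.0.0.8", "198.51.100.2", 8120), (1004.1, "10.0.0.8", "198.51.100.2", 51000),
    (1031.7, "10.0.0.8", "198.51.100.2", 900), (1150.2, "10.0.0.8", "198.51.100.2", 23010),
]

def inter_arrivals(times):
    """Gaps (seconds) between consecutive transactions of one src->dst pair."""
    t = sorted(times)
    return [b - a for a, b in zip(t, t[1:])]

def timing_profile(flows):
    """Per src->dst pair: event count, median gap and the gaps' coefficient of
    variation (std/mean). Only timestamps are used, so the profile can be built
    from encrypted traffic where payloads are not visible."""
    by_pair = defaultdict(list)
    for ts, src, dst, _nbytes in flows:
        by_pair[(src, dst)].append(ts)
    profiles = {}
    for pair, times in by_pair.items():
        gaps = inter_arrivals(times)
        if len(gaps) < 2:          # need at least two gaps to measure regularity
            continue
        m = mean(gaps)
        profiles[pair] = {"count": len(times), "median_gap": median(gaps),
                          "gap_cv": pstdev(gaps) / m if m else 0.0}
    return profiles

def matches_timing_signature(profile, period, tolerance=0.05, min_events=4):
    """Timing signature: a family's known beacon period, matched within a
    relative tolerance, with gaps regular enough (low CV) to be a schedule."""
    return (profile["count"] >= min_events
            and abs(profile["median_gap"] - period) <= tolerance * period
            and profile["gap_cv"] <= tolerance)

def find_periodic_pairs(profiles, max_cv=0.05, min_events=4):
    """Signature-free variant: flag any pair whose gaps are suspiciously regular."""
    return sorted(p for p, prof in profiles.items()
                  if prof["count"] >= min_events and prof["gap_cv"] <= max_cv)
```

On the constructed data the 10.0.0.5 pair beacons roughly every 60 seconds and is flagged by both checks, while the irregular 10.0.0.8 browsing is not; real captures need a longer window and a tolerance tuned to the jitter the family adds.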

We asked Josh Pyorre a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  1. Signatures are the primary method of catching malicious activity in network traffic, but machine learning is helping the security industry move beyond signature-based detection. The talk is about my research into attempting an idea to detect activity using network timing relationships between similar malware activity. It might not totally work and may require the addition of machine learning algorithms (which I’m still new to) and third party API calls.
  2. I’m not yet sure if I’ll have an amazing ‘Wow’ moment for this talk, as I’m still actively researching up to a month before presenting. I hope to have some conclusions that attendees will find interesting and will be providing my code for others to use and modify.
  3. As someone who spent several years looking at network traffic in a SOC, I hope to help in building something that can look at PCAP files, coming to the same conclusion as a human analyst. The work I’m doing for this talk will hopefully help others to speed up their network analysis activities.
  4. I am also attempting to include analysis of network activity and/or bandwidth based on audio analysis and machine learning techniques.
  5. Having spent a lot of time at night working on this while having a couple drinks, I’ll find my code works but I don’t really know why and end up having to audit the code to figure out what happened. I’m still not sure how I’ve figured out some parts.


How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I had this idea of identifying malicious malware activity based on the timing of network transactions from something I barely touched on during another presentation about tracking botnet activity and decided the best way to actually make time to work on it would be to submit it as a presentation.

Why do you think this is an important topic?

Having worked in a SOC, I know the pain of combing through network captures and writing signatures to catch activity on the wire. This is one of my attempts to improve the speed of that work.

Is there something you want everybody to know – some good advice for our readers maybe?

Threat actors who create malware are people, and they have the same flaws, busy lives, and distractions that we do. They make coding mistakes and have as difficult a time changing patterns and habits as the rest of us. This makes it easier to find patterns in malware variants, hosting infrastructure, C2 callouts, and other behavior, and it can make our work less intimidating.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

The security industry is moving towards automating everything to reduce the need for humans. Work I did 10 years ago in a SOC is now done better and faster by automated processes. If we want to keep moving forward, we should embrace how automation, machine learning, and artificial intelligence will change the direction of our work. Build the things that will make this future and you’ll always have something to work on. Keep researching new and crazy ideas!

Josh Pyorre is a Security Research Engineering Technical Leader with Cisco Talos. He has been in security since 2000, working as a researcher and analyst at organizations such as Cisco, NASA, and Mandiant, and a principal product manager for advanced threat protection at Zscaler.
Josh has presented at conferences and locations around the world, including DEFCON, RSA, B-Sides, Source, Derbycon, InfoSecurity, DeepSec, Qubit, and at various companies and government organizations. He was also the host and producer of the security podcast, ‘Root Access’. His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible.
