DeepSec 2022 Talk: Signature-based Detection Using Network Timing – Josh Pyorre
Malware often has behaviors that can be used to identify other variants of the same malware families, typically seen in the code structure, IP addresses and domains contacted, or in certain text strings and variable names within the malware. However, it may be possible to identify malware, or anomalous behavior by analyzing the timing in between network transactions. My presentation will explore this idea using network captures of malicious activity amongst potentially normal network traffic, analyzed quickly with Python. We’ll explore this on network data with full visibility into the transactions as well as noisier encrypted traffic, where we’ll attempt to identify unusual activity based only on bandwidth. We asked Josh Pyorre a few more questions about his talk. Please tell us the top 5 facts about your talk. Signatures are the primary method