In our era soon there will be no device left that is not connected to the internet. This connection is greatly beneficial for the users, but there are also threats in this opportunity. To deal with threats and malicious people we started using encryption to protect our data.
Mobile cloud and web applications rely on keys and certificates to ensure security. Encryption however not only hides the data from other eyes, but also from yourself. Malicious actors also benefit from encryption and can hide their activities under encrypted channels.
Traditional means of detection only works if it can see the data that is transmitted. If you are using encryption the data will be hidden from all parties. Of course it is still possible to search for malicious content, but so far it means decryption, analysis and re-encryption.
This is slowing down the data flow by a lot, so it is not usable in most scenarios. In many cases, however, advanced analytic techniques can be used to identify malicious flows for further inspection using decryption techniques. This is where Cisco’s new technique is coming in hand. They are well known of their hardware devices, but they are putting more and more effort in software solutions.
“Traditional flow monitoring provides a high-level view of network communications by reporting the addresses, ports and byte and packet counts of a flow. In addition, intraflow metadata, or information about events that occur inside of a flow, can be collected, stored and analyzed within a flow monitoring framework.
This data is especially valuable when traffic is encrypted, because deep-packet inspection is no longer viable. This intraflow metadata, called Encrypted Traffic Analytics, is derived by using new types of data elements or telemetry that are independent of protocol details, such as the lengths and arrival times of messages within a flow. These data elements have the attractive property of applying equally well to both encrypted and unencrypted flows.”
Encrypted Traffic Analytics focuses on detecting malicious content on encrypted channels by extracting relevant data and supervised machine learning with cloud based global visibility. The focus is Transport Layer Security (TLS) protocol, that encrypts other protocol based communications.
It is usually implemented on top of other protocols, such as HTTP (Hypertext Transfer Protocol) or SMTP (Simple Mail Transfer Protocol). Encrypted Traffic Analytics analyzes four main data elements: the sequence of packet lenghts and times, the byte distribution, TLS-specific features and the initial data packet. Cisco’s Application-Specific Integrated Circuit (ASIC) is making it available to extract these data without slowing down the data network.
SPLT (Sequence of Packet Lenghts and Times) can be represented as an array of packet sizes with the array of times between packets. Byte distribution represents the probability of a packet to be present in the payload within a stream. This is maintained as an array of counter for each character, but it can be easily turned into a proper distribution, by normalizing the array with the number of bytes.
IDP (Initial Data Packet) is used to get data from the first packet of the flow. It can be used to extract interesting elements of the flow such as HTTP URL, DNS hostname/address and other. The TLS handshake is composed of several messages that contain interesting, unencrypted metadata used to extract data elements such as cipher suites, TLS versions and the client’s public key length.
This is a very interesting and new way to increase network security and machine learning and new ASIC’s are making it possible. Being able to detect malicious activity hidden in encrypted channels, without disturbing the data flow is extremely beneficial. For more details or information read Cisco’s whitepaper on the subject.