Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Arming malware with GANs - Maria Rigaki [CVUT I...

Arming malware with GANs - Maria Rigaki [CVUT IN PRAGUE]

Generative Adversarial Networks (GANs) are a recent invention that shows impressive results in generating completely new images of faces, building interiors and much more. In this talk we present how we can use GANs to modify network traffic parameters in order to mimic other types of traffic. More specifically, we modify an open source malware to use a GAN to dynamically adapt its Command and Control network behavior and mimic the traffic characteristics of Facebook chat. In this way it is able to avoid the detection from new-generation Intrusion Prevention Systems that use behavioral characteristics. We will present our experiments from a real-life scenario that used the Stratosphere behavioral IPS deployed in a router between the malware which was deployed in our lab and the C&C server deployed in AWS. Results show that it is possible for the malware to become undetected when given the input parameters from a GAN. The malware is also aware of whether or not it is being blocked and uses this as a feedback signal in order to improve the GAN model. Finally, we discuss the implications of this work in malware detection as well as other areas such as censorship circumvention. #securitysession2018

SecuritySession

April 07, 2018
Tweet

More Decks by SecuritySession

Other Decks in Technology

Transcript

  1. See discussions, stats, and author profiles for this publication at:

    https://www.researchgate.net/publication/324694302 Arming Malware with GANs Presentation · April 2018 CITATIONS 0 READS 104 1 author: Maria Rigaki Czech Technical University in Prague 5 PUBLICATIONS 3 CITATIONS SEE PROFILE All content following this page was uploaded by Maria Rigaki on 23 April 2018. The user has requested enhancement of the downloaded file.
  2. Background Information • PhD student at CVUT in Prague (advisor:

    Sebastian Garcia) • Member of the Stratosphere Lab • Machine Learning and Network Security • Background in Software Development and Systems Engineering Photo from https://www.japanpowered.com/japan-culture/japans-warrior-women
  3. What is this talk about? • It is NOT about

    guns! • Work based on our paper: “Rigaki M., Garcia S., Bringing a GAN to a knife-fight: Adapting Malware Communication to Avoid Detection” • Soon to be published • High level view of GANs • An example of using GANs in a Network Security application
  4. What are we trying to do? Can we use GANs

    to modify malware C&C traffic to mimic normal network traffic, in order to evade detectors while the communication channel remains effective?
  5. Generative Adversarial Networks (GANs) Karras, T., Aila, T., Laine, S.,

    & Lehtinen, J. (2017). Progressive growing of gans for improved quality, stability, and variation. arXiv preprint arXiv:1710.10196.
  6. Dataset • Network captures of two Facebook users chatting for

    a day • Extracted the Facebook related netflows • Features: duration, byte size and time between consecutive flows • Treated the data as time series • Detector behavioral model
  7. Malware • RAT: https://github.com/fluproject/flu • Client in C#, web server

    in php • Client C&C periodic actions: a. checks if server is online, b. connects to the server & registers, c. downloads a list of commands to execute • HTTP GET requests • Adapted duration, byte size and time between consecutive flows
  8. Detector • Stratosphere IPS (SLIPS) https://www.stratosphereips.org/str atosphere-ips-suite • Behavior-based detection

    • Does not depend on static signatures / IOCs • Models netflow characteristics such as periodicity, size, duration of flows • Set to detect Facebook chat traffic 88*y*y*i*H*H*H*y*0yy*H*H*H*y*y*y*y *H*h*y*h*h*H*H*h*H*y*y*y*H*
  9. Generator Discriminator Fake data Noise Facebook data Web service Flu

    client Win7 SLIPS1 C&C server Internet service Linux 1 Thanks to Ondrej Lukas for implementing SLIPS :)
  10. Phase 2 Train GAN Malware C&C Block or not? Measure

    Every 5 minutes After 4 hours Add data Note: this approach showed that there is some improvement but not significant enough
  11. Efficiency - Phase 1 • Maximum efficiency is 7.5 flows

    / time window • 1 connection every 40 seconds
  12. Future Work • Add support for HTTPS • Combine generator

    and malware • Test with different types of traffic / detectors • Incorporate in a red team tool • Improve the feedback loop • Automate the time window discovery
  13. Discussion • Yes we can! use GANs for mimicking traffic

    characteristics • Other areas: censorship circumvention, network traffic generation • Maybe an overkill now, but...