[Cryptography] doing traffic analysis for good - analysing TLS metadata for evidence of malware

John Gilmore gnu at toad.com
Wed Jun 21 15:20:02 EDT 2017


> According to Anderson’s latest testing, not only does this
> approach preserve user privacy by not breaking encryption, but tests
> of ETA against large samples of network data and malware samples
> show promising results for its accuracy. Using only NetFlow
> features, ETA catches malware about 67 percent of the time. When ETA
> is fed those NetFlow features with additional feature sets like
> Service Packet Length (SPL), DNS, TLS metadata, HTTP and others, the
> accuracy jumps up to more than 99 percent.

It works great until the adversary catches on; then it doesn't work at all.

Years ago, Tor traffic used to disguise itself as TLS browser
sessions.  It turned out that some national firewalls were able to
tell Tor traffic from https traffic due to things like this (the set
of crypto parameters they would negotiate, or which certificate chains
they sent).  Tor had to evolve to look MUCH more like browser traffic,
to continue making it through the firewalls.

	John
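The metadata-based distinction John describes (telling one TLS client from another by the parameters it offers, and the way that distinction disappears once the client presents the same parameters as the traffic it is hiding among) can be shown with a small passive ClientHello inspector. The following is an added example, not code from the original post, from Tor, or from Cisco's ETA; the fingerprint scheme is a simplified, order-sensitive hash over the version, cipher-suite list and extension types (an assumption standing in for production fingerprinting schemes), and the three ClientHello messages are constructed inline, not captured traffic.

```python
import hashlib
import struct

# IANA TLS extension type numbers used in the constructed samples.
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS = 0, 10, 11
EXT_SIGNATURE_ALGORITHMS, EXT_EXTENDED_MASTER_SECRET = 13, 23


def build_client_hello(version, cipher_suites, extensions):
    """Build a minimal TLS ClientHello record (constructed sample input only)."""
    body = struct.pack("!H", version)
    body += b"\x00" * 32                      # client random, fixed for determinism
    body += b"\x00"                           # empty legacy session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                       # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract what a passive observer sees before any key is established."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                             # skip version and random
    pos += 1 + body[pos]                      # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                      # skip compression methods
    ext_types = []
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            ext_types.append(etype)
            pos += 4 + elen
    return {"version": version, "cipher_suites": suites, "extensions": ext_types}


def fingerprint(record):
    """Order-sensitive digest of the offered parameters (simplified scheme, an assumption)."""
    p = parse_client_hello(record)
    text = "%d,%s,%s" % (p["version"],
                         "-".join(map(str, p["cipher_suites"])),
                         "-".join(map(str, p["extensions"])))
    return hashlib.md5(text.encode()).hexdigest()


# Constructed samples: a browser-like offer, a client with a sparse, unusual offer,
# and a client that copies the browser-like offer exactly.
BROWSER_SUITES = [0xC02B, 0xC02F, 0xC00A, 0x009C, 0x002F]
BROWSER_EXTS = [(EXT_SERVER_NAME, b"\x00\x0a\x00\x00\x07example"),
                (EXT_SUPPORTED_GROUPS, b"\x00\x04\x00\x17\x00\x18"),
                (EXT_EC_POINT_FORMATS, b"\x01\x00"),
                (EXT_SIGNATURE_ALGORITHMS, b"\x00\x04\x04\x01\x05\x01"),
                (EXT_EXTENDED_MASTER_SECRET, b"")]
BROWSER_LIKE = build_client_hello(0x0303, BROWSER_SUITES, BROWSER_EXTS)
ODD_CLIENT = build_client_hello(0x0303, [0xC02F, 0x009C],
                                [(EXT_SUPPORTED_GROUPS, b"\x00\x02\x00\x17")])
MIMIC = build_client_hello(0x0303, BROWSER_SUITES, BROWSER_EXTS)


def classify(record, allowlist):
    """Flag a ClientHello whose parameter fingerprint is not in the known-client list."""
    return "known" if fingerprint(record) in allowlist else "unusual"


if __name__ == "__main__":
    known = {fingerprint(BROWSER_LIKE)}
    print("odd client:", classify(ODD_CLIENT, known))   # distinguishable by metadata
    print("mimic     :", classify(MIMIC, known))        # indistinguishable by this measure
```

The first comparison is the detection: a client offering a different suite list or extension set stands out without any decryption. The second is the limit John points at: once a client offers exactly the parameters a common browser offers, this kind of inspector has nothing left to key on, so a fingerprint allowlist is a point-in-time measurement of current client behaviour, not a stable property of the traffic.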


