Malware Detection through Network Flow Analysis

Presented at DEF CON 16 (2008), Aug. 10, 2008, 10 a.m. (50 minutes)

Over the last several years, we've seen a decrease in effectiveness of "classical" security tools. The nature of the present day attacks is very different from what the security community has been used to in the past. Rather than wide-spread worms and viruses that cause general havoc, attackers are directly targeting their victims in order to achieve monetary or military gain. These attacks are blowing right past firewalls and anti-virus and placing malware deep in the enterprise. Ideally, we could fix this problem at its roots; fixing the software that is making us vulnerable. Unfortunately that's going to take a while, and in the interim security engineers and operators need new, advanced tools that allow deeper visibility into systems and networks while being easy and efficient to use. This talk will focus on using network flows to detect advanced malware. Network flows, made popular by Cisco's NetFlow implementation available on almost all their routers, has been used for years for network engineering purposes. And while there has been some capability for security analysis against these flows, there has been little interest until recently. This talk will describe NetFlow and how to implement it in your network. It will also examine advanced statistical analysis techniques that make finding malware and attackers easier. I will release a new version of Psyche, an open source flow analysis tool, and show specific examples of how to detect malware on live networks. I will also release a tool designed to craft and spoof netflow records for injection into netflow collectors.

Presenters:

• Bruce Potter / @gdead - Founder, The Shmoo Group   as Bruce Potter
  Bruce Potter is the founder of the Shmoo Group of security, crypto, and privacy professionals. He is also the co-founder and CTO of Ponte Technologies, a company focused on developing and deploying advanced IT defensive technologies. His areas of expertise include wireless security, network analysis, trusted computing, pirate songs, and restoring hopeless vehicles. Mr. Potter has co-authored several books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security" published by O'Reilly and "Mac OS X Security" by New Riders.

Links:

• https://defcon.org/html/defcon-16/dc-16-speakers.html#Potter
• https://infocon.org/cons/DEF CON/DEF CON 16/DEF CON 16 video/DEF CON 16 - Bruce Potter - Malware Detection - Video.mp4
• https://www.youtube.com/watch?v=eP9B_rEbn2c

Similar Presentations:

• Kernelcon 2022 / NetflOSINT: Taking an often-overlooked data source and operationalizing it
• DEF CON 14 (2006) / Hacking Malware: Offense Is the New Defense
• ekoparty 14 (2018) / To Execute or Not to Execute. How to Build a Malware Execution Lab