Using Machine Learning to Stop Exploit Kits In-Line in Real-Time

Presented at VB2016, Oct. 7, 2016, 11 a.m. (30 minutes).

Intrusion prevention systems identify and block threats at high bandwidth choke points within a network, in-line with traffic and requiring real-time capability in order not to incur latency. IPS have been restricted to rules limited to string or pattern matching, whether they are blacklists of malicious IPs and domains or are patterns for some vulnerability or exploit. We have developed IPS support for evaluating statistical models which were learned through application of machine-learning techniques. The first threats we have targeted are exploit kits that make use of obfuscated HTML, including the ever-changing Angler Exploit Kit. Pattern recognition through use of regular expressions is not sufficient to identify and block these threats, because of their mutable nature. We are now able to block the Angler Exploit Kit with the IPS, over millions of flows at 20 Gb/s.

Our initial effort has been limited to processing linear models within the IPS. While these are simple models requiring no more calculation than a weighted sum of feature values, they are able to separate obfuscated HTML from benign web pages without false positives. We have begun by building models for the Angler Exploit Kit, and will extend this work to cover other prevalent exploit kits, such as Sweet Orange, Nuclear, KaiXin and others. Also we plan to extend our work to incorporate other types of models that are not linear but that can still be processed at line speed over large amounts of traffic.

While there are some intrusion detection systems that make use of machine-learning techniques like anomaly detection or even classification using models, these systems do not have the requirements of an IPS. An intrusion prevention system works in-line with traffic, able to block threats as they come across the wire. We can now block threats that cannot be stopped by matching regular expressions, in real-time, for bandwidth required at the perimeter of enterprise networks.


Presenters:

  • Josiah Hagen - Trend Micro TippingPoint
    Josiah Hagen Josiah is a security researcher with Trend Micro TippingPoint DVLabs Advanced Security Research Group. He has a BA in mathematics and computer science from Oberlin College and 16 years of professional software development experience. Josiah has eight years in the AI field, with work focused on graph theory, search, and deductive inference on large knowledge bases. Subsequent work in AI included applying machine learning techniques identifying failure modes in email traffic. He has additional experience in systems development, including clustered NAS/SAN development and integrated control systems. Current interests include clustering, classifying and understanding network traffic.
  • Brandon Niemczyk - Trend Micro TippingPoint
    Brandon Niemczyk Brandon Niemczyk was born in Chicago. He has been writing code since he was a child with his first 386, modifying the QBASIC game gorillas.bas. Later, he moved on to write GIS software in Orlando, FL, and then he wandered into information security after a brief stint writing accounting software. His interests are machine learning, mathematics, motorcycles, games, reverse engineering, and family.
  • Jonathan Andersson - Trend Micro TippingPoint
    Jonathan Andersson Jonathan Andersson is an engineering professional and internationally published infosec speaker with more than 25 years of experience in a range of engineering disciplines including software development, electronic design, FPGA & PCB design, reverse engineering, patent development, and engineering team / executive management. He has domain expertise in embedded systems, information security & real-time transaction processing systems, machine learning, vulnerability & malware analysis, product development & manufacturing, credit card & check processing, optics & pattern recognition systems, image processing, USB storage & media card technology, solar power technology, vehicle diagnostic technology, and varied mobile & wireless technologies. He currently manages the TrendMicro TippingPoint DVLabs Advanced Research Group and is the holder of three US patents with eight patents pending.

Links:

Similar Presentations: