Cisco's 'encrypted traffic fingerprinting' turned into a product

Cisco has turned research published nearly a year ago into a product it hopes will protect enterprises against malware hidden in encrypted traffic. As The Register reported in July 2016, a group of Cisco researchers have been working on how to spot dangers entering networks through TLS. Since you can't see inside encrypted …

  1. Pen-y-gors

    Veeeeery interesting....

    So basically, although you can't see what's being sent, you can fingerprint a known thing and look for that fingerprint. But you do need to know what it is you're looking for and have a copy of it. And this will work for e.g. nasties phoning home, but is no use for intercepting the content of actual communications. And would this work on encrypted packets going over a VPN?

    Pretty neat. There's bound to be a downside, but on the whole it's mainly upside.

    1. Anonymous Coward

      Re: Veeeeery interesting....

      "There's bound to be a downside"

      I would hazard a guess that there are limitations in relation to what crypto algos it works best (if at all) with.

  2. mark l 2 Silver badge

    Sounds ideal for the NSA and GCHQ to monitor everybody's encrypted internet data to fingerprint those who are up to naughty things.

    1. Pascal Monett Silver badge

      Well as long as they are not seeing content and view any positives as a matter of getting a warrant to do so, I think I wouldn't mind all that much.

      It would be a sight better than the current situation.

  3. Version 1.0 Silver badge

    This is a new idea?

    I discussed this method with a programmer during a plane ride from Melbourne to Perth in the '90s - it was a new idea then. I guess I know where he's working these days.

  4. Christian Berger

    It's an old idea

    There were already papers on finding out what place one looks at on Google Maps, based on the size of the tiles (which were received via HTTPS).

    It's not really suitable for finding malware, as it's trivial for malware to simply randomize its traffic. So instead of transmitting a file all at once, you send it in chunks of varying length, or mimic normal browser behaviour.

    1. I am the liquor

      Re: It's an old idea

      I wouldn't say preventing traffic analysis is trivial, especially if you don't know exactly what the eavesdropper is looking at. There could be all sorts of subtle patterns in your traffic even after you've sliced your files into random-sized chunks.

      1. Christian Berger

        Re: It's an old idea

        Yes, but since this is a packaged product, you can test it in your laboratory for as long as you want to. I'd guess that there is virtually no contrast between "normal" data and "malevolent" data, so those systems will probably spit out far too many false positives to be of any use.

        1. I am the liquor

          Re: It's an old idea

          A Catalyst 9300 is a pricy piece of kit, but cybercrime is apparently pretty lucrative so I guess the successful malware developers will be able to afford one for their test lab.

          Although I've got to say, this is an argument against pretty much any malware detection technology. If the author has tested their malware against your defensive product, they will surely have been able to find a way to circumvent it.

          1. Christian Berger

            Re: It's an old idea

            "Although I've got to say, this is an argument against pretty much any malware detection technology. If the author has tested their malware against your defensive product, they will surely have been able to find a way to circumvent it."

            Yes, and this is why security experts (outside of malware detection firms) call such products snake oil. Now add to this that those programs typically are rather complex, run with high privileges and try to unpack every obscure format, even ones you may not have software to use otherwise. Right now, for example, it's likely that you can take over computers with that RAR decoder bug that's been found recently... even if that computer doesn't have an unpacker that supports RAR.

        2. Charles 9

          Re: It's an old idea

          "Yes, but since this is a packaged product, you can test it in your laboratory for as long as you want to."

          You can test it in YOUR environment, but how well can anyone replicate the real-world network conditions of an average enterprise, which could be as different as night and day? If such a product needs environmental conditioning first, then the defense has an insider's edge.

    2. Adam 1

      Re: It's an old idea

      All Tor packets are the same size. Any malware with a C&C server that is remotely a threat is using the dark web to make it hard for law enforcement to locate.

      Also, with any modern crypto you can't differentiate the byte stream from random. If you can via DPI then we all have much much bigger problems.

      Maybe some sort of crypto downgrade attack might be possible during the negotiation phase to something practical to brute force (and the Muppets in charge still like the idea of backdoored encryption, will they ever learn from past mistakes).

  5. Anonymous Coward

    Everything-over-HTTPS

    The idea is already in use in products that block Tor or VPN traffic in countries less hampered by personal freedoms. The answer to that was obfsproxy.

    In the future, malware will just use any standard HTTPS library and add some random padding.

    1. Charles 9

      Re: Everything-over-HTTPS

      But it's still tricky. In disguising some tells, you can create others. It's extremely difficult to obfuscate your traffic completely. Not just packet sizes but timings, rates, destinations, etc. can all leave tells, and if you try to scrub all the tells, you may not be able to get through. After all, even an envelope needs an address, and that alone can be useful information.
