(WO2018178028) INITIALISATION VECTOR IDENTIFICATION FOR ENCRYPTED MALWARE TRAFFIC DETECTION

Pub. No.: WO/2018/178028
International Application No.: PCT/EP2018/057676
Publication Date: 5 October 2018
International Filing Date: 27 March 2018
IPC: H04L 29/06
Applicants: BRITISH TELECOMMUNICATIONS PUBLIC LIMITED COMPANY
Inventors: EL-MOUSSA, Fadi; KALLOS, George
Title: INITIALISATION VECTOR IDENTIFICATION FOR ENCRYPTED MALWARE TRAFFIC DETECTION
Abstract:
A method for identifying malicious encrypted network traffic associated with a malware software component communicating via a network, the method comprising: defining, for the malware, a portion of network traffic including a plurality of contiguous bytes occurring at a predefined offset in a network communication of the malware; extracting the defined portion of network traffic for each of a plurality of disparate encrypted network connections for the malware; training an autoencoder based on each extracted portion of network traffic, wherein the autoencoder includes: a set of input units each for representing information from a byte of an extracted portion; output units each for storing an output of the autoencoder; and a set of hidden units smaller in number than the set of input units and each interconnecting all input and all output units with weighted interconnections, such that the autoencoder is trainable to provide an approximated reconstruction of values of the input units at the output units; selecting a set of one or more offsets in the definition of a portion of network traffic as candidate locations for communication of an initialisation vector for encryption of the network traffic, the selection being based on weights of interconnections in the autoencoder; and identifying malicious network traffic based on an identification of an initialisation vector in the network traffic at one of the candidate locations.