Malware Detection: Cisco Develops Tool To Spot Malware In Encrypted Traffic

Technology firm Cisco has unveiled a networking solution the company says is capable of spotting security threats as they arise in real time and through encrypted traffic.

The so-called “intuitive network” adds a software-driven element to network security by tapping into concepts of machine learning to analyze and interpret data to identify malicious code as it passes through the network.

Read: Mac Malware: Popular Mac App HandBrake Compromised By Malware

At the heart of Cisco’s new system is its Encrypted Traffic Analytics, a tool that is able to look at encrypted information and — without breaking the encryption — analyze the web traffic to determine if any security threats are making their way onto the network.

The company accomplishes this trick by using its machine learning algorithms to read through the traffic metadata. While it may seem like a small amount of information to go on, Cisco’s software is able to use information about previous threats to detect attack signatures and stop attacks before they reach the network.

"It's like when you watch people having an argument," Prashanth Shenoy — Cisco’s vice president of marketing, enterprise networks, internet of things and developer platform — said in a statement. "You may not be able to hear what they are saying but you can tell what's going on from their gestures and expressions."

To determine a potential threat, Cisco’s Encrypted Traffic Analytics examines a number of data sources including, transport layer security handshake metadata, domain name server contextual flows linked to the encrypted data and the HTTP information taken from the same source IP address within a 5-minute window.

Read: NSA Malware DoublePulsar: How To Test If Your Computer Has Been Infected

The encrypted traffic analytics system starts its examination by looking at the initial data packet of a particular connection. It then looks at the byte distribution across the payloads of the packets. From the sequence of packet lengths and times, the system can glean clues about the traffic that may reveal malware or other attacks.

That typically benign information revealed the potential presence of malicious software even as it moved through encrypted traffic as the machine learning technology was able to spot the telltale signs of malware and can improve its detection over time as it analyzes more traffic passing through the network.

Cisco described encryption as a “double-edged sword,” as it can provide protections to users but also allows malicious actors to hide their activity.

The development of such threat protection is valuable as not all attacks come from unprotected sources. Gartner said nearly half of all cyberattacks will use some type of encryption to conceal their delivery. Gartner also predicted by 2020, 60 percent of organizations will fail to decrypt secure traffic to identify threats.

Cisco’s encrypted traffic analytics system will be available on the Cisco Catalyst 9000 series, including the Catalyst 9300 and 9500. The devices themselves will be available soon, with encrypted traffic analytics made available starting in September.

Newsweek’s Structure Security conference on Sept. 26-27 in San Francisco will highlight the best practices that security professionals are using to protect some of the world's largest companies and institutions, join us for two days of talks, workshops and networking sessions with key industry players - register now.