US2022094529A1PendingUtilityA1
Passive decryption of encrypted traffic to generate more accurate machine learning training data
Est. expiryAug 31, 2037(~11.1 yrs left)· nominal 20-yr term from priority
H04W 72/27G06N 7/01H04L 9/0894G06N 5/025G06N 20/00H04L 63/1416H04L 9/0822H04L 63/1458H04L 63/0428H04L 63/1441H04W 72/0426
66
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
In one embodiment, an apparatus captures a memory dump of a device in a sandbox environment executing a malware sample. The apparatus identifies a cryptographic key based on a particular data structure in the captured memory dump. The apparatus uses the identified cryptographic key to decrypt encrypted traffic sent by the device. The apparatus labels at least a portion of the decrypted traffic sent by the device as benign. The apparatus trains a machine learning-based traffic classifier based on the at least a portion of the decrypted traffic sent by the device and labeled as benign.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method comprising:
capturing a memory dump of a device in a sandbox environment executing a malware sample; identifying a cryptographic key based on a particular data structure in the memory dump that is captured; using the cryptographic key that is identified to decrypt encrypted traffic sent by the device, resulting in decrypted traffic; labeling at least one portion of the decrypted traffic sent by the device as benign; and training a machine learning-based traffic classifier to assess encrypted traffic in a network based on the at least one portion of the decrypted traffic sent by the device and labeled as benign.
2 . The method as in claim 1 , further comprising:
deploying the machine learning-based traffic classifier to a node in the network, to detect a presence of malware in the network.
3 . The method as in claim 1 , wherein the particular data structure comprises a wrapper for the cryptographic key, the method further comprising:
identifying an encryption suite used by the device to encrypt the encrypted traffic; and identifying the particular data structure based on the encryption suite used by the device to encrypt the encrypted traffic.
4 . The method as in claim 1 , wherein capturing the memory dump of the device executing the malware sample comprises:
detecting a triggering condition to initiate the memory dump.
5 . The method as in claim 4 , wherein the triggering condition to initiate the memory dump comprises one of: a Change Cipher Spec message appearing in the encrypted traffic sent by the device, multiple socket.send( ) calls to a particular 5-tuple being observed, detecting multiple calls to a particular application programming interface (API) of the device.
6 . The method as in claim 1 , wherein identifying the cryptographic key based on the particular data structure in the memory dump that is captured comprises:
identifying a set of bytes in the memory dump having high entropy in comparison to bytes preceding or following the set of bytes in the memory dump.
7 . The method as in claim 1 , wherein the encrypted traffic sent by the device is encrypted using Transport Layer Security (TLS).
8 . An apparatus, comprising:
one or more network interfaces to communicate with a network; a processor coupled to the one or more network interfaces and configured to execute one or more processes; and a memory configured to store a process that is executable by the processor, the process when executed configured to:
capture a memory dump of a device in a sandbox environment executing a malware sample;
identify a cryptographic key based on a particular data structure in the memory dump that is captured;
use the cryptographic key that is identified to decrypt encrypted traffic sent by the device, resulting in decrypted traffic;
label at least one portion of the decrypted traffic sent by the device as benign; and
train a machine learning-based traffic classifier to assess encrypted traffic in a network based on the at least one portion of the decrypted traffic sent by the device and labeled as benign.
9 . The apparatus as in claim 8 , wherein the process when executed is further configured to:
deploy the machine learning-based traffic classifier to a node in the network, to detect a presence of malware in the network.
10 . The apparatus as in claim 8 , wherein the particular data structure comprises a wrapper for the cryptographic key, wherein the process when executed is further configured to:
identify an encryption suite used by the device to encrypt the encrypted traffic; and identify the particular data structure based on the encryption suite used by the device to encrypt the encrypted traffic.
11 . The apparatus as in claim 8 , wherein the apparatus captures the memory dump of the device executing the malware sample by:
detecting a triggering condition to initiate the memory dump.
12 . The apparatus as in claim 11 , wherein the triggering condition to initiate the memory dump comprises one of: a Change Cipher Spec message appearing in the encrypted traffic sent by the device, multiple socket.send( ) calls to a particular 5-tuple being observed, detecting multiple calls to a particular application programming interface (API) of the device.
13 . The apparatus as in claim 8 , wherein the apparatus identifies the cryptographic key based on the particular data structure in the memory dump that is captured by:
identifying a set of bytes in the memory dump having high entropy in comparison to bytes preceding or following the set of bytes in the memory dump.
14 . The apparatus as in claim 8 , wherein the encrypted traffic sent by the device is encrypted using Transport Layer Security (TLS).
15 . A tangible, non-transitory, computer-readable medium that stores program instructions, which when executed cause a computing device to execute a process comprising:
capturing a memory dump of a device in a sandbox environment executing a malware sample; identifying a cryptographic key based on a particular data structure in the memory dump that is captured; using the cryptographic key that is identified to decrypt encrypted traffic sent by the device, resulting in decrypted traffic; labeling at least one portion of the decrypted traffic sent by the device as benign; and training a machine learning-based traffic classifier to assess encrypted traffic in a network based on the at least one portion of the decrypted traffic sent by the device and labeled as benign.
16 . The tangible, non-transitory, computer-readable medium as in claim 15 , wherein capturing the memory dump of the device executing the malware sample comprises:
detecting a triggering condition to initiate the memory dump.
17 . The tangible, non-transitory, computer-readable medium as in claim 16 , wherein the triggering condition to initiate the memory dump comprises one of: a Change Cipher Spec message appearing in the encrypted traffic sent by the device, multiple socket.send( ) calls to a particular 5-tuple being observed, detecting multiple calls to a particular application programming interface (API) of the device.
18 . The tangible, non-transitory, computer-readable medium as in claim 16 , wherein identifying a cryptographic key based on a particular data structure in the memory dump that is captured comprises:
identifying a set of bytes in the memory dump having high entropy in comparison to bytes preceding or following the set of bytes in the memory dump.
19 . The tangible, non-transitory, computer-readable medium as in claim 16 , wherein the encrypted traffic sent by the device is encrypted using Transport Layer Security (TLS).
20 . The tangible, non-transitory, computer-readable medium as in claim 16 , wherein the process further comprises:
deploying the machine learning-based traffic classifier to a node in the network, to detect a presence of malware in the network.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.