US2022094529A1PendingUtilityA1

Passive decryption of encrypted traffic to generate more accurate machine learning training data

66
Assignee: CISCO TECH INCPriority: Aug 31, 2017Filed: Dec 6, 2021Published: Mar 24, 2022
Est. expiryAug 31, 2037(~11.1 yrs left)· nominal 20-yr term from priority
H04W 72/27G06N 7/01H04L 9/0894G06N 5/025G06N 20/00H04L 63/1416H04L 9/0822H04L 63/1458H04L 63/0428H04L 63/1441H04W 72/0426
66
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

In one embodiment, an apparatus captures a memory dump of a device in a sandbox environment executing a malware sample. The apparatus identifies a cryptographic key based on a particular data structure in the captured memory dump. The apparatus uses the identified cryptographic key to decrypt encrypted traffic sent by the device. The apparatus labels at least a portion of the decrypted traffic sent by the device as benign. The apparatus trains a machine learning-based traffic classifier based on the at least a portion of the decrypted traffic sent by the device and labeled as benign.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method comprising:
 capturing a memory dump of a device in a sandbox environment executing a malware sample;   identifying a cryptographic key based on a particular data structure in the memory dump that is captured;   using the cryptographic key that is identified to decrypt encrypted traffic sent by the device, resulting in decrypted traffic;   labeling at least one portion of the decrypted traffic sent by the device as benign; and   training a machine learning-based traffic classifier to assess encrypted traffic in a network based on the at least one portion of the decrypted traffic sent by the device and labeled as benign.   
     
     
         2 . The method as in  claim 1 , further comprising:
 deploying the machine learning-based traffic classifier to a node in the network, to detect a presence of malware in the network.   
     
     
         3 . The method as in  claim 1 , wherein the particular data structure comprises a wrapper for the cryptographic key, the method further comprising:
 identifying an encryption suite used by the device to encrypt the encrypted traffic; and   identifying the particular data structure based on the encryption suite used by the device to encrypt the encrypted traffic.   
     
     
         4 . The method as in  claim 1 , wherein capturing the memory dump of the device executing the malware sample comprises:
 detecting a triggering condition to initiate the memory dump.   
     
     
         5 . The method as in  claim 4 , wherein the triggering condition to initiate the memory dump comprises one of: a Change Cipher Spec message appearing in the encrypted traffic sent by the device, multiple socket.send( ) calls to a particular 5-tuple being observed, detecting multiple calls to a particular application programming interface (API) of the device. 
     
     
         6 . The method as in  claim 1 , wherein identifying the cryptographic key based on the particular data structure in the memory dump that is captured comprises:
 identifying a set of bytes in the memory dump having high entropy in comparison to bytes preceding or following the set of bytes in the memory dump.   
     
     
         7 . The method as in  claim 1 , wherein the encrypted traffic sent by the device is encrypted using Transport Layer Security (TLS). 
     
     
         8 . An apparatus, comprising:
 one or more network interfaces to communicate with a network;   a processor coupled to the one or more network interfaces and configured to execute one or more processes; and   a memory configured to store a process that is executable by the processor, the process when executed configured to:
 capture a memory dump of a device in a sandbox environment executing a malware sample; 
 identify a cryptographic key based on a particular data structure in the memory dump that is captured; 
 use the cryptographic key that is identified to decrypt encrypted traffic sent by the device, resulting in decrypted traffic; 
 label at least one portion of the decrypted traffic sent by the device as benign; and 
 train a machine learning-based traffic classifier to assess encrypted traffic in a network based on the at least one portion of the decrypted traffic sent by the device and labeled as benign. 
   
     
     
         9 . The apparatus as in  claim 8 , wherein the process when executed is further configured to:
 deploy the machine learning-based traffic classifier to a node in the network, to detect a presence of malware in the network.   
     
     
         10 . The apparatus as in  claim 8 , wherein the particular data structure comprises a wrapper for the cryptographic key, wherein the process when executed is further configured to:
 identify an encryption suite used by the device to encrypt the encrypted traffic; and   identify the particular data structure based on the encryption suite used by the device to encrypt the encrypted traffic.   
     
     
         11 . The apparatus as in  claim 8 , wherein the apparatus captures the memory dump of the device executing the malware sample by:
 detecting a triggering condition to initiate the memory dump.   
     
     
         12 . The apparatus as in  claim 11 , wherein the triggering condition to initiate the memory dump comprises one of: a Change Cipher Spec message appearing in the encrypted traffic sent by the device, multiple socket.send( ) calls to a particular 5-tuple being observed, detecting multiple calls to a particular application programming interface (API) of the device. 
     
     
         13 . The apparatus as in  claim 8 , wherein the apparatus identifies the cryptographic key based on the particular data structure in the memory dump that is captured by:
 identifying a set of bytes in the memory dump having high entropy in comparison to bytes preceding or following the set of bytes in the memory dump.   
     
     
         14 . The apparatus as in  claim 8 , wherein the encrypted traffic sent by the device is encrypted using Transport Layer Security (TLS). 
     
     
         15 . A tangible, non-transitory, computer-readable medium that stores program instructions, which when executed cause a computing device to execute a process comprising:
 capturing a memory dump of a device in a sandbox environment executing a malware sample;   identifying a cryptographic key based on a particular data structure in the memory dump that is captured;   using the cryptographic key that is identified to decrypt encrypted traffic sent by the device, resulting in decrypted traffic;   labeling at least one portion of the decrypted traffic sent by the device as benign; and   training a machine learning-based traffic classifier to assess encrypted traffic in a network based on the at least one portion of the decrypted traffic sent by the device and labeled as benign.   
     
     
         16 . The tangible, non-transitory, computer-readable medium as in  claim 15 , wherein capturing the memory dump of the device executing the malware sample comprises:
 detecting a triggering condition to initiate the memory dump.   
     
     
         17 . The tangible, non-transitory, computer-readable medium as in  claim 16 , wherein the triggering condition to initiate the memory dump comprises one of: a Change Cipher Spec message appearing in the encrypted traffic sent by the device, multiple socket.send( ) calls to a particular 5-tuple being observed, detecting multiple calls to a particular application programming interface (API) of the device. 
     
     
         18 . The tangible, non-transitory, computer-readable medium as in  claim 16 , wherein identifying a cryptographic key based on a particular data structure in the memory dump that is captured comprises:
 identifying a set of bytes in the memory dump having high entropy in comparison to bytes preceding or following the set of bytes in the memory dump.   
     
     
         19 . The tangible, non-transitory, computer-readable medium as in  claim 16 , wherein the encrypted traffic sent by the device is encrypted using Transport Layer Security (TLS). 
     
     
         20 . The tangible, non-transitory, computer-readable medium as in  claim 16 , wherein the process further comprises:
 deploying the machine learning-based traffic classifier to a node in the network, to detect a presence of malware in the network.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.