INITIALISATION VECTOR IDENTIFICATION FOR ENCRYPTED MALWARE TRAFFIC DETECTION

摘要

A method for identifying malicious encrypted network traffic associated with a malware software component communicating via a network, the method including, for the malware, a portion of network traffic including a plurality of contiguous bytes occurring at a predefined offset in a network communication of the malware; extracting the defined portion of network traffic for each of a plurality of disparate encrypted network connections for the malware; training an autoencoder based on each extracted portion of network traffic, wherein the autoencoder includes: a set of input units each for representing information from a byte of an extracted portion; output units each for storing an output of the autoencoder; and a set of hidden units smaller in number than the set of input units and each interconnecting all input and all output units with weighted interconnections, such that the autoencoder is trainable to provide an approximated reconstruction of values of the input units at the output units; selecting a set of one or more offsets in the definition of a portion of network traffic as candidate locations for communication of an initialization vector for encryption of the network traffic, the selection being based on weights of interconnections in the autoencoder; and identifying malicious network traffic based on an identification of an initialization vector in the network traffic at one of the candidate locations.