A system for analyzing traffic without decrypting it. The method is simply called "machine learning": it turned out that if a very large volume of varied traffic is fed to a specially trained classifier, the system can detect, with a very high probability, the activity of malicious code inside encrypted traffic.

Network threats have changed and become smarter. The very concepts of attack and defense have changed recently. The number of events on the network has grown significantly, attacks have become more sophisticated, and attackers have a wider range of attack techniques at their disposal.
According to Cisco statistics, over the past year cybercriminals have increased 3 times the number of malicious programs that use encryption for their activity, or rather to hide it. It is known from theory that a "correct" encryption algorithm cannot be broken. To understand what is hidden inside encrypted traffic, you must either decrypt it knowing the key, or try to decrypt it by various tricks, by brute force, or by exploiting vulnerabilities in the cryptographic protocols.

Picture of the network threats of our time
Machine learning

BrainPort

Encrypted Traffic Analytics
Encrypted Traffic Analytics is part of Stealthwatch. Stealthwatch - Cisco , .
Stealthwatch Enterprise consists of the Flow Rate License, Flow Collector, Management Console and Flow Sensor.

Cisco Stealthwatch

Encrypted Traffic Analytics (ETA)

ETA

Man-in-the-Middle
Four data elements: TCP/IP, DNS, TLS and SPLT (SpaceWire Physical Layer Tester).

ETA

ETA

Stealthwatch
Abbreviations: ISR = Cisco Integrated Services Router; ASR = Cisco Aggregation Services Router; CSR = Cisco Cloud Services Router; WLC = Cisco Wireless LAN Controller; IE = Cisco Industrial Ethernet; ASA = Cisco Adaptive Security Appliance; FTD = Cisco Firepower Threat Defense; WSA = Web Security Appliance; ISE = Identity Services Engine.

ETA

460 IP addresses