Publications
Exposing the Rat in the Tunnel: Tor-based Malware Detection Using Traffic Analysis
In this work, we present an AI-based traffic analysis approach to accurately identify Tor-based malware communication from a client network. We collect hundreds of Tor-based malware binaries, execute and examine more than 30,000 active encrypted malware connections and compare them with benign Tor traffic. We fingerprint malware C&C traffic and client-side behavior with traditional traffic analysis features and our novel host-level features, respectively.
Our experiments confirm that our models are able to detect "zero-day" malware connections with 0.5% FPR even when malware connections constitute less than 5% of Tor traces in the test set. Additionally, we are able to accurately infer the malware class type (e.g., ransomware, virus, worm, etc.). Finally, we validate the efficacy of our models on real-world enterprise logs and show that the classifier is able to identify the infected host even in the absence of connection-level features.
Paper Conference: ACM Computer & Communications Security (CCS) 2022
Sorting The Garbage: Filtering Out DRDoS Amplification Traffic in ISP Networks
In this work, we propose a novel idea to filter out garbage amplification traffic from ISP networks resulting from the abuse of UDP services (such as DNS, NTP, SMTP, etc.) in amplification attacks. We employ a special type of honeypot that collects information about ongoing DRDoS attacks, together with the Software-Defined Networking (SDN) paradigm, which offers a unified interface to deploy firewall rules on a large variety of network devices. The rules block incoming amplification requests from reaching amplifiers located within the provider network, protecting vulnerable services from being abused.
Such a solution prevents garbage traffic from leaving the ISP network, saving valuable bandwidth and thereby improving QoS. It also contributes to the victim's availability, because it stops the attack traffic midway, before it reaches the victim network.
Paper Conference: IEEE Network Softwarization (NetSoft) 2019
Poster Conference: ACM CCS 2019
Ministry Of Interior, Qatar
Network Logs Analysis & Threat Hunting Case Study
In this work, we conduct an investigative threat hunting/forensic analysis study over real-world network logs shared by the Ministry of Interior, Qatar. We analyze more than 600 million TCP/UDP/ICMP connections and their corresponding DNS, HTTP and SSL activity captured at the enterprise network using Zeek, a network traffic analysis tool.
Our study reveals ransomware infections in two ministries of the MOI, namely the Ministry of Public Health (MOPH) and the Ministry of Justice (MOJ). We identify traces of malware activity in the DNS logs, which reveal leaked Tor onion domains used for C&C by the WannaCry and BadRabbit ransomware.