This repository was archived by the owner on Feb 28, 2019. It is now read-only.
In this project we've tried to identify threats by using network analysis. to overcome the difficulties of the real world we've tried to break the project into multiple stages , so that if we couldn't finish the project , somebody else might get intersted and carry on the job.
4
+
5
+
6
+
7
+
## Stage Zero
8
+
9
+
In the very fist steps we must be capable of watching the network for any malware moving around, before any system gets infected.
10
+
11
+
* parse a [Pcap][pcap] file that was sniffed from network to get all passed URLs
12
+
* it must be capable of filtering the result by source or destination
13
+
14
+
15
+
16
+
## Stage One
17
+
18
+
We want to generalize the malware detection part eventually , but right now i think the [Cuckoo Sandbox][cuckoo] would be sufficient.
19
+
20
+
* create a workflow to analyse urls and files using [Cuckoo Sandbox][cuckoo]
21
+
* it must be capable of passing the urls that were from [Stage Zero][stagezero] to [Cuckoo Sandbox][cuckoo]
22
+
23
+
24
+
25
+
## Stage Two
26
+
27
+
Some of the current malwares in the wild are just a mutation of older ones, but due to lack of signature they cannot be detected , but maybe adding blacklisted hosts and community signature would help us to overcome that problem.
28
+
29
+
* use [Blacklists][blacklist] and [Signatures][signature] to increase the malware detection rate
30
+
31
+
32
+
33
+
## Stage Three
34
+
35
+
Some malwares would use known ports with their own protocol so they can evade detection , for example if some host is talking on port 443 but not using the https protocol, it is a little bit suspicious! don't you agree with me?
36
+
37
+
* use protocol analysis to detect unusual activity on known ports
38
+
39
+
40
+
41
+
## Stage Four
42
+
43
+
Many of the infected hosts will talk to [botnet C&C servers][botcnc] using [API][api] Call
44
+
45
+
* analyse http headers for any unsual http api call
46
+
47
+
48
+
49
+
## Stage Five
50
+
51
+
Many of the infected hosts contact their [botnet C&C servers][botcnc] periodically and/or with similar Packets , so in this stage we will introduce ways to detect those patterns and mark them as suspecius traffic.
52
+
53
+
****Time Based*** : infected host asks for specific (non whitelisted) dns name priodically.
54
+
****Dns Answer Based*** : in case many Dns name requests ends up with the same IP address (many APTs would try to hide by using different dns names for their C&C servers).
55
+
****TTL Value Based*** : packets that are transfered between infected hosts and C&C server have a very low TTL to be effective in running commands.
56
+
****Domain Name Based*** : another possible method is to check the percentage of meaningfull name in dns name.
57
+
58
+
59
+
60
+
## Stage Six
61
+
62
+
Do all the previous steps in *Realtime* (not from a saved [Pcap][pcap] file)
63
+
64
+
* another plus in this stage would be to check for any [IRC][irc] traffic to mark them as suspicious.
65
+
66
+
67
+
68
+
## Stage Seven
69
+
70
+
Use [WhiteList][whitelist] and [Machine Learning][maclearn] Algorithms to Lower down the [False Positives][falsepositive] .
71
+
72
+
## Stage Eight
73
+
74
+
If we're 100% sure that a network is clean ; for example in an Industrial Network when it's completely off the grid, and we've not connected any device to it; we can Train our program to consider all traffic in that stage clean , and the when we've connected our network to outside world we can use [Anomaly Detection][anomalydet] to increase our [Zero Day][zeroday] detection rate.
75
+
76
+
77
+
78
+
## Stage Nine
79
+
80
+
use [Traffic Classification][trafclass] to Manually analyse the suspecouis categories.
81
+
82
+
83
+
84
+
## Stage Ten
85
+
86
+
use [Dynamic Analyses][dynanal] and [Sandboxing][sandbox] to increase malware detection rate.
87
+
88
+
89
+
90
+
## ETC
91
+
92
+
and many other ideas that will be added gradually...
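Review bot: The four Stage Five items (lines beginning `****Time Based*** :`, `****Dns Answer Based*** :`, `****TTL Value Based*** :`, `****Domain Name Based*** :`) have unbalanced emphasis markers (four asterisks opening, three closing), so they will not render as bold list items the way the `*` bullets in the other stages do; write them as `* **Time Based**: ...` and so on. In the same list, the `TTL Value Based` item should say which TTL is meant: the neighbouring `Dns Answer Based` item suggests the DNS record TTL, but the wording ("packets that are transfered between infected hosts and C&C server have a very low TTL") reads like the IP header TTL, and "to be effective in running commands" does not explain either, so the detection rule cannot be implemented from this description as written. Every reference-style link label used in the file ([pcap], [cuckoo], [stagezero], [blacklist], [signature], [botcnc], [api], [irc], [whitelist], [maclearn], [falsepositive], [anomalydet], [zeroday], [trafclass], [dynanal], [sandbox]) needs a matching `[label]: URL` definition, and none appears in this hunk; confirm they exist elsewhere in the README, otherwise every link renders as literal bracketed text. Finally, please fix the spelling before merging: fist → first, intersted → interested, unsual → unusual, suspecius and suspecouis → suspicious, priodically → periodically, meaningfull → meaningful, transfered → transferred, "Dynamic Analyses" → "Dynamic Analysis".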
0 commit comments