Deep Packet Dynamics (DPD) are network traffic traits and characteristics, agnostic to packet contents, used to create a historical inventory for behavioral profiling and fingerprinting, a technique equally effective with encrypted and unencrypted traffic.
ThreatEye NV’s DPD collects over 150 different traits and characteristics. DPD features include traffic characteristics such as producer/consumer ratio, jitter, RSTs, retransmits, sequence of packet lengths and times (SPLT), byte distributions, connection set up time, and round-trip time.
SPLT contains information about the sizes and timing of the connection’s packets. It records each packet’s length as the number of bytes of application payload, together with the interarrival times of those packets.
SPLT is represented as an array of packet sizes (in bytes) and an array of times (in ms) representing the time since the previous packet was observed. DPD uses SPLT to make inferences based on the behavior of the encrypted traffic itself.
For example, web browsing, email, and file downloads and uploads can all be differentiated based on their SPLTs.
Additionally, SPLTs tend to be inherently different for malware and typical network traffic.
Deep packet dynamics offers superior features that are well-suited for Machine Learning and effectively identify patterns and anomalies that other approaches miss.
Defending Networks using Deep Packet Dynamics
The advantages of using deep packet dynamics for network security can be illustrated through real-world attack scenarios.
Actions On Objectives – Hands On Keyboard
Once an attacker has compromised a target and has enabled C2, they have “hands-on keyboard” access. At this step, an attacker may escalate their privileges, perform internal reconnaissance, move laterally, exfiltrate data, and perform many other malicious acts.
This activity flows over encrypted C2 channels. Detecting and mitigating actions on objectives prevents attackers from causing any further damage. ThreatEye NV identifies encrypted “hands-on keyboard” access by analyzing keystroke dynamics detected over the network.
While machine typing is characterized by speed and consistency, human typing is distinguished by gaps and randomness. ThreatEye NV can identify hands-on keyboard traffic by analyzing packet and flow characteristics such as packet ordering, packet loss or delay, packet arrival times, and state transition times.
For example, human-initiated SSH connections have keystrokes at the beginning and end of an SSH connection. Therefore, if keystroke activity is not detected during the SSH connection, the traffic may not be human-generated SSH traffic.
Monitoring deep packet dynamic data can detect human keystroke activity in encrypted SSH sessions by analyzing client data size, server echo data size, client interarrival times, and gaps in the session.
Actions On Objectives – Exfiltration
With command and control and hands-on keyboard access, attackers can transfer data from an organization’s systems and devices. Attackers may also use the compromised target to transfer or store data stolen from other organizations. Attackers typically steal usernames and passwords, cryptographic keys, personally identifiable information (PII), financial information, and intellectual property.
Data is often exfiltrated over encrypted channels such as SSL/TLS, SSH, and other encrypted protocols. In some attacks, exfiltration occurs in bulk data transfers. In others, attackers use stealthy techniques such as timing channels to send small amounts of data to avoid detection. The combination of deep packet dynamics features with machine learning is used to detect data exfiltration by understanding application “fingerprints” and analyzing producer-consumer ratios (PCR).
Systems are both producers and consumers of data. Often web applications and Software as a Service (SaaS) produce characteristic patterns of data traversing the wire. Each system’s producer and consumer roles can be modeled as a producer-consumer ratio to identify the normal directionality of information transfer. The producer-consumer ratio may be modeled and monitored for network devices, servers, workstations, applications, and users.
Examining deep packet dynamics data can identify data exfiltration as anomalous activity via the producer-consumer ratio. For example, devices that primarily serve as a producer of data, such as a webserver, will have a PCR closer to 1.0. Conversely, devices that primarily function as a consumer of data, such as a web browsing client, will have a PCR closer to -1.0. Changes in PCR models may indicate a compromised device acting as a bot in a botnet, an asset used to transfer or store stolen data, or other data exfiltration activity.
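The PCR check described above can be sketched as follows. This is an added example, not ThreatEye NV's implementation: it assumes the commonly used definition PCR = (bytes sent - bytes received) / (bytes sent + bytes received), which matches the +1.0 producer and -1.0 consumer ends given in the text, and the host names, byte counts, and 0.5 shift threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (window, src, dst, application bytes sent src -> dst).
FLOWS = [
    ("baseline", "ws-17", "web-01", 4_000),
    ("baseline", "web-01", "ws-17", 900_000),
    ("baseline", "ws-17", "saas.example", 12_000),
    ("baseline", "saas.example", "ws-17", 600_000),
    ("current", "ws-17", "web-01", 5_000),
    ("current", "web-01", "ws-17", 850_000),
    ("current", "ws-17", "203.0.113.50", 48_000_000),  # unusual outbound volume
    ("current", "203.0.113.50", "ws-17", 150_000),
]


def pcr(sent, received):
    """Assumed formula: +1.0 = pure producer, -1.0 = pure consumer."""
    total = sent + received
    return None if total == 0 else (sent - received) / total


def host_pcr(flows, window):
    """Aggregate bytes per host for one time window and return {host: PCR}."""
    sent, received = defaultdict(int), defaultdict(int)
    for win, src, dst, nbytes in flows:
        if win == window:
            sent[src] += nbytes
            received[dst] += nbytes
    return {h: pcr(sent[h], received[h]) for h in set(sent) | set(received)}


def pcr_shifts(flows, monitored, threshold=0.5):
    """Return (host, baseline PCR, current PCR) where the role changed markedly."""
    base, cur = host_pcr(flows, "baseline"), host_pcr(flows, "current")
    alerts = []
    for host in monitored:
        b, c = base.get(host), cur.get(host)
        if b is None or c is None:
            continue  # host had no traffic in one window: nothing to compare
        if abs(c - b) >= threshold:  # threshold is an illustrative value
            alerts.append((host, round(b, 3), round(c, 3)))
    return alerts


if __name__ == "__main__":
    for host, b, c in pcr_shifts(FLOWS, ["ws-17", "web-01"]):
        print(f"{host}: PCR moved from {b} to {c}")
```

With the constructed data, the workstation that normally behaves as a consumer is flagged because its ratio swings toward the producer end, while the web server's ratio stays stable and is not reported.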