MALWARE DETECTION ON ENCRYPTED TRAFFIC NETWORKS

Bibliographic Details
Main Author: Abdullah Munir, Muhammad
Format: Final Project
Language: Indonesia
Online Access:https://digilib.itb.ac.id/gdl/view/54465
Institution: Institut Teknologi Bandung
Description
Summary: In an era where information and communication technology has developed very rapidly, there are also many opportunities to commit cybercrime. One of them is the spread of malware. Malware generally requires communication with a command and control (C2) server, and one common channel for this is the HTTP protocol. HTTP has since been superseded by HTTPS (HTTP Secure), in which every payload is encrypted in transit by TLS, so a detection engine (IDS) can no longer see the communicated payload and cannot analyze it. This final project therefore builds a system that detects malware on encrypted traffic, specifically the HTTPS protocol. Detection is signature-based, and the data analyzed are the traffic packets carried over HTTPS, so a way to recover the encrypted payload is needed: TLS inspection with SSLsplit is used to obtain it. In the developed system, SSLsplit is modified by adding an exception-list filter, so that traffic to listed destinations is not intercepted. This reduces the load on the DPI server and protects user privacy, since private information would otherwise be likely to be recorded in the traffic logs. In the end, the system built around a DPI server works effectively to obtain the payload of HTTPS traffic; the payload is then used to detect malware with a conventional IDS (Suricata), and malware alerts can be viewed on a dashboard (EveBox). The developed system performs well: CPU utilization (2 cores, high-end class CPU) is 30.7% for 662 Mbps of traffic, and latency increases from 2.34 ms to 19.74 ms.
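The exception-list filter described in the abstract has to decide, before any certificate is forged, whether a connection is intercepted or passed through untouched, and the only hostname available at that point is the SNI in the client's ClientHello. The following is an added example, not code from the thesis and not SSLsplit's own implementation: it builds a minimal ClientHello (constructed test input), parses the server_name extension out of it, and applies an exception list in which entries are exact hostnames or `*.`-prefixed wildcards. The hostnames in `EXCEPTION_LIST` are hypothetical.

```python
"""
Added example (not from the thesis or SSLsplit): an SNI-based exception-list
filter that runs before TLS interception, of the kind the abstract describes.
"""
import struct
from typing import Iterable, Optional

# Hypothetical exception list: destinations whose traffic must not be inspected.
# "*.x" covers x and every subdomain of x; a bare name matches only exactly.
EXCEPTION_LIST = ("*.bank.example", "*.health.example", "login.example")


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS ClientHello record (constructed test input only)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"   # client_version, random, empty session_id
    body += b"\x00\x02\xc0\x2f"                    # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                            # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
        sn_list = struct.pack("!H", len(entry)) + entry                # ServerNameList
        extensions += b"\x00\x00" + struct.pack("!H", len(sn_list)) + sn_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:    # handshake record, client_hello
            return None
        hs_len = int.from_bytes(record[6:9], "big")
        p, end = 9, 9 + hs_len
        p += 2 + 32                                    # client_version + random
        p += 1 + record[p]                             # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
        p += 1 + record[p]                             # compression_methods
        if p + 2 > end:
            return None                                # no extensions block at all
        ext_total = struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        ext_end = p + ext_total
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if ext_type == 0x0000:                     # server_name
                q = p + 2                              # skip ServerNameList length
                if record[q] != 0:                     # only name_type host_name is defined
                    return None
                name_len = struct.unpack("!H", record[q + 1:q + 3])[0]
                return record[q + 3:q + 3 + name_len].decode("ascii")
            p += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def matches_exception(host: str, patterns: Iterable[str]) -> bool:
    """Exact or wildcard-suffix match; never a substring match (notbank.example stays inspected)."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            if host == pat[2:] or host.endswith(pat[1:]):
                return True
        elif host == pat:
            return True
    return False


def decide(record: bytes, patterns: Iterable[str] = EXCEPTION_LIST) -> str:
    """'passthrough' for listed destinations; everything else, including a missing
    or unparsable SNI, is 'intercept' so the IDS sees the payload by default."""
    sni = extract_sni(record)
    if sni is not None and matches_exception(sni, patterns):
        return "passthrough"
    return "intercept"


if __name__ == "__main__":
    for host in ("www.bank.example", "notbank.example", "login.example", "c2.evil.example", None):
        print(host, "->", decide(build_client_hello(host)))
```

Two points a practitioner would check in such a filter: the default for a ClientHello with no usable SNI is to intercept, so a gap in the list costs privacy rather than detection; and the SNI is asserted by the client, so malware on the host can claim an exempted hostname to escape inspection unless the passthrough is additionally tied to the destination address or to the server certificate observed in the untouched handshake.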