MALWARE DETECTION ON ENCRYPTED TRAFFIC NETWORKS
In an era where information and communication technology has developed very rapidly, there are also many opportunities to commit cybercrime. One of them is the spread of malware. Malware generally requires communication with a command and control server. One way to communicate is by using HTTP...
Saved in:
| Main Author: | |
|---|---|
| Format: | Final Project |
| Language: | Indonesia |
| Online Access: | https://digilib.itb.ac.id/gdl/view/54465 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Institut Teknologi Bandung |
| Language: | Indonesia |
| id |
id-itb.:54465 |
|---|---|
| spelling |
id-itb.:544652021-03-17T09:51:06ZMALWARE DETECTION ON ENCRYPTED TRAFFIC NETWORKS Abdullah Munir, Muhammad Indonesia Final Project malware, https, TLS inspection, encryption INSTITUT TEKNOLOGI BANDUNG https://digilib.itb.ac.id/gdl/view/54465 In an era where information and communication technology has developed very rapidly, there are also many opportunities to commit cybercrime. One of them is the spread of malware. Malware generally requires communication with a command and control server. One way to communicate is by using HTTP protocol. However, in the current era HTTP has received an upgrade, namely the presence of HTTPS or HTTP Secure. All payloads communicated via HTTPS will be end-toend encrypted. So that the detection engine (IDS) cannot know the communicated payload and cannot analyze it. So that in this final project will be built a system that can detect malware on encrypted traffic networks, especially in HTTPS protocol. In this final project, to detect malware, a signature-based approach will be used, with the data being analyzed are traffic packets that are sent on HTTPS protocol. Therefore, we need a way to get an encrypted payload. So an approach is used using TLS inspection using SSLSplit to get the payload. In the developed system, SSLSplit is modified by adding a exception list filter. This is done to reduce the burden on the DPI Server and to protect user privacy regarding private information that are likely to be recorded in the traffic logs. In the end, a system built with a DPI Server works effectively to get the payload of HTTPS traffic. Then the payload can be used to detect malware using conventional IDS (Suricata), then warnings of malware can be seen on the dashboard (EveBox). The system that has been developed has a good performance, with the use of CPU (2 cores, high-end class CPU) of 30.7% for 662 Mbps traffic. And there is an increase in latency from 2.34 ms to 19.74 ms. text |
| institution |
Institut Teknologi Bandung |
| building |
Institut Teknologi Bandung Library |
| continent |
Asia |
| country |
Indonesia Indonesia |
| content_provider |
Institut Teknologi Bandung |
| collection |
Digital ITB |
| language |
Indonesia |
| description |
In an era where information and communication technology has developed very rapidly, there are
also many opportunities to commit cybercrime. One of them is the spread of malware. Malware
generally requires communication with a command and control server. One way to communicate
is by using HTTP protocol. However, in the current era HTTP has received an upgrade, namely
the presence of HTTPS or HTTP Secure. All payloads communicated via HTTPS will be end-toend encrypted. So that the detection engine (IDS) cannot know the communicated payload and
cannot analyze it. So that in this final project will be built a system that can detect malware on
encrypted traffic networks, especially in HTTPS protocol.
In this final project, to detect malware, a signature-based approach will be used, with the data being
analyzed are traffic packets that are sent on HTTPS protocol. Therefore, we need a way to get an
encrypted payload. So an approach is used using TLS inspection using SSLSplit to get the payload.
In the developed system, SSLSplit is modified by adding a exception list filter. This is done to
reduce the burden on the DPI Server and to protect user privacy regarding private information that
are likely to be recorded in the traffic logs.
In the end, a system built with a DPI Server works effectively to get the payload of HTTPS traffic.
Then the payload can be used to detect malware using conventional IDS (Suricata), then warnings
of malware can be seen on the dashboard (EveBox). The system that has been developed has a
good performance, with the use of CPU (2 cores, high-end class CPU) of 30.7% for 662 Mbps
traffic. And there is an increase in latency from 2.34 ms to 19.74 ms. |
| format |
Final Project |
| author |
Abdullah Munir, Muhammad |
| spellingShingle |
Abdullah Munir, Muhammad MALWARE DETECTION ON ENCRYPTED TRAFFIC NETWORKS |
| author_facet |
Abdullah Munir, Muhammad |
| author_sort |
Abdullah Munir, Muhammad |
| title |
MALWARE DETECTION ON ENCRYPTED TRAFFIC NETWORKS |
| title_short |
MALWARE DETECTION ON ENCRYPTED TRAFFIC NETWORKS |
| title_full |
MALWARE DETECTION ON ENCRYPTED TRAFFIC NETWORKS |
| title_fullStr |
MALWARE DETECTION ON ENCRYPTED TRAFFIC NETWORKS |
| title_full_unstemmed |
MALWARE DETECTION ON ENCRYPTED TRAFFIC NETWORKS |
| title_sort |
malware detection on encrypted traffic networks |
| url |
https://digilib.itb.ac.id/gdl/view/54465 |
| _version_ |
1822001790231511040 |