Technology in the Stratosphere IPS Project
The core of the Stratosphere IPS is composed of what we called network behavioral models and detection algorithms. The behavioral models represent what a specific connection does in the network during its life time. The behavior is constructed by analyzing the periodicity, size and duration of each flow. Based on these features each flow is assigned a letter and the group of letters characterize the behavior of the connection.
For example, the connection identified with the 4-tuple 10.0.2.106-220.127.116.11-80-tcp, that was assigned the label From-Botnet-V1-TCP-CC102-HTTP-Custom-Encryption had the following behavioral model:
11aaaaaaaaaaabrrctrraaaAaaaaaAaaaaaaaaaaaaaaaaaAAAaaaaaaaaaaaaaaaaaaaAaAaaa aaaaaaaaaaaaaaaaaaaaAAaaaaaaaaAAaaaaaaaaaaaaaaaaaaaaaaaaAAAAaaaaaaaaAAaaAAa aaaaaaaaaaaaaaaaaaaaAAaaaaaaaaaAAaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAaAaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAaaaaaaaaaaa(…)
This chain of states that we call the behavioral model highlight some of the characteristics of the C&C channel. In this case it tell us that that flows are highly periodic (letters ‘a’, ‘b’, ‘c’, and ‘A’), with some lost periodicity near the beginning (letters ‘r’ and ‘t’). The flows were also rather small and short. Using this models we are able to generate the behavioral characteristics of a large number of malicious actions.
Our detection algorithms use our known malicious behavioral models to detect new suspicious connections in the network. The detection is currently done using Markov Chains-based algorithms. Please see the Publications section for technical details about the algorithms.
The first part of our algorithm consist in learning and labeling the ground-truth traffic. This traffic is used to create verified models of network behaviors that are known and stable. Not all the models seen in the malicious traffic are used, since the models should have certain properties. For example, each model has a specific detection performance that has to be evaluated before putting it on production.
The second part of the algorithm consists in using these known and verified ground-truth models to detect similar behaviors in unknown networks. The Stratosphere IPS will capture traffic in a client computer and it will compare each unknown connection to the known models of traffic behavior. Because how the detection is done and how the models are created, each behavioral model can match a wide range of similar behaviors without being too general. The models are then useful to find similar behaviors without the risk of generating too much False Positives.
The Stratosphere IPS is not strictly an IPS in the sense that it can not prevent the intrusion. We use the IPS acronym because the Stratosphere IPS can block malicious connections using the firewall in your computer. However, due to the nature of the traffic connections, the Stratosphere IPS needs some time to detect the malicious behavior and hence can not block the first packets in the connection. The Stratosphere IPS can detect and block very subtle and dangerous network connections, and so it should be seen as a complement of current network security measures.