Abstract

Friday 7 October 11:00 - 11:30, Red room

Josiah Hagen (Trend Micro TippingPoint)
Brandon Niemczyk (Trend Micro TippingPoint)
Jonathan Andersson (Trend Micro TippingPoint)

Intrusion prevention systems identify and block threats at high bandwidth choke points within a network, in-line with traffic and requiring real-time capability in order not to incur latency. IPS have been restricted to rules limited to string or pattern matching, whether they are blacklists of malicious IPs and domains or are patterns for some vulnerability or exploit. We have developed IPS support for evaluating statistical models which were learned through application of machine-learning techniques. The first threats we have targeted are exploit kits that make use of obfuscated HTML, including the ever-changing Angler Exploit Kit. Pattern recognition through use of regular expressions is not sufficient to identify and block these threats, because of their mutable nature. We are now able to block the Angler Exploit Kit with the IPS, over millions of flows at 20 Gb/s.

Our initial effort has been limited to processing linear models within the IPS. While these are simple models requiring no more calculation than a weighted sum of feature values, they are able to separate obfuscated HTML from benign web pages without false positives. We have begun by building models for the Angler Exploit Kit, and will extend this work to cover other prevalent exploit kits, such as Sweet Orange, Nuclear, KaiXin and others. Also we plan to extend our work to incorporate other types of models that are not linear but that can still be processed at line speed over large amounts of traffic.

While there are some intrusion detection systems that make use of machine-learning techniques like anomaly detection or even classification using models, these systems do not have the requirements of an IPS. An intrusion prevention system works in-line with traffic, able to block threats as they come across the wire. We can now block threats that cannot be stopped by matching regular expressions, in real-time, for bandwidth required at the perimeter of enterprise networks.
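The weighted-sum evaluation the abstract describes, as an added illustration that is not code from the authors or from the TippingPoint IPS. The four surface features (script entropy, symbol density, share of identifiers that mix letters and digits, script-to-page ratio), the sample pages and the model coefficients are all constructed here; a real model's weights come from training on labelled traffic, which the abstract does not reproduce. What it shows is why this can run at line speed: after one pass over the script text to compute features, the block decision is a dot product and a comparison, with no backtracking pattern engine involved.

```python
import math
import re

# Inline <script> bodies; case-insensitive, DOTALL so a body may span lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# JavaScript-style identifiers (also matches words inside string literals,
# which is acceptable for a cheap statistical feature).
IDENT_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")

FEATURE_NAMES = ("entropy", "symbol_ratio", "digit_ident_ratio", "script_ratio")

# Constructed stand-in for a learned linear model: these coefficients and the
# bias were chosen by hand for the constructed pages below. A production
# model's weights come from training on labelled traffic (not on the page).
MODEL = {"weights": [1.5, 4.0, 6.0, 1.0], "bias": -3.5}


def shannon_entropy(text: str) -> float:
    """Bits per character of the text's character-frequency distribution."""
    if not text:
        return 0.0
    counts: dict = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(html: str) -> list:
    """Single-pass surface statistics of the page's inline script.

    Each value is scaled to roughly [0, 1] so the weights stay comparable.
    """
    script = "".join(SCRIPT_RE.findall(html))
    if not script:
        return [0.0] * len(FEATURE_NAMES)
    n = len(script)
    entropy = shannon_entropy(script) / 8.0
    symbol_ratio = sum(1 for ch in script if not ch.isalnum() and not ch.isspace()) / n
    idents = IDENT_RE.findall(script)
    # Identifiers mixing letters and digits (aZq9XkLw3, x6c) are typical of
    # machine-generated obfuscation and rare in hand-written code.
    mixed = [i for i in idents if any(c.isdigit() for c in i) and any(c.isalpha() for c in i)]
    digit_ident_ratio = len(mixed) / len(idents) if idents else 0.0
    script_ratio = n / len(html)
    return [entropy, symbol_ratio, digit_ident_ratio, script_ratio]


def linear_score(features: list, model: dict = MODEL) -> float:
    """The entire in-line model evaluation: one weighted sum plus a bias."""
    return sum(w * x for w, x in zip(model["weights"], features)) + model["bias"]


def is_obfuscated(html: str, model: dict = MODEL, threshold: float = 0.0) -> bool:
    """Block decision: a score above the threshold means the flow is dropped."""
    return linear_score(extract_features(html), model) > threshold


def false_positive_rate(benign_pages: list, model: dict = MODEL) -> float:
    """Fraction of known-benign pages the model would block. In practice the
    threshold is tuned against a large benign corpus until this reaches zero."""
    flagged = sum(1 for page in benign_pages if is_obfuscated(page, model))
    return flagged / len(benign_pages) if benign_pages else 0.0


# Constructed sample pages (not captured traffic).
BENIGN_PAGES = [
    "<html><body><h1>Team update</h1><p>Sales rose 4% this quarter.</p></body></html>",
    """<html><head><title>Weekly report</title></head>
<body><h1>Team update</h1><p>Sales rose 4% this quarter.</p>
<script>
function toggle(id) {
  var el = document.getElementById(id);
  el.style.display = el.style.display === "none" ? "block" : "none";
}
</script>
</body></html>""",
    """<html><body><h1>Menu</h1><ul><li>Home</li><li>About</li><li>Contact</li></ul>
<script>$(document).ready(function(){ $("#menu").toggleClass("open"); });</script>
</body></html>""",
]

# Constructed imitation of the obfuscation style (random identifiers, hex-escaped
# string literals); the script merely reverses a string and is not an exploit.
OBFUSCATED_PAGE = r"""<html><body><div id="c"></div>
<script>var aZq9XkLw3=["\x48\x65\x6c\x6c\x6f","\x77\x6f\x72\x6c\x64"];var Wp0cVbN8yT=aZq9XkLw3[0]+aZq9XkLw3[1];var Hy7Gk2Pq=Wp0cVbN8yT.split("").reverse().join("");</script>
</body></html>"""

if __name__ == "__main__":
    for page in BENIGN_PAGES + [OBFUSCATED_PAGE]:
        feats = extract_features(page)
        print({k: round(v, 3) for k, v in zip(FEATURE_NAMES, feats)},
              "score=%.2f" % linear_score(feats), "block" if is_obfuscated(page) else "pass")
    print("false positive rate on benign set:", false_positive_rate(BENIGN_PAGES))
```

The part that matters for an in-line device is `linear_score`: feature extraction is a streaming pass over the payload, and the model itself costs one multiply-add per feature, which is what makes evaluating it on every flow at the perimeter feasible. The caveat a practitioner would check before trusting the "no false positives" claim is minified third-party libraries, which share some of these surface statistics (high symbol density, large script ratio) with obfuscated kits; the threshold has to be set against a benign corpus that includes them, and the digit-mixed identifier feature is the one that separates the two in this toy model.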