
GT - DoH Deception: Evading ML-Based Tunnel Detection with Black-Box Attack Techniques

BSides Las Vegas · 41:30 · 44 views · Published 2024-09

About this talk

Ground Truth, Wed, Aug 7, 16:00 - 16:45 CDT

This presentation is part of a graduate research project that delves into the vulnerabilities of Machine Learning (ML) models specifically designed to detect DNS over HTTPS (DoH) tunnels. Previous research has primarily focused on developing models that prioritize accuracy and explainability. However, these studies have often overlooked the potential of adversarial attacks, leaving the models vulnerable to common adversarial attacks like black-box attacks. This presentation will demonstrate that all cutting-edge DoH tunnel detection models are vulnerable to black-box attacks. Our approach leverages real-world input data generated by DoH tunnel tools, which are used as constraints in the attack algorithm. Moreover, we will show specific vulnerable features that model developers should avoid. When this feature type is taken into account, we successfully evaded all DoH tunnel detection models without using advanced techniques. Notably, the audience can use the same methods to evade most Machine Learning-based Network Intrusion Detection Systems, underlining our findings' immediate and practical implications.

Speaker: Emanuel Valente

Transcript (en)

Hi everyone, thanks for joining. In this presentation at BSides Las Vegas, I'm thrilled to be here. I'd like to thank BSides for the opportunity; it's the first time as a speaker. So let's dive in. This is the quick overview of the presentation: we're going to start with the introduction, then we're going to define some concepts that are important to understand the research, and next we're going to see adversarial attacks. By the end of the presentation I will show you a real-world demonstration and also provide all the source code so that you can reproduce the experiments, and by the end we're going to conclude our presentation.

So who am I? I'm a security engineer at iFood, with more than 20 years of experience in networking and cyber security. I've also been focused on machine learning for the past two years, and I'm also a master's student at the University of São Paulo. About iFood: iFood is the biggest food delivery company in Latin America; it operates in Brazil. It's been a data-driven company since the beginning; just to give you an idea, iFood now has more than 2,000 machine learning models running in production. Why am I here? This presentation was designed for everyone, including those who don't have any prior experience with machine learning.

So although this content is based on DoH, by the end of the presentation I will show you the generic algorithm so that you can attack any machine learning model, any machine learning model. So stay here; I'm sure that you can pick up the techniques that we will discuss here. OK, so starting in the 90s, attackers established DNS tunnels between the victim machines and the attacker machine. The attackers would be able to exfiltrate data and do command and control, and here is a paper that summarizes all of this. In 2010 we got the first machine learning models to identify those tunnels. In the very beginning we got some neural networks, but now the state-of-the-art models are ensemble models like gradient boosting, extreme gradient boosting, and models like that. And today, this is the scope of my research: we're going to attack those models so that we can bypass the model with the communication going through the tunnel. I will show how in a few moments, and we'll also defend the model against those attacks.

OK, now some basic concepts. We have traditional DNS and the new DoH, which is DNS over HTTPS. Basically you have a DNS payload inside the HTTPS payload. Why is that? Because DoH solves many problems of the old DNS, like privacy and eavesdropping and things like that. Here's an example of a DoH query using the Cloudflare DoH server.

This image summarizes the tunnel. What we have here: in the red arrow we have the actual malicious tunnel; it uses just the DNS infrastructure, all the traffic is going through the tunnel using the DNS infrastructure. And in black arrows we have the regular traffic, like web traffic and regular DoH traffic.

OK, now, these are the most common tools that you can use to create tunnels. All of them are open source. I prefer using dnstt because it is new and it's written in Go, so it's easy to understand, and all of our experiments are based on dnstt. Here is the big picture of dnstt. On the backend side I have the applications that send the data to the tunnel, and on the other side I have the application running on the client side; here it could be, for instance, a compromised machine, and here I have the attacker machine. Now I'm going to show you the first demonstration. It's a minimal DNS tunnel. Why I'll show that: because we're going to use the same infrastructure to build our main demonstration.

OK, let's pause here. In the left column we have the attacker machine; it's an EC2 instance running on AWS with the elastic IP. On the right side I have the infected machine. I just log in on AWS to establish the tunnel. It's important to mention here that we don't have any model evaluating the connection; we're going to discuss that in a few moments.

OK, here's netcat on the attacker machine; on the other side we close the tunnel, testing the communication: "hi", and "hi" was received here on the other side. OK, important: I will provide all the videos in the repository, the videos and the presentation.

OK, so let's talk about network features. We use network features from network flows; basically we're going to get features from the pcap file. You can, for example, use tcpdump for getting those features from the network. Here's an example of how to get them: you can use a tool called DoHLyzer; it's an open source tool that can capture and convert your data into CSV format, and you can also use DoHLyzer for both capturing and converting to CSV format. Here are the models that are state of the art; in red is the gradient boosting model that we will build and attack here.

Now, just to recap, or for those who don't know adversarial attacks, just to summarize: our model is represented by the f function; f is our model, x is our input, our network features, and y is the label. In our case it could be benign connections or malicious connections from a tunnel. When I create some perturbation delta, we can do the inference again using that perturbation, and ultimately the model can predict another class. So for instance I could have a malicious connection here, and after the perturbation I can have a benign flow. Here's an example using images. This image is from the Goodfellow paper. On the left side we have a panda; in the middle we have a perturbation, it looks like random bytes but there's a logic behind it, because when I sum up the two images, the third image is the result of the sum. At the end, the last image is classified as a gibbon, which is a kind of monkey; in Portuguese it's "gibão".

Now, the definition of white box. Different from a traditional pentest, in machine learning lingo, white box is when the attacker has access to the model architecture, like the weights, the derivatives, and all the information about the model. In modern attacks, the attacks are stated as a minimization problem. Here we have the distortion and the loss. Distortion is how big our perturbation is, and the loss is how far I am from the target label. So here, for example, my target label is benign and my actual label is malicious. Alpha and beta are factors that act as a threshold to say which factors can contribute more during the process of minimization. By the end I have an array of adversarial examples here, after the minimization problem. On the other hand, in a black-box attack I don't have access to the model architecture; I just have access to the inference endpoint. OK, so in this equation I don't have the derivatives here; I just have access to the inference endpoint. So to implement our attacks we're going to use the ART framework; it's a widely used framework nowadays. Here's an example of how we can generate a black-box attack: we just install it with pip, and then you can load the model; you create an object of the model. Remember it's a black-box attack; this object guarantees that we just have access to the inference endpoint, the inference method of the model. And here is where the actual attack occurs.

OK, so now this is a special case of black-box attack; it's called the zeroth-order optimization attack. This kind of attack is used when you don't have access to the derivatives, or when you can access the derivative but it is infeasible to calculate, so you can use the zeroth-order optimization attack. Why zero? Because you don't have access to the derivative, but you can simulate a derivative. In this case the simulation is the difference between the actual inference and the perturbed inference. And to minimize we use the Adam optimizer. If you would like, we can discuss the minimization process. We use binary search to find the optimal value of c here, and we use the L2 norm to calculate our distortion. This is called the vanilla attack because it's the original ZOO attack; we call it vanilla because there's no modification compared to the original attack.

OK, you can run this attack using the repository. These are the steps that you must follow to replicate those attacks; all the details you can find in the repository. The vanilla attack: you're going to get a high success rate because the algorithm has freedom to attack, but on the other hand you're going to get some weird results, like negative time for time-based features, huge packet sizes like gigabytes and terabytes, and it attacks complex features like the coefficient of variation of packet time. How can I instrument the tool to create the same result as the attack? Impossible. To solve this problem we came up with the targeted attack, the ZOO Target. This attack was created during my research. Basically we create two more arguments, in red here. The first argument is the tunnel tool limits, which say the minimum and maximum values of the features that I will attack, and the second new argument is the feature list, an array containing all the features I want to attack. OK, after running this attack you're going to get a low success rate, but that's OK, because you can see all the results of those attacks and you just need one instance of success. Having that, you can see the values of the features and you can reproduce them using your tool, to achieve those values and bypass the tunnel detection.

Here's a notebook to run the new attack. And now a generic algorithm to attack any model. We're going to go through that together in detail, and after that I will show the demonstration. So the first step is having the tool. It could be a DoH tunnel tool, but if you have another model to attack and another tool, you can use that tool. In our case we use dnstt; dnstt is our main tool in this case, but you can use any. Step two: you need to create the connections using some tool for capturing, like tcpdump, Wireshark, Scapy or DoHLyzer. Here we use tcpdump; in the repository I give the details to reproduce this.

Step three: you have to identify which features to attack. Let me show you the details here. In the pcap you have 28 possible features to attack. Which can I choose? The best features are the ones that you can modify, like packet size, response time, request time. So these are the best features to choose, but it's important to mention that the model must use the same feature you are attacking; it's the only requirement. Number four: you have to set the limits of your tool. Here is the notebook that you can use to get the limits of your tool. Basically you just need to specify the CSV file, and the notebook will calculate the limits of your tool. After that you're going to get this file here with the limits of your tool for each feature, and after that, knowing the limits of your tool, the possibilities of your tool, you can define greater or smaller values for each one. Of course you don't want to add negative numbers for time features. Here's an example of modified limits. For example, the first one is "flow bytes sent"; in flow bytes sent I put 0.9. This data is normalized, so I put not the maximum, but close to the maximum value, 0.9. OK, after that you execute your attack, the targeted attack; just run the notebook here, I'll show you.

Here we specify which feature to attack and then just run this attack. And number six: identify the most altered features, like the top four, using absolute value. Here the attack was able to attack 22 instances, and the five most altered features were those. So the last step is to apply these values on your tool. OK, I'm going to run the final demo, where we use this attack to bypass the real scenario.

Now let me explain here. On the left side we have the attacker machine on AWS. Now there's a new guy in the middle: in the middle we have our model, and a script that loads the model and captures all the traffic; at the same time it converts the features to the normalized format so that the model can predict if the connection is benign or malicious. All that is available in the repository for you. On the right side I have the infected machine. Instead of using netcat in the backend we'll use a Python script to add our feature values that we got from the attack. OK, logging in on AWS.

Here I just passed the model path. You can create your own model using your own data; there are all the steps that you can follow in order to replicate the experiments. So as you can see, it loaded the gradient boosting model, a joblib file, and started listening for connections. And now I'm starting tcpdump on port 443, and the tunnel is closed. So now I'm going to use the file to send data to the model, the same file I used to train the model. Let me show here: it just connects to port 7000 and generates data. OK, and the model will predict the connection. tcpdump here is predicting as malicious, as expected, because we trained the model on it as malicious.

After that I'm going to use the feature values that we got from the attack. That's important: you don't need to put the exact value; what matters here is the magnitude of the value, like 10, 100, a thousand. OK, important: start adding one feature at a time; if it doesn't work you're going to increase the number of features until the model classifies it as benign.

Here we're going to choose the packet size: 2,000 bytes, 2 kilobytes. That's important: the flow time by default is 2 seconds; you can change it inside the DoHLyzer tool to modify your flow. Our flow time is 2 seconds. And now we're going to put 2 kilobytes as the packet size, and the model will classify it as benign, because we could bypass the model. I'm going back and forth using benign and malicious. You can use the same technique for any model and it works. OK, I'm going to upload this video so you can check it in your own time.

So to wrap up, this algorithm can be applied to any model, this technique, the same attack. For defending: the most basic technique to defend is to train your model using the same adversarial examples, which means that you're going to get the features attacked and you use the same attack data to train your model. Another suggestion is to not use features that are changeable by the user, like packet time or any other time-based feature, or any feature that depends on the size that the user can change. You can also use some auxiliary model to detect those kinds of modifications. To conclude: by adding constraints to the vanilla zeroth-order attack, we could bypass the DoH model, and we were also able to create a generic algorithm to attack any model that you can use.

Future work: our goal here is to validate the same technique with other kinds of problems, like actual NIDS models. We also want to identify other feasible techniques using other black-box algorithms, and we are open to contributors. Here's the contact for Dr. Loreno and Dr. Julio, and all the source code is available on this GitHub; feel free to take pictures. And that's it. If people have questions, you can just come to the...

Q: Are there Snort or Suricata modules that will detect this type of DoH tunneling?

A: I'm not sure, I'm sorry.

Q: Are there Snort or Suricata rules or modules which will detect it?

A: Yes, Suricata rules were available in the 90s for tunnel detection, but they are rule-based, so they are limited. But when you create the models you have more flexibility; the rate of success is higher. But if you don't have anything, of course, go use Suricata, that's OK.

Q: Thanks. Well done, Emanuel, great presentation, amazing to see what's happening down there in Brazil at iFood, fantastic work. My impression is that you have a really complex framework to work with, at least from a beginner's mindset, I would say. I just wanted to learn from you how generic the tools that you have created are currently, so that they could be used for any sort of pcap handling. So my question relates to pcap: how generic is the framework currently in accepting the ingestion of pcap feeds?

A: Good question. Nowadays pcap basically is the standard for the network models, so in any paper you're going to see all the network features are based on pcap, so it's easy to find tools that support pcap features in the wild.

Q: All right, let me also mention, if I may, that Nelu, our friend, is watching on YouTube, so he sends kind regards to you. Thanks. And also, if I wanted to start, like, I know cyber security, I don't really understand machine learning models, from a research perspective, pure research, what would be the first steps you would advise for the general public?

A: I'm kind of biased, but you can start using Kaggle. You can, for instance, learn basic machine learning, machine learning 101, but you can also get the writeups from the AI Village CTF on machine learning; you can learn a lot with that. I learned a lot reading that, even at the beginning, because you're going to get different answers to the same problem, and it is wonderful to learn.

Q: I see. And if I still may, sorry, I understand this is almost pure research, you don't really need to have a clear goal, but I would like to ask you: are you pursuing some sort of particular goal with this tool set that you're building and the contributions that you're making? Is there any research question that you want to answer with this platform that you're building? I don't know, let me try to guess: let's say, do you want to improve iFood security in a certain aspect of the platform by conducting this kind of research, or is it open research where anyone can figure out what they want to do with your attack models?

A: The goal here is open research, so that all the people in the world can contribute and benefit from the research. Of course iFood will benefit from that, but the main goal is to open the research for everyone.

Q: Yeah, as the gentleman said here before, eventually this could be part of some sort of intrusion detection improvement in the future, like tools such as, for example, Snort and Suricata could benefit from any sort of improvement you're doing in the AI field to improve detection engineering, maybe?

A: Yes, but it's important to mention here: where can I find those kinds of models? For instance, I'm sure that CrowdStrike runs that, not on your machine but in the cloud, of course much better than I did here, but it's a starting point to learn things and in the future contribute to more impactful research.

Q: All right, thank you very much and congratulations.

A: Thank you very much.
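The constrained ZOO step (feature list plus tool limits) and the "most altered features" step of the talk's generic algorithm, as an added example that is not the talk's or its repository's code: the detector is a constructed stand-in that exposes only predict(), and the feature names, the limits and the sample flow are all hypothetical. Run against your own detector, this shows which features an evasion can shift without leaving the range a real tool can produce, which is exactly the feature type the talk recommends avoiding.

```python
import math

# Constructed stand-in for a DoH-tunnel detector; the attacker only calls
# predict(), mirroring the talk's inference-only black-box setting.
# Feature names and tool limits are hypothetical, modelled on the talk's examples.
FEATURES = ["packet_size", "flow_duration", "request_time", "cov_packet_time"]
TOOL_LIMITS = {"packet_size": (40.0, 2000.0), "flow_duration": (0.1, 2.0)}
MALICIOUS_FLOW = {"packet_size": 120.0, "flow_duration": 2.0,
                  "request_time": 0.05, "cov_packet_time": 0.6}

def predict(x):
    """Black-box endpoint: returns P(malicious) for one flow-feature dict."""
    z = (-0.004 * x["packet_size"] + 0.8 * x["flow_duration"]
         + 3.0 * x["cov_packet_time"] - 0.5 * x["request_time"] + 1.5)
    return 1.0 / (1.0 + math.exp(-z))

def zoo_targeted(model, x0, feature_list, limits, c=0.05, lr=0.05, h=0.01, steps=200):
    """Zeroth-order attack with the talk's two extra arguments: the list of
    features allowed to change and the min/max the tunnel tool can produce.
    Works in normalized [0, 1] coordinates so the limits are never exceeded."""
    lo = {f: limits[f][0] for f in feature_list}
    span = {f: limits[f][1] - limits[f][0] for f in feature_list}
    u0 = {f: (x0[f] - lo[f]) / span[f] for f in feature_list}

    def to_raw(u):  # map normalized coordinates back to feature values
        x = dict(x0)
        for f in feature_list:
            x[f] = lo[f] + u[f] * span[f]
        return x

    def loss(u):  # misclassification term + c * L2 distortion, as in the talk
        dist = sum((u[f] - u0[f]) ** 2 for f in feature_list)
        return max(model(to_raw(u)) - 0.5, 0.0) + c * dist

    u = dict(u0)
    m, v = dict.fromkeys(feature_list, 0.0), dict.fromkeys(feature_list, 0.0)
    for t in range(1, steps + 1):
        for f in feature_list:
            # simulated derivative: finite difference of two black-box queries
            up, dn = dict(u), dict(u)
            up[f], dn[f] = min(1.0, u[f] + h), max(0.0, u[f] - h)
            g = (loss(up) - loss(dn)) / (up[f] - dn[f])
            # Adam update, then clip to the tool's limits
            m[f] = 0.9 * m[f] + 0.1 * g
            v[f] = 0.999 * v[f] + 0.001 * g * g
            m_hat, v_hat = m[f] / (1 - 0.9 ** t), v[f] / (1 - 0.999 ** t)
            u[f] = min(1.0, max(0.0, u[f] - lr * m_hat / (math.sqrt(v_hat) + 1e-8)))
        if model(to_raw(u)) < 0.5:  # stop at the first successful instance
            break
    x_adv = to_raw(u)
    return x_adv, model(x_adv) < 0.5

def most_altered(x0, x_adv, feature_list, limits, top=4):
    """Step 6 of the talk: rank attacked features by absolute normalized change."""
    change = {f: abs(x_adv[f] - x0[f]) / (limits[f][1] - limits[f][0])
              for f in feature_list}
    return sorted(feature_list, key=lambda f: change[f], reverse=True)[:top]

if __name__ == "__main__":
    attacked = ["packet_size", "flow_duration"]
    adv, evaded = zoo_targeted(predict, MALICIOUS_FLOW, attacked, TOOL_LIMITS)
    print("P(malicious) before/after:", round(predict(MALICIOUS_FLOW), 3),
          round(predict(adv), 3), "evaded:", evaded)
    print("most altered:", most_altered(MALICIOUS_FLOW, adv, attacked, TOOL_LIMITS))
```

Features not in the feature list (here request_time and cov_packet_time) are left untouched, which is what makes the result reproducible with a real tool, unlike the vanilla attack's negative times and terabyte packets.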