There is no large-scale cybercrime without its backbone: Command and Control (C&C) servers and the spambots they direct.
Building a tool that spots suspicious traffic is challenging mainly because of the gargantuan volume of real-time data that must be analyzed; the number of factors to consider when making predictions makes the task harder still.
The pattern of traffic flowing to and from C&C servers is repeatable, and is therefore amenable to pattern recognition techniques.
The model deepsense.ai built draws on a variety of techniques including random forests as well as convolutional and recurrent neural networks.
The model takes into account variables including:
The domains a suspicious IP connected to
Internet usage, including how often the most popular internet sites were visited (Google, Facebook, Netflix etc.)
The frequency of DNS lookups
How many other hosts the suspicious IP communicated with
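To make the feature stage concrete, here is an added example (constructed for this page, not deepsense.ai's code) that turns raw connection and DNS log lines into the per-IP variables listed above, plus one extra feature that captures the repeatable traffic pattern mentioned earlier: how regularly a host re-contacts the same destination (beaconing). The log lines, the popular-site list, the field layout and the rule-based scoring thresholds are all assumptions; the real system's random forest and neural networks are not reproduced here, and the score merely shows how such features feed a ranking that yields a daily list of suspects.

```python
"""Per-IP feature extraction and ranking for C&C / bot candidates.

Constructed example, not deepsense.ai's code. The log lines, the
POPULAR_SITES list and the weights in suspicion_score() are assumptions
made for illustration; the learned model (random forest + CNN/RNN)
described on the page is not reproduced here.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log: "<epoch seconds> <src_ip> <kind> <dst_host> <dst_ip>"
# kind is "dns" (a DNS lookup) or "conn" (a TCP/UDP connection).
# 10.0.0.5 browses popular sites; 10.0.0.9 beacons to one domain every
# 600 s and then fans out to several mail servers (spambot-like).
SAMPLE_LOG = """\
1000 10.0.0.5 dns www.google.com 8.8.8.8
1001 10.0.0.5 conn www.google.com 142.250.1.1
1300 10.0.0.5 dns www.netflix.com 8.8.8.8
1301 10.0.0.5 conn www.netflix.com 52.1.1.1
2000 10.0.0.5 conn www.facebook.com 157.240.1.1
1000 10.0.0.9 dns a1b2c3.example-cc.net 8.8.8.8
1001 10.0.0.9 conn a1b2c3.example-cc.net 203.0.113.7
1600 10.0.0.9 dns a1b2c3.example-cc.net 8.8.8.8
1601 10.0.0.9 conn a1b2c3.example-cc.net 203.0.113.7
2200 10.0.0.9 dns a1b2c3.example-cc.net 8.8.8.8
2201 10.0.0.9 conn a1b2c3.example-cc.net 203.0.113.7
2800 10.0.0.9 dns a1b2c3.example-cc.net 8.8.8.8
2801 10.0.0.9 conn a1b2c3.example-cc.net 203.0.113.7
2805 10.0.0.9 conn mail.victim-a.example 198.51.100.1
2806 10.0.0.9 conn mail.victim-b.example 198.51.100.2
2807 10.0.0.9 conn mail.victim-c.example 198.51.100.3
"""

# Assumed list of "most popular sites"; a real deployment would use a top-N list.
POPULAR_SITES = {"www.google.com", "www.facebook.com", "www.netflix.com"}


def parse_log(text):
    """Parse the constructed log format into (ts, src_ip, kind, host, dst_ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, host, dst = line.split()
        records.append((int(ts), src, kind, host, dst))
    return records


def beacon_regularity(timestamps):
    """Regularity of inter-arrival times to one destination.

    1.0 means perfectly periodic; the value falls toward 0 as jitter grows.
    Fewer than three events cannot establish a period, so return 0.0.
    """
    if len(timestamps) < 3:
        return 0.0
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    if m == 0:
        return 0.0
    cv = pstdev(gaps) / m  # coefficient of variation of the gaps
    return round(1.0 / (1.0 + cv), 3)


def extract_features(records):
    """Compute the per-source-IP variables the page lists, plus beaconing."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec[1]].append(rec)
    feats = {}
    for ip, recs in by_ip.items():
        recs.sort()
        conns = [r for r in recs if r[2] == "conn"]
        dns = [r for r in recs if r[2] == "dns"]
        # observation window in hours; floor at one second to avoid division by zero
        span_h = max(recs[-1][0] - recs[0][0], 1) / 3600.0
        by_host = defaultdict(list)
        for r in conns:
            by_host[r[3]].append(r[0])
        feats[ip] = {
            "distinct_domains": len(by_host),                      # domains contacted
            "popular_ratio": (sum(1 for r in conns if r[3] in POPULAR_SITES)
                              / len(conns)) if conns else 0.0,     # popular-site usage
            "dns_per_hour": round(len(dns) / span_h, 3),           # DNS lookup frequency
            "distinct_peers": len({r[4] for r in conns}),          # other hosts contacted
            "beacon_regularity": max((beacon_regularity(t) for t in by_host.values()),
                                     default=0.0),                 # repeatable pattern
        }
    return feats


def suspicion_score(f):
    """Illustrative rule-based stand-in for the learned model (assumption).

    High when traffic is periodic, avoids popular sites, and fans out to many peers.
    """
    score = 0.4 * f["beacon_regularity"]
    score += 0.3 * (1.0 - f["popular_ratio"])
    score += 0.3 * min(f["distinct_peers"] / 4.0, 1.0)
    return round(score, 3)


def rank_suspects(log_text, top_n=100):
    """Return the top_n (ip, score) pairs, the daily 'suspicious IP' list."""
    feats = extract_features(parse_log(log_text))
    ranked = sorted(((ip, suspicion_score(f)) for ip, f in feats.items()),
                    key=lambda pair: -pair[1])
    return ranked[:top_n]


if __name__ == "__main__":
    for ip, score in rank_suspects(SAMPLE_LOG):
        print(ip, score)
```

In production the scores would come from the trained models rather than fixed weights, and the features would be computed over sliding windows of the 5 TB/day stream; the point here is that each variable the page names is a cheap aggregate over flow and DNS records grouped by source IP.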
The solution analyzes 5 terabytes of data every day to spot C&C servers. It also finds the zombie computers that are enrolled in the spambots and provide various services to cybercriminals without their owners' knowledge. The system was configured to flag 100 suspicious IPs per day; throughout the observation period every one of them was confirmed to be conducting malicious activity by a leading market solution, and about 30% of them were reported as malicious by that solution only with a 1-2 day lag behind our system.