Command and Control (C&C) servers and the spambots they direct are the backbone of digital crime; without them there is no cybercrime.
Building a tool that spots suspicious traffic is a challenge, mainly because of the gargantuan amount of real-time data that must be analyzed. The number of factors to weigh when making predictions makes the task harder still.
Traffic to and from C&C servers follows repeatable patterns (infected hosts check in with the server on a schedule, for instance), which makes it amenable to pattern recognition techniques.
The model deepsense.ai built draws on a variety of techniques, including random forests as well as convolutional and recurrent neural networks.
The model takes into account variables including:
- The domains a suspicious IP connected to
- Internet usage, including how often the most popular internet sites (Google, Facebook, Netflix etc.) were visited
- The frequency of DNS queries
- How many other hosts the suspicious IP communicated with
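The following is an added example, not code from deepsense.ai or from the original article. It shows how the per-IP variables listed above, plus a beacon-regularity feature capturing the repeatable check-in pattern mentioned earlier, can be computed from connection records, and how a ranked list of suspicious IPs falls out of them. The log format, the popular-sites list, the `suspicion_score` rule and the sample records are all assumptions made for illustration; the real system uses learned models (random forests, CNNs and RNNs) where this example uses a hand-written rule.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumption: an illustrative popular-sites list. The article names Google,
# Facebook and Netflix as examples but does not publish its own list.
POPULAR_SITES = {"www.google.com", "www.facebook.com", "www.netflix.com"}

# Constructed sample records (not data from the article), one connection per
# line: timestamp, source IP, destination IP, destination port, domain
# ("-" if unknown) and a 1/0 flag marking DNS queries. 10.0.0.5 is an
# ordinary user; 10.0.0.9 beacons every 600 s to one host and talks SMTP to
# many others, the profile of a spam-sending zombie.
SAMPLE_LOG = """\
1700000000 10.0.0.5 142.250.1.1 443 www.google.com 0
1700000030 10.0.0.5 31.13.1.1 443 www.facebook.com 0
1700000060 10.0.0.5 198.51.100.53 53 - 1
1700000090 10.0.0.5 52.0.0.1 443 www.netflix.com 0
1700000000 10.0.0.9 203.0.113.77 8080 update-check.example 0
1700000600 10.0.0.9 203.0.113.77 8080 update-check.example 0
1700001200 10.0.0.9 203.0.113.77 8080 update-check.example 0
1700001800 10.0.0.9 203.0.113.77 8080 update-check.example 0
1700000100 10.0.0.9 198.51.100.53 53 - 1
1700000700 10.0.0.9 198.51.100.53 53 - 1
1700001300 10.0.0.9 198.51.100.53 53 - 1
1700000200 10.0.0.9 192.0.2.10 25 - 0
1700000300 10.0.0.9 192.0.2.11 25 - 0
1700000400 10.0.0.9 192.0.2.12 25 - 0
1700000500 10.0.0.9 192.0.2.13 25 - 0
"""


@dataclass(frozen=True)
class Record:
    ts: int
    src: str
    dst: str
    port: int
    domain: str
    is_dns: bool


@dataclass
class IpFeatures:
    domains: frozenset          # domains the IP connected to
    popular_fraction: float     # share of connections going to POPULAR_SITES
    dns_per_hour: float         # DNS query rate over the observation window
    distinct_peers: int         # how many other hosts the IP talked to
    beacon_regularity: float    # 1.0 = perfectly periodic contacts with some peer


def parse_log(text):
    """Parse the whitespace-separated log format assumed above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, domain, is_dns = line.split()
        records.append(Record(int(ts), src, dst, int(port),
                              "" if domain == "-" else domain, is_dns == "1"))
    return records


def _regularity(timestamps):
    """Inverse coefficient of variation of inter-arrival times: a host that
    checks in at a fixed interval scores 1.0, jittery traffic scores lower."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return 0.0
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    cv = pstdev(gaps) / mean(gaps)
    return 1.0 / (1.0 + cv)


def extract_features(records, window_seconds):
    """Aggregate per source IP the variables the article lists, plus beaconing."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r.src].append(r)
    features = {}
    for ip, recs in by_ip.items():
        non_dns = [r for r in recs if not r.is_dns]
        contacts = defaultdict(list)
        for r in non_dns:
            contacts[r.dst].append(r.ts)
        popular = sum(1 for r in non_dns if r.domain in POPULAR_SITES)
        features[ip] = IpFeatures(
            domains=frozenset(r.domain for r in non_dns if r.domain),
            popular_fraction=popular / len(non_dns) if non_dns else 0.0,
            dns_per_hour=sum(1 for r in recs if r.is_dns) * 3600 / window_seconds,
            distinct_peers=len(contacts),
            beacon_regularity=max((_regularity(t) for t in contacts.values()), default=0.0),
        )
    return features


def suspicion_score(f):
    """Assumption: a hand-written stand-in for the article's learned model.
    Each indicator of bot-like behaviour adds one point (0..3)."""
    score = 0.0
    if f.popular_fraction < 0.2:     # almost no ordinary browsing
        score += 1
    if f.distinct_peers >= 5:        # fans out to many hosts (e.g. spam targets)
        score += 1
    if f.beacon_regularity > 0.9:    # metronomic check-ins with one peer
        score += 1
    return score


def rank_suspects(records, window_seconds, top_n):
    """Return the top_n (ip, score) pairs, the daily 'suspicious IPs' list."""
    feats = extract_features(records, window_seconds)
    ranked = sorted(((ip, suspicion_score(f)) for ip, f in feats.items()),
                    key=lambda pair: pair[1], reverse=True)
    return ranked[:top_n]


if __name__ == "__main__":
    for ip, score in rank_suspects(parse_log(SAMPLE_LOG), 3600, 100):
        print(ip, score)
```

In practice the per-IP aggregation would run over a streaming window rather than an in-memory list, and the rule in `suspicion_score` would be replaced by the trained classifier; the feature vector is the part that carries over.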
The solution analyzes 5 terabytes of data every day to spot C&C servers. It also finds the zombie computers that are linked into the spambots and deliver various services to cybercriminals without their owners' knowledge. The system was configured to report 100 suspicious IPs daily. Throughout the observation period, every one of them was confirmed to have been conducting malicious activity, as judged by a leading commercial security product; for about 30% of them, that product reported the malicious activity 1-2 days later than our solution did.