Using side channel TCP features for real-time detection of malware connections

During the past years, deep packet inspection has been prevalent in network intrusion detection systems. Most solutions employ complex algorithms to analyze the intended behaviour and underlying characteristics of packets and their payloads, in an effort to detect and prevent malicious users and software from communicating over business intranets and wider networks. Still, there are multiple issues that inhibit their success rate. Most signature-based security software is plagued by false positives and/or false negatives. On the other hand, behavioral-based solutions achieve better detection rates but need to analyze large amounts of traffic. In this article, we present a real-time network traffic monitoring system that implements machine learning over side channel characteristics of TCP network packets to distinguish normal from malicious TCP sessions, even when encryption is in place. We test in university networks and test multiple different types of traffic. We show that, our approach (i) requires notably less information to achieve similar (if not better) detection rates, (ii) works over encrypted traffic as well, and (iii) has notably low false positives and false negatives in everyday case study scenarios.