How to Spot Unsafe Communications using nDPI Flow Risk Score

Posted · Add Comment

nDPI it is much more than a DPI library used to detect the application protocol. In the past year, nDPI has grown in terms of cybersecurity features used to detect threats and network issues leveraging on the concept of flow risk. Each nDPI-analysed flow has associated a numerical flow risk that in essence is a bitmap with a bit set to 1 whenever a risk has been detected for such flow. The list of (to date) supported flow risks are:

  • HTTP suspicious user-agent
  • HTTP numeric IP host contacted
  • HTTP suspicious URL
  • HTTP suspicious protocol header
  • TLS connections not carrying HTTPS
    (e.g. a VPN over TLS)
  • Suspicious DGA domain contacted
  • Malformed packet
  • SSH/SMB obsolete protocol
    or application version
  • TLS suspicious ESNI usage
  • Unsafe Protocol used
  • Suspicious DNS traffic
  • TLS with no SNI
  • XSS (Cross Site Scripting)
  • SQL Injection
  • Arbitrary Code Injection/Execution
  • Binary/.exe application transfer (e.g. in HTTP)
  • Known protocol on non standard port
  • TLS self-signed certificate
  • TLS obsolete version
  • TLS weak cipher
  • TLS certificate expired
  • TLS certificate mismatch
  • DNS suspicious traffic
  • HTTP suspicious content
  • Risky ASN
  • Risky Domain Name
  • Malicious JA3 Fingerprint
  • Malicious SHA1 Certificate
  • Desktop of File Sharing Session
  • TLS Uncommon ALPN

The flow risk bitmap can have zero (no risks), or more bits set, depending on the issues nDPI has found on the flow. For every risk, nDPI associates a severity, and for each severity a score. With “ndpiReader -h” you can display the list of know risks and their associated severity:

nDPI supported risks:
 Id Risk                                             Severity Score
  1 XSS attack                                       Severe   250
  2 SQL injection                                    Severe   250
  3 RCE injection                                    Severe   250
  4 Binary application transfer                      Severe   250
  5 Known protocol on non standard port              Low      10
  6 Self-signed Certificate                          Medium   50
  7 Obsolete TLS version (< 1.1)                     Medium   50
  8 Weak TLS cipher                                  Medium   50
  9 TLS Expired Certificate                          High     100
 10 TLS Certificate Mismatch                         High     100
 11 HTTP Suspicious User-Agent                       Medium   50
 12 HTTP Numeric IP Address                          Low      10
 13 HTTP Suspicious URL                              High     100
 14 HTTP Suspicious Header                           Medium   50
 15 TLS (probably) not carrying HTTPS                Low      10
 16 Suspicious DGA domain name                       High     100
 17 Malformed packet                                 Low      10
 18 SSH Obsolete Client Version/Cipher               Medium   50
 19 SSH Obsolete Server Version/Cipher               Medium   50
 20 SMB Insecure Version                             Medium   50
 21 TLS Suspicious ESNI Usage                        Medium   50
 22 Unsafe Protocol                                  Low      10
 23 Suspicious DNS traffic                           Medium   50
 24 SNI TLS extension was missing                    Medium   50
 25 HTTP suspicious content                          Medium   50
 26 Risky ASN                                        Medium   50
 27 Risky domain name                                Medium   50
 28 Possibly Malicious JA3 Fingerprint               Medium   50
 29 Possibly Malicious SSL Cert. SHA1 Fingerprint    Medium   50
 30 Desktop/File Sharing Session                     Low      10
 31 Uncommon TLS ALPN                                Medium   50

The flow risk score is computed as the sum of the severities for all bits set to one. Example:

TCP <-> [proto: 91.252/TLS.AnyDesk][cat: RemoteAccess/12][2942 pkts/175103 bytes <-> 4001 pkts/2618640 bytes][Goodput ratio: 9/92][55.97 sec][bytes ratio: -0.875 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/14 7028/7028 153/126][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 60/654 1514/1514 50/618][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **** Desktop/File Sharing Session **][Risk Score: 80][TLSv1.2][JA3C: 201999283915cc31cee6b15472ef3332][JA3S: 107030a763c7224285717ff1569a17f3][Issuer: CN=AnyNet Root CA, O=philandro Software GmbH, C=DE][Subject: C=DE, O=philandro Software GmbH, CN=AnyNet Relay][Certificate SHA-1: 9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3][Firefox][Validity: 2018-11-18 02:14:23 – 2028-11-15 02:14:23][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,7,17,2,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,33,0,0,0,0,29,0,0]

The flow risk score is computed as follows:

Known protocol on non standard port 10
TLS (probably) not carrying HTTPS 10
SNI TLS extension was missing 50
Desktop/File Sharing Session 10
Flow Score Total 80

The score value is a numerical value that represents how risky is a flow: the higher is the score, the more “risky” is a flow. Using this technique you can immediately spot flows that are more suspicious and that require more attention. This without using multivariate traffic analysis or complex algorithms. The flow score can be used a a good labelling technique for machine-learning based traffic analysis tools.

Enjoy !