Real-time detection of cybercrimes

There is no cybercrime without the backbone of digital crime, Command and Control (C&C) servers and spambots.

The challenge
Building a tool that spots suspicious traffic is a challenge mainly due to the gargantuan amount of real-time data that must be analyzed. The number of factors to consider when making predictions renders the task even harder.

The solution
The pattern of traffic coming to and from C&C servers is repeatable and therefore amenable for pattern recognition techniques.

The model deepsense.ai built draws on a variety of techniques including random forests as well as convolutional and recurrent neural networks.

The model takes into account variables including:

• The domains a suspicious IP connected with
• Internet usage, including the frequency with which the most popular internet sites were used (Google, Facebook, Netflix etc.)
• The frequency of DNS connections
• How many other subjects the suspicious IP communicated with

The effect
The solution analyzes 5 terabytes of data every day to spot C&C servers. It also finds the zombie computers that are linked in the spambots and delivering various services to cybercriminals without users’ knowledge. The system was set to generate 100 suspicious IPs daily – throughout the observation period all of them were found to have been conducting malicious activity (per leading market solution). ~30% gained malicious activity reports in leading market solution with a 1-2 day lag compared to our solution.