Rethinking the Weakness of Stream Ciphers and Its Application to Encrypted Malware Detection
One critical vulnerability of stream ciphers is the reuse of an encryption key. Since most stream ciphers consist of only a key scheduling algorithm and an Exclusive OR (XOR) operation, an adversary may break the cipher by XORing two captured ciphertexts generated under the same key. Various cryptan...
Main Authors: | William Stone, Daeyoung Kim, Victor Youdom Kemmoe, Mingon Kang, Junggab Son |
---|---|
Format: | Article |
Language: | English |
Published: | IEEE 2020-01-01 |
Series: | IEEE Access |
Subjects: | Encryption; Intrusion Detection; malware; network security; stream ciphers |
Online Access: | https://ieeexplore.ieee.org/document/9222070/ |
_version_ | 1818662639906062336 |
---|---|
author | William Stone; Daeyoung Kim; Victor Youdom Kemmoe; Mingon Kang; Junggab Son |
collection | DOAJ |
description | One critical vulnerability of stream ciphers is the reuse of an encryption key. Since most stream ciphers consist of only a key scheduling algorithm and an Exclusive OR (XOR) operation, an adversary may break the cipher by XORing two captured ciphertexts generated under the same key. Various cryptanalysis techniques based on this property have been introduced in order to recover plaintexts or encryption keys; in contrast, this research reinterprets the vulnerability as a method of detecting stream ciphers from the ciphertexts it generates. Patterns found in the values (characters) expressed across the bytes of a ciphertext make the ciphertext distinguishable from random and are unique to each combination of ciphers and encryption keys. We propose a scheme that uses these patterns as a fingerprint, which is capable of detecting all ciphertexts of a given length generated by an encryption pair. The scheme can be utilized to detect a specific type of malware that exploits a stream cipher with a stored key such as the DarkComet Remote Access Trojan (RAT). We show that our scheme achieves 100% accuracy for messages longer than 13 bytes in about 17 μsec, providing a fast and highly accurate tool to aid in encrypted malware detection. |
first_indexed | 2024-12-17T05:04:09Z |
format | Article |
id | doaj.art-bad0deee2c2345e7a74aa667f0c20091 |
institution | Directory Open Access Journal |
issn | 2169-3536 |
language | English |
last_indexed | 2024-12-17T05:04:09Z |
publishDate | 2020-01-01 |
publisher | IEEE |
record_format | Article |
series | IEEE Access |
spelling | doaj.art-bad0deee2c2345e7a74aa667f0c20091; 2022-12-21T22:02:28Z; eng; IEEE; IEEE Access; 2169-3536; 2020-01-01; 8; 191602; 191616; 10.1109/ACCESS.2020.3030559; 9222070; Rethinking the Weakness of Stream Ciphers and Its Application to Encrypted Malware Detection; William Stone (0) https://orcid.org/0000-0002-2452-5544; Daeyoung Kim (1) https://orcid.org/0000-0002-4297-3834; Victor Youdom Kemmoe (2) https://orcid.org/0000-0003-1887-6396; Mingon Kang (3) https://orcid.org/0000-0002-9565-9523; Junggab Son (4) https://orcid.org/0000-0002-6206-083X; Department of Computer Science, Kennesaw State University, Marietta, GA, USA; Department of Computer Science, Kennesaw State University, Marietta, GA, USA; Department of Computer Science, Kennesaw State University, Marietta, GA, USA; Department of Computer Science, University of Nevada Las Vegas, Las Vegas, NV, USA; Department of Computer Science, Kennesaw State University, Marietta, GA, USA; https://ieeexplore.ieee.org/document/9222070/; Encryption; Intrusion Detection; malware; network security; stream ciphers |
title | Rethinking the Weakness of Stream Ciphers and Its Application to Encrypted Malware Detection |
topic | Encryption; Intrusion Detection; malware; network security; stream ciphers |
url | https://ieeexplore.ieee.org/document/9222070/ |