Cisco aims to detect malware hidden in encrypted traffic

"Identifying threats contained within encrypted network traffic poses a unique set of challenges," said two Cisco researchers.

Cisco Systems unveiled a new subscription service this week it says detects signs of malware inside encrypted traffic with 99.9 percent efficacy.

It’s a big unveil for Cisco. CEO Chuck Robbins said the project has been in development for two years, exactly as long as Robbins has been at the helm, and has gone through 75 field trials, including one at NASA. The company now offers something no other vendor can, he said.

Half of all web traffic is encrypted as of February 2017 and that number, for enterprise web traffic, is set to rise to over 80 percent by 2019, according to Gartner.

The new product, called Encrypted Traffic Analytics (ETA), was outlined in a 2016 research paper by Blake Anderson, a technical leader at Cisco, and David McGrew, a Fellow in the company’s Advanced Security Research Group.

ETA is meant to catapult the software and subscription side of Cisco’s business, Robbins said in an interview with CNBC, as distinct from the company’s usual hardware core.

But the new software is also designed to drive up sales of Cisco’s network switches, roughly 30 percent of the company’s business. Switching is a declining line of business for Cisco even as the wider market grows, and the company’s overall revenue has fallen for six straight quarters.

ETA will be available in September 2017 as a subscription with Cisco’s new Catalyst 9000 switch and the Cisco 4000 Series Integrated Services Routers.

“Identifying threats contained within encrypted network traffic poses a unique set of challenges,” Anderson and McGrew wrote in the research paper. “In this work, we extend the current state-of-the-art by considering a data omnia approach. To this end, we develop supervised machine learning models that take advantage of a unique and diverse set of network flow data features. These data features include TLS handshake metadata, DNS contextual flows linked to the encrypted flow, and the HTTP headers of HTTP contextual flows from the same source IP address within a 5 minute window.”
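The passage above describes the feature set the researchers fed to their supervised models: cleartext TLS handshake metadata, plus DNS and HTTP flows from the same source IP within a 5-minute window. The following script is an added illustration of that contextual-flow linking, written for this article; it is not Cisco's ETA code and does not reproduce the paper's classifier. The flow records, IP addresses (documentation ranges), field names and the `LEGACY_CIPHERS` list are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Contextual flows are those from the same source IP in the 5-minute window
# leading up to the encrypted flow (the window named in the paper).
WINDOW = timedelta(minutes=5)

# IANA TLS cipher suite codes for legacy suites (RC4-MD5, RC4-SHA, 3DES-CBC-SHA)
# that an up-to-date browser no longer offers but old or custom TLS stacks do.
# Chosen here as an illustrative feature, not the paper's actual feature list.
LEGACY_CIPHERS = {0x0004, 0x0005, 0x000A}


@dataclass
class Flow:
    """One flow record as a collector might export it (constructed layout)."""
    ts: datetime
    src: str
    dst: str
    proto: str                          # "tls", "dns" or "http"
    sni: Optional[str] = None           # TLS: ClientHello server_name (cleartext)
    offered_ciphers: tuple = ()         # TLS: ClientHello cipher suites (cleartext)
    qname: Optional[str] = None         # DNS: queried name
    answers: tuple = ()                 # DNS: A-record answers
    headers: dict = field(default_factory=dict)  # HTTP: plaintext request headers


def contextual_flows(tls: Flow, flows: list[Flow]) -> dict:
    """DNS and HTTP flows from the same source IP within WINDOW before `tls`."""
    ctx = {"dns": [], "http": []}
    for f in flows:
        if f.src != tls.src or f.proto not in ctx:
            continue
        if tls.ts - WINDOW <= f.ts <= tls.ts:
            ctx[f.proto].append(f)
    return ctx


def features(tls: Flow, flows: list[Flow]) -> dict:
    """Feature vector for one TLS flow: handshake metadata plus its context."""
    ctx = contextual_flows(tls, flows)
    # Did any prior DNS answer in the window resolve to the TLS destination?
    resolved = [d for d in ctx["dns"] if tls.dst in d.answers]
    # Plaintext User-Agents this host used recently (malware often has none).
    agents = {h.headers["User-Agent"] for h in ctx["http"] if "User-Agent" in h.headers}
    return {
        "sni_present": tls.sni is not None,
        "n_ciphers": len(tls.offered_ciphers),
        "legacy_cipher_offered": bool(set(tls.offered_ciphers) & LEGACY_CIPHERS),
        "dst_resolved_by_dns": bool(resolved),
        "sni_matches_dns": any(d.qname == tls.sni for d in resolved),
        "n_http_context": len(ctx["http"]),
        "distinct_user_agents": len(agents),
    }


def extract_all(flows: list[Flow]) -> list[tuple[Flow, dict]]:
    """Feature rows for every TLS flow in the record set."""
    return [(f, features(f, flows)) for f in flows if f.proto == "tls"]


# Constructed sample records for one internal host, 10.0.0.5.
T0 = datetime(2017, 6, 21, 9, 0, 0)
SAMPLE_FLOWS = [
    Flow(T0, "10.0.0.5", "10.0.0.53", "dns",
         qname="example.com", answers=("198.51.100.20",)),
    Flow(T0 + timedelta(seconds=10), "10.0.0.5", "198.51.100.20", "http",
         headers={"Host": "example.com", "User-Agent": "Mozilla/5.0"}),
    # Benign-looking TLS: destination resolved via DNS, SNI matches, modern suites.
    Flow(T0 + timedelta(seconds=30), "10.0.0.5", "198.51.100.20", "tls",
         sni="example.com", offered_ciphers=(0xC02B, 0xC02F, 0xC02C, 0xC030)),
    # Suspicious TLS: no SNI, legacy suites, destination never resolved by DNS,
    # and no DNS or HTTP context at all inside the preceding 5 minutes.
    Flow(T0 + timedelta(minutes=8), "10.0.0.5", "203.0.113.7", "tls",
         sni=None, offered_ciphers=(0x0004, 0x0005, 0x000A, 0x002F)),
]
BENIGN_TLS = SAMPLE_FLOWS[2]
SUSPECT_TLS = SAMPLE_FLOWS[3]

if __name__ == "__main__":
    for flow, vec in extract_all(SAMPLE_FLOWS):
        print(flow.ts.time(), flow.dst, vec)
```

Nothing here decrypts anything: every field comes from the ClientHello, the DNS exchange or the cleartext HTTP flows, which is the point of the approach. The 5-minute window is applied per source IP, so the second TLS flow picks up no context even though the same host did resolve and browse a site eight minutes earlier.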

All traffic passing through Cisco devices worldwide will feed back into the company’s threat detection system. The details on how this system works and how the information is handled remain sparse at this point. The fact that NASA participated in apparently successful field trials shows ETA is aiming for big government as well as private enterprise customers.

Security is an increasingly large and profitable business at Cisco with sales up 12 percent to $1.6 billion in this fiscal year, according to the Wall Street Journal.

Although numbers vary widely according to different research, the overall cybersecurity market is growing as increasingly connected worlds are opening up new sets of attackers and defenders daily.

Earlier this week, a South Korean web host paid a record $1 million ransom after it was hit with malware.

Written by Patrick Howell O'Neill

Patrick Howell O’Neill is a cybersecurity reporter for CyberScoop based in San Francisco.
