
Profiling Hackers' Skill Level by Statistically Correlating the Relationship between TCP Connections and Snort Alerts

Khiem Lam


Challenges to Troubleshooting Compromised Network

  • Time consuming to find vulnerabilities

  • Difficult to determine planted exploits

  • Uncertain of the degree of damage


Motivation for Profiling Hackers

  • Can profiling the attacker’s skill level assist with risk management?

  • Understand the level of threat

  • Know the possibilities of vulnerabilities

  • Reduce the time and resources needed to investigate the “what if” scenarios


Approach - Hypothesis of Skilled Attacker’s Behavior

  • Avoid IDS detection if they know the rule set in advance

  • Avoid common techniques to reduce chances of detection

  • Establish many short connections

  • If these hypotheses are true, then there must be patterns that group attackers by their behavior!


Exploratory Approach

Data Acquisition/Separation

Data Standardization/Formatting

Cluster Analysis


Phase 1 – Data Acquisition/Separation

TCP Connection Data

IDS Alerts Data

Snort Application

Competition PCAP Captures

Team A’s Pcap

Team B’s Pcap

Updated Snort Alerts Logs

Team A

Connection Info

Team B

Connection Info

Competition Snort Alerts Logs


Phase 2 – Data Standardization

Updated Snort Alerts Logs

Team A

Connection Info

Competition Snort Alerts Logs

CSV Format

Data Aggregation using R Statistical Tool

Team A’s Aggregated Data by Time Period


Phase 2 – Example of Actual Aggregated Data

This is the aggregated data for two teams connecting to one service


Results – Graph of the Aggregated Data


Phase 3 – Cluster Analysis Using R

Team A’s Aggregated Data by Time Period

Team B’s Aggregated Data by Time Period

Team C’s Aggregated Data by Time Period

  • Find correlation between attributes

  • Add weights

Euclidean Distance

Cluster Analysis Results + Graphs

Cluster Data


Phase 3 - Example of Actual Cluster Data

This is the cluster data of all teams connecting to one service


Results – Euclidean Cluster Graph


Results – K-Mean Cluster

K-Mean Cluster Plot
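The deck describes the pipeline only in slide fragments: Phase 2 aggregates each team's connection info and Snort alerts by time period, and Phase 3 standardizes the attributes, checks their correlation, optionally weights them, and clusters the periods by Euclidean distance and k-means. The following is an added example written for this page, not the author's R code; it reproduces that pipeline in plain Python on constructed sample records. The connection and alert records, the 60-second period, the four attributes and the Snort signature ids are all assumptions chosen for illustration.

```python
"""Aggregate per-team TCP connections and Snort alerts into time periods,
standardize the attributes, measure attribute correlation, and cluster the
periods with (optionally weighted) Euclidean-distance k-means.
Added example for this page; not the presentation's own R code.
"""
import math
from collections import defaultdict

# Constructed sample data (not real competition captures or alert logs).
# TCP connection: (team, start_second, duration_seconds). Team A opens many
# short connections; team B opens few long ones.
CONNECTIONS = [
    ("A", 5, 0.2), ("A", 9, 0.3), ("A", 20, 0.1), ("A", 40, 0.2), ("A", 55, 0.4),
    ("A", 65, 0.2), ("A", 70, 0.1), ("A", 80, 0.3), ("A", 95, 0.2), ("A", 110, 0.1),
    ("B", 10, 12.0), ("B", 50, 30.0), ("B", 70, 25.0), ("B", 100, 15.0),
]
# Snort alert: (team, second, signature_id). Signature ids are placeholders.
ALERTS = [
    ("B", 12, 1000001), ("B", 15, 1000002), ("B", 52, 1000001), ("B", 53, 1000003),
    ("B", 75, 1000001), ("B", 101, 1000002), ("B", 104, 1000002),
    ("A", 41, 1000001),
]
PERIOD_SECONDS = 60  # assumed period; the deck proposes 5/15/30-minute periods
FEATURES = ("connections", "avg_duration", "alerts", "alerts_per_connection")


def aggregate(connections, alerts, period=PERIOD_SECONDS):
    """Phase 2: one feature row per (team, period_index)."""
    durations = defaultdict(list)
    for team, start, dur in connections:
        durations[(team, start // period)].append(dur)
    alert_count = defaultdict(int)
    for team, sec, _sig in alerts:
        alert_count[(team, sec // period)] += 1
    rows = {}
    for key in sorted(set(durations) | set(alert_count)):
        durs = durations.get(key, [])
        n_conn, n_alert = len(durs), alert_count.get(key, 0)
        rows[key] = {
            "connections": n_conn,
            "avg_duration": sum(durs) / n_conn if n_conn else 0.0,
            "alerts": n_alert,
            "alerts_per_connection": n_alert / n_conn if n_conn else 0.0,
        }
    return rows


def standardize(rows):
    """Z-score each feature (population std) so no attribute dominates."""
    keys = list(rows)
    z = {k: {} for k in keys}
    for f in FEATURES:
        vals = [rows[k][f] for k in keys]
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        for k, v in zip(keys, vals):
            z[k][f] = (v - mean) / std if std else 0.0
    return z


def pearson(z, f1, f2):
    """Correlation between two attributes; mean product of population z-scores."""
    return sum(z[k][f1] * z[k][f2] for k in z) / len(z)


def euclidean(p, q, weights=None):
    """Weighted Euclidean distance; weights default to 1.0 per feature."""
    w = weights or {}
    return math.sqrt(sum(w.get(f, 1.0) * (p[f] - q[f]) ** 2 for f in FEATURES))


def kmeans(points, k=2, weights=None, iters=100):
    """Phase 3: deterministic k-means (first point, then farthest-point seeding)."""
    keys = list(points)
    centroids = [dict(points[keys[0]])]
    while len(centroids) < k:
        far = max(keys, key=lambda kk: min(euclidean(points[kk], c, weights) for c in centroids))
        centroids.append(dict(points[far]))
    labels = {}
    for _ in range(iters):
        new = {kk: min(range(k), key=lambda i: euclidean(points[kk], centroids[i], weights))
               for kk in keys}
        if new == labels:
            break
        labels = new
        for i in range(k):
            members = [points[kk] for kk in keys if labels[kk] == i]
            if members:
                centroids[i] = {f: sum(m[f] for m in members) / len(members) for f in FEATURES}
    return labels, centroids


if __name__ == "__main__":
    z = standardize(aggregate(CONNECTIONS, ALERTS))
    print("corr(connections, alerts) =", round(pearson(z, "connections", "alerts"), 3))
    labels, _ = kmeans(z, k=2, weights={"alerts": 2.0})  # example weight on alerts
    for key, label in sorted(labels.items()):
        print(key, "-> cluster", label)
```

With these records the per-period rows are (team A: 5 connections, ~0.2 s average, 0 or 1 alert; team B: 2 connections, ~20 s average, 3 or 4 alerts), the connection count and alert count correlate strongly and negatively, and k-means places both of A's periods in one cluster and both of B's in the other. The `weights` argument is where the deck's "add weights" step plugs in once attribute correlations have been examined.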


Limitations of Current Approach

  • Rely on competition data (time period, team subnet info)

  • Assume attackers know of competition alerts in advance

  • Assume submitted flags are a reliable criterion for measuring an attacker’s skill

  • Inconsistency between different services


Future Work for Improvement

  • Experiment with varying time periods (5 minutes, 15 minutes, 30 minutes)

  • Expand the updated alert rule set to capture more events

  • Add additional features (Andrew and Nikunj’s TCP stream distance)

  • Weight the correlation between attributes

  • Explore other analyses available in R


