Profiling
This presentation is the property of its rightful owner.
Sponsored Links
1 / 16

Khiem Lam PowerPoint PPT Presentation


  • 70 Views
  • Uploaded on
  • Presentation posted in: General

Profiling Hackers' Skill Level by Statistically Correlating the Relationship between TCP Connections and Snort Alerts. Khiem Lam. Challenges to Troubleshooting Compromised Network. Time consuming to find vulnerabilities Difficult to determine planted exploits Uncertain of the degree of damage.

Download Presentation

Khiem Lam

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Khiem lam

ProfilingHackers' Skill Level by Statistically Correlating the Relationshipbetween TCP Connections and Snort Alerts

Khiem Lam


Challenges to troubleshooting compromised network

Challenges to Troubleshooting Compromised Network

  • Time consuming to find vulnerabilities

  • Difficult to determine planted exploits

  • Uncertain of the degree of damage


Motivation for profiling hackers

Motivation for Profiling Hackers

  • Can profiling the attacker’s skill level assist with risk management?

  • Understand the level of threat

  • Know the possibilities of vulnerabilities

  • Reduce time and resource to investigate the “what if” scenarios


Approach hypothesis of skilled attacker s behavior

Approach - Hypothesis of Skilled Attacker’s Behavior

  • Avoid IDS detection if they know the rule set in advance

  • Avoid common techniques to reduce chances of detection

  • Establishes many short connections

  • If these hypothesis are true, then there must be patterns to group attackers based on their behavior!


Exploratory approach

Exploratory Approach

Data Acquisition/Separation

Data Standardization/Formatting

Cluster Analysis


Phase 1 data acquisition separation

Phase 1 – Data Acquisition/Separation

TCP Connection Data

IDS Alerts Data

Snort Application

Competition PCAP Captures

Team A’s Pcap

Team B’s Pcap

Updated Snort Alerts Logs

Team A

Connection Info

Team B

Connection Info

Competition Snort Alerts Logs


Phase 2 data standardization

Phase 2 – Data Standardization

Updated Snort Alerts Logs

Team A

Connection Info

Competition Snort Alerts Logs

CSV Format

Data Aggregation using R Statistical Tool

Team A’s Aggregated Data by Time Period


Phase 2 example of actual aggregated data

Phase 2 – Example of Actual Aggregated Data

This is the aggregated data for two teams connecting to one service


Results graph of the aggregated data

Results – Graph of the Aggregated Data


Phase 3 cluster analysis using r

Phase 3 – Cluster Analysis Using R

Team A’s Aggregated Data by Time Period

Team B’s Aggregated Data byTime Period

Team C’s Aggregated Data by Time Period

  • Find correlation between attributes

  • Add weights

Euclidean Distance

Cluster Analysis Results + Graphs

Cluster Data


Phase 3 example of actual cluster data

Phase 3 - Example of Actual Cluster Data

This is the cluster data of all teams connecting to one service


Results euclidean cluster graph

Results – Euclidean Cluster Graph


Results k mean cluster

Results – K-Mean Cluster

K-Mean Cluster Plot


Limitations of current approach

Limitations of Current Approach

  • Rely on competition data (time period, team subnet info)

  • Assume attackers know of competition alerts in advance

  • Assume submitted flags is reliable criteria to measure attacker’s skills

  • Inconsistency between different services


Future work for improvement

Future Work for Improvement

  • Experiment with varying time period (5 minutes, 15 minutes, 30 minutes)

  • Increase updated alert rules to capture more events

  • Add additional features (Andrew and Nikunj’s TCP stream distance)

  • Weigh the correlation between attributes

  • Explore other R’s analysis


Questions

Questions?


  • Login