Profiling Hackers' Skill Level by Statistically Correlating the Relationship Between TCP Connections and Snort Alerts
Khiem Lam
Challenges to Troubleshooting a Compromised Network
• Time consuming to find vulnerabilities
• Difficult to determine planted exploits
• Uncertain of the degree of damage
Motivation for Profiling Hackers
Can profiling the attacker's skill level assist with risk management?
• Understand the level of threat
• Know the possibilities of vulnerabilities
• Reduce the time and resources needed to investigate the "what if" scenarios
Approach – Hypothesis of Skilled Attacker's Behavior
• Avoid IDS detection if they know the rule set in advance
• Avoid common techniques to reduce chances of detection
• Establish many short connections
If these hypotheses are true, then there must be patterns to group attackers based on their behavior!
Exploratory Approach
Data Acquisition/Separation
Data Standardization/Formatting
Cluster Analysis
Phase 1 – Data Acquisition/Separation
[Diagram: two data sources. TCP connection data: the competition PCAP captures are split into Team A's pcap and Team B's pcap, which yield Team A connection info and Team B connection info. IDS alerts data: the competition Snort alert logs and the updated Snort alert logs produced with the Snort application.]
Phase 2 – Data Standardization
[Diagram: Team A connection info, the updated Snort alert logs and the competition Snort alert logs are combined by data aggregation using the R statistical tool and written out in CSV format as Team A's aggregated data by time period.]
Phase 2 – Example of Actual Aggregated Data
This is the aggregated data for two teams connecting to one service
Results – Graph of the Aggregated Data
Phase 3 – Cluster Analysis Using R
• Find correlation between attributes
• Add weights
[Diagram: Team A's, Team B's and Team C's aggregated data by time period are merged into the cluster data; Euclidean distance is computed and the cluster analysis produces the results and graphs.]
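The Phase 2 and Phase 3 pipeline worked through in code, as an added example that is not from the deck (the original analysis was done in R): constructed per-team connection and Snort alert records are aggregated by time period into an assumed feature set (connection count, mean duration, alert count, alerts per connection), z-scored, and clustered with Euclidean distance and k-means. The team names, timestamps and feature columns are all assumptions for illustration.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records, not competition data: (team, start_seconds, duration_seconds)
CONNECTIONS = [
    ("A", 0, 2.0), ("A", 30, 1.5), ("A", 80, 0.8), ("A", 140, 1.2), ("A", 200, 0.9),
    ("B", 10, 60.0), ("B", 150, 45.0),
    ("C", 5, 3.0), ("C", 90, 2.5), ("C", 250, 70.0),
]
# Constructed Snort alerts already attributed to a team's subnet: (team, alert_seconds)
ALERTS = [("B", 20), ("B", 40), ("B", 160), ("C", 95), ("C", 260)]
WINDOW = 300  # aggregation time period in seconds (5 minutes; 15 or 30 also proposed)

def aggregate(connections, alerts, window=WINDOW):
    """Per (team, period): assumed columns [conn count, mean duration, alerts, alerts/conn]."""
    durations, alert_count = defaultdict(list), defaultdict(int)
    for team, t, dur in connections:
        durations[(team, t // window)].append(dur)
    for team, t in alerts:
        alert_count[(team, t // window)] += 1
    return {key: [len(d), mean(d), alert_count[key], alert_count[key] / len(d)]
            for key, d in durations.items()}

def standardize(rows):
    """z-score every column so one unit (e.g. seconds) does not dominate the distance."""
    keys = list(rows)
    cols = list(zip(*(rows[k] for k in keys)))
    mu, sd = [mean(c) for c in cols], [pstdev(c) or 1.0 for c in cols]
    return {k: [(v - m) / s for v, m, s in zip(rows[k], mu, sd)] for k in keys}

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k, iters=20):
    """Lloyd's k-means seeded with the first k rows, so the output is deterministic."""
    keys = list(points)
    centroids = [list(points[key]) for key in keys[:k]]
    for _ in range(iters):
        labels = {key: min(range(k), key=lambda i: euclid(points[key], centroids[i])) for key in keys}
        for i in range(k):
            members = [points[key] for key in keys if labels[key] == i]
            if members:
                centroids[i] = [mean(c) for c in zip(*members)]
    return labels

def profile_teams(connections=CONNECTIONS, alerts=ALERTS, k=2):
    """Phase 2 + Phase 3: aggregate, standardize, cluster; returns {(team, period): cluster}."""
    return kmeans(standardize(aggregate(connections, alerts)), k)
```

With the constructed data, team A (many short connections, no alerts) lands in its own cluster while teams B and C, which trigger alerts and hold longer connections, cluster together.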
Phase 3 - Example of Actual Cluster Data
This is the cluster data of all teams connecting to one service
Results – Euclidean Cluster Graph
[Graph; legend columns: Team, # flags submitted. Legend values as extracted: 3 514 408 292 286 89 710 77 21 05 0]
Results – K-Means Cluster (K-Means Cluster Plot)
[Graph; legend columns: Team, # flags submitted. Legend values as extracted: 3 514 408 292 286 89 710 77 21 05 0]
Limitations of Current Approach
• Relies on competition data (time period, team subnet info)
• Assumes attackers know of the competition alerts in advance
• Assumes submitted flags are a reliable criterion for measuring an attacker's skill
• Inconsistency between different services
Future Work for Improvement
• Experiment with varying time periods (5 minutes, 15 minutes, 30 minutes)
• Increase the updated alert rules to capture more events
• Add additional features (Andrew and Nikunj's TCP stream distance)
• Weigh the correlation between attributes
• Explore other analyses available in R
Questions?