PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious...

of 31 /31

Transcript of PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious...

Page 1: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan
Page 2: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to

Intrusion Detection Traffic Analysis and BeyondStefan Prandl

Page 3: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

Who am I?

• Stefan Prandl, PhD Student, Curtin University

• From Perth, Western Australia

• Work on network security threat detection

3

Page 4: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

Who am I?

• Stefan Prandl, PhD Student, Curtin University

• From Perth, Western Australia

• Work on network security threat detection

[email protected]

Research Team:• Curtin University:

• Mihai Lazarescu• Duc-Son Pham• Sie Teng Soh

• Oklahoma State University:• Subhash Kak

4

Page 5: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

5

Page 6: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

6

Page 7: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

7

Page 8: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

What can we do?

8

Page 9: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

IDS Systems!

9

Page 10: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

Let AI solve our problems for us!

10

Page 11: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

Let AI solve our problems for us!…. Or not

11

Page 12: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

Introducing PEIMAProbability Engine to Identify Malicious Activity

12

Page 13: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

What can it do?

• Detects attacks within microseconds

• Accurate

• Uses only metadata

• No learning

13

Page 14: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

How?

14

Page 15: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

Power Law Probability Distributions

• Uses power law distributions

• Detects the “naturalness” of traffic

• Unnatural traffic is attack traffic!

15

Page 16: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

• Continuous power law distribution

• The one on which all others are based

• 80/20 principle

• Not as applicable as other power laws

Pareto Distribution

Page 17: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

Zipf’s Law

• Relates popularity to frequency

• Exponential decay

• Applies to all sorts of weird situations

0

10

20

30

40

50

60

70

80

90

100

1 2 3 4 5 6 7 8 9 10

Zipf's Law

17

Page 18: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

Benford’s Law

• Is a description of what the first digit of a number will be

• Never have to calculate it, it’s always the same.

• Used in detecting bank fraud for years

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

1 2 3 4 5 6 7 8 9

Benford's Law

18

Page 19: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

Network traffic is natural!

• So we can use power laws to detect “Fraud”, or in this case DoS/DDoS!

• Metadata follows various power laws!

• Just have to check if they match.

19

Page 20: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

20

Page 21: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

21

Page 22: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

22

Page 23: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

But wait, there’s more!

23

Page 24: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

This can be an IDS too!

• Attacks appear to be detectible too

• Any significant activity that changes a network is detectable

• Nmap, brute force, for example

24

Page 25: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

User Profiling

• Benford’s, Zipf’s laws are sensitive to changes in a system

• Can create unique profiles of users

• Are sensitive to when they change

• Thanks to power laws, are hard to fool too!

25

Page 26: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

How do I use this though?

• Is very lightweight

• Can run just as software

• Fully integratable into current systems

26

Page 27: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

PEIMA framework

• Gather metadata

• Create windows

• Perform analysis

• Make decisions

27

Page 28: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

Example One

• Running on a gateway

• Detects DoS/DDoS

• Configures Iptables to adapt

• Silent DoS mitigation

28

Page 29: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

Example Two

• Running alongside SIEM

• Performs analysis to assist SIEM alert generation

• More accurate alerts

• Better alert severity

29

Page 30: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

Conclusions

• Very early days for power law based analysis

• Possible that all kinds of computer metrics are power law compliant

• PEIMA solutions are coming.

30

Page 31: PEIMA: Harnessing Power Laws to Detect · PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond Stefan

A brand new and fast method of detecting DoS/DDoS attacks.

How to implement a PEIMA system.

A new, power law based way of analysing networks.

Black Hat Sound Bytes

Contact @ [email protected] you!