1 / 20

Cybersecurity Analytics

Cybersecurity Analytics. Pavan Bulusu Samanth Chundi Sivaram Mallampati Shuhan Yang. Question 1:. What are the IP addresses of those devices that are more vulnerable ? Where can we find authentication information in devices ? Research on Linux devices’ “ passwd ” storing place

aviv
Download Presentation

Cybersecurity Analytics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cybersecurity Analytics PavanBulusu SamanthChundi SivaramMallampati Shuhan Yang

  2. Question 1: • What are the IP addresses of those devices that are more vulnerable? • Where can we find authentication information in devices? • Research on Linux devices’ “passwd” storing place • Query Shodan database with the keyword “banner” • Only searching for IP addresses • Store results in Excel file and ready to be read

  3. Question 2: • Where are the locations of these devices, and is there a pattern between different countries and vulnerable devices? • Assumptions of related variables: • GDP per capita • Number of PC ownership • Volume of hacking traffic

  4. Question 2: Research Design • Use automated JAVA application to extract the IP addresses from Q1 • Can read both excel file and CSV file • Sample code:

  5. Question 2: Research Design

  6. Question 2: Research Design • Write a loop using Python • Input IP addresses one by one • Return location information from Shodan database

  7. Question 2: Results

  8. Question 1+2: Analytics

  9. Question 1+2: Findings & Discussions • After using Tableau to combine all the factors we assume, we found the following facts: • The higher number of PC ownership, the more vulnerable machines in a country • The higher number of hacking traffic, the less vulnerable machines in a country • The correlation between GDP per capita and number of vulnerable machines are not very strong. But in this sample pool, higher GDP per capita indicates a lower number of vulnerable machines in a country.

  10. Question 3 • Who are the most important and influential cyber criminals? What are their motives/interests and to what extent these discussions have taken place over the years? • The Approach • Identify the important individuals on hacker forums • Extract relevant cyber security threats / vulnerabilities that are being discussed • Analyze the patterns of these discussions • Effect: Increases the probability of picking the trending topics in the hacker community and consequently predicting their motives

  11. Question 3: Collection • Select top 3 authors from a forum select authorid, authorName, cast(reputationscore as unsigned) as score from <forum-name> order by score desc; • Get the author name and threads with highest number of discussions and views select P.authorid, authorname, reputationscore, P.threadID, title, cast(numOfPosts as unsigned) as "No of Posts", numofview from anonposts P, anonthread T, anonauthor A where P.authorid = <authorID> and P.authorID = A.authorID and P.threadID = T.threadID order by 6 desc; • Analyze the discussions taking place for each thread over the years select month(str_to_date(postdate, '%d %M %Y')), count(postid) from anonposts where threadID=<threadID> group by 1;

  12. Question 3: Analytics • Most discussions take place during summer (May, June) • Author ID: 1 | Author name: Ivana | Topic: Vulnerable government websites SQLI

  13. Question 3: Analytics • Author ID: 116 | Author name: Blazze | Topics: Leak VPN with over 50 servers, Chat Spammer (Facebook and more), How to hack gmail and facebook using FudKeylogger

  14. Question 3: Analytics • Author ID: 417 | Author name: Namit2saxena | Topic: Stealth Booter 1.1

  15. Question 4: • To identify and extract data related to malware: Stuxnet from entire Hacker-Web database. Analyze the data collected to derive and identify similarities with malware such as Flame, Duqu, wiper, shamoon and disttrack. • Our Approach • 1. The first step is to extract information about ‘Stuxnet’ from entire Hacker-web database which involves complex SQL queries. • 2. The next step is to identify the tables with highest number of posts related to stuxnet. • 3. The third step is to drill down and identify the authors who posted the highest number of posts related to stuxnet or its sister malware. • 4. The fourth step is to select the authors with highest number of relevant posts from above results i.e. authorID: 1036454 and authorID: 3804 and analyze the content of their posts to know more about stuxnet and its sister malware.

  16. Question 4: Collections • SELECT postID , IF(CAST(postID AS CHAR) REGEXP 'stuxnet' , postID, '') AS postID , IF(CAST(flatContent AS CHAR) REGEXP 'stuxnet' , flatContent, '') AS flatContent , IF(CAST(contentWithHTMLTag AS CHAR) REGEXP 'stuxnet' , contentWithHTMLTag, '') AS contentWithHTMLTag , IF(CAST(hasAttachment AS CHAR) REGEXP 'stuxnet' , hasAttachment, '') AS hasAttachment , IF(CAST(postDate AS CHAR) REGEXP 'stuxnet' , postDate, '') AS postDate , IF(CAST(postTime AS CHAR) REGEXP 'stuxnet' , postTime, '') AS postTime , IF(CAST(postrank AS CHAR) REGEXP 'stuxnet' , postrank, '') AS postrank , IF(CAST(URL AS CHAR) REGEXP 'stuxnet' , URL, '') AS URL , IF(CAST(authorID AS CHAR) REGEXP 'stuxnet' , authorID, '') AS authorID , IF(CAST(threadID AS CHAR) REGEXP 'stuxnet' , threadID, '') AS threadID • FROM cybersecurity.<forum/table name> • WHERE • CAST(postID AS CHAR) REGEXP 'stuxnet' OR CAST(flatContent AS CHAR) REGEXP 'stuxnet' OR CAST(contentWithHTMLTag AS CHAR) REGEXP 'stuxnet' OR CAST(hasAttachment AS CHAR) REGEXP 'stuxnet' OR CAST(postDate AS CHAR) REGEXP 'stuxnet' OR CAST(postTime AS CHAR) REGEXP 'stuxnet' OR CAST(postrank AS CHAR) REGEXP 'stuxnet' OR CAST(URL AS CHAR) REGEXP 'stuxnet' OR CAST(authorID AS CHAR) REGEXP 'stuxnet' OR CAST(threadID AS CHAR) REGEXP 'stuxnet'

  17. Question 4: Collections Process 1: To identify top authors in ashiyaneposts forum Process 2: To identify top authors in shabgardposts forum

  18. Question 4: Collections Top authors in ashiyaneposts forum Top authors in shabgardposts forum:

  19. Question 4: Analytics – Rise of Zbot in 2013

  20. Question 4: Evidence – Rise of ZBOT/ZeuS in 2013

More Related