
Khiem Lam

Profiling Hackers' Skill Level by Statistically Correlating the Relationship between TCP Connections and Snort Alerts. Khiem Lam. Challenges to Troubleshooting Compromised Network. Time consuming to find vulnerabilities Difficult to determine planted exploits Uncertain of the degree of damage.



  1. Profiling Hackers' Skill Level by Statistically Correlating the Relationship between TCP Connections and Snort Alerts. Khiem Lam

  2. Challenges to Troubleshooting a Compromised Network
  • Time consuming to find vulnerabilities
  • Difficult to determine planted exploits
  • Uncertain of the degree of damage

  3. Motivation for Profiling Hackers
  • Can profiling the attacker's skill level assist with risk management?
  • Understand the level of threat
  • Narrow down which vulnerabilities are likely in play
  • Reduce the time and resources spent investigating "what if" scenarios

  4. Approach - Hypotheses about a Skilled Attacker's Behavior
  • Avoids IDS detection if they know the rule set in advance
  • Avoids common techniques to reduce the chance of detection
  • Establishes many short connections
  • If these hypotheses are true, then there must be patterns that allow attackers to be grouped by their behavior!

  5. Exploratory Approach: (1) data acquisition/separation, (2) data standardization/formatting, (3) cluster analysis

  6. Phase 1 - Data Acquisition/Separation (flowchart). Two data sources: TCP connection data and IDS alert data. Inputs are the competition PCAP captures and the competition Snort alert logs. The captures are separated into per-team PCAPs (Team A's pcap, Team B's pcap), from which each team's TCP connection info is extracted; the captures are also run through the Snort application to produce updated Snort alert logs.

  7. Phase 2 - Data Standardization (flowchart). The updated Snort alert logs, the competition Snort alert logs and Team A's connection info are converted to CSV format, then aggregated with the R statistical tool into Team A's aggregated data by time period.

  8. Phase 2 - Example of Actual Aggregated Data (table not reproduced here): the aggregated data for two teams connecting to one service.

  9. Results - Graph of the Aggregated Data (figure not reproduced here).

  10. Phase 3 - Cluster Analysis Using R (flowchart). Inputs: Team A's, Team B's and Team C's aggregated data by time period. Steps: find the correlation between attributes, add weights, compute Euclidean distance, run the cluster analysis. Outputs: cluster data, and cluster analysis results plus graphs.

  11. Phase 3 - Example of Actual Cluster Data (table not reproduced here): the cluster data of all teams connecting to one service.

  12. Results - Euclidean Cluster Graph (figure not reproduced here).

  13. Results - K-means Cluster (K-means cluster plot not reproduced here).
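As an added example, not code from the original slides (the author used R), the following Python reproduces the shape of Phases 2 and 3: it buckets TCP connection records and Snort alert_fast lines per team and per 15-minute window, builds one feature vector per (team, window), and clusters those vectors with Euclidean-distance k-means. Everything in it is an assumption of mine: the team subnets 10.0.1.0/24 and 10.0.2.0/24, the window length, the four features (connection count, mean duration, alert count, alerts per connection), the constructed connection records and alert lines, and the use of per-feature z-scoring as a plain stand-in for the slide's "add weights" step. The sample data is built so that one team makes many short, quiet connections and the other makes few long, noisy ones, which is the behavioral split the hypotheses on slide 4 predict.

```python
# Added example, not from the original slides: aggregate TCP-connection records and
# Snort fast-alert lines per team and time window, then cluster with Euclidean k-means.
import ipaddress
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

TEAM_SUBNETS = {"Team A": ipaddress.ip_network("10.0.1.0/24"),   # assumed competition
                "Team B": ipaddress.ip_network("10.0.2.0/24")}   # subnet layout
WINDOW_MINUTES = 15
YEAR = 2024  # Snort fast alerts carry no year; assumed here

# Snort alert_fast line: ts [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+.+?\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+[\d.]+:\d+$")

def team_of(ip):
    return next((t for t, net in TEAM_SUBNETS.items() if ipaddress.ip_address(ip) in net), None)

def window_of(ts):
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0, microsecond=0)

def parse_alert(line):
    m = ALERT_RE.match(line)  # returns None for lines that are not fast-alert records
    if m:
        return datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f").replace(year=YEAR), m.group("src")

def aggregate(connections, alert_lines):
    """Map (team, window start) -> features; a connection is (start, src, dst, dport, seconds)."""
    buckets = defaultdict(lambda: {"durations": [], "alerts": 0})
    for start, src, _dst, _dport, seconds in connections:
        if team_of(src):
            buckets[(team_of(src), window_of(start))]["durations"].append(seconds)
    for ts, src in filter(None, map(parse_alert, alert_lines)):  # unparsable lines dropped
        if team_of(src):
            buckets[(team_of(src), window_of(ts))]["alerts"] += 1
    out = {}
    for key, b in buckets.items():
        n = len(b["durations"])
        out[key] = {"connections": n, "mean_duration": sum(b["durations"]) / n if n else 0.0,
                    "alerts": b["alerts"], "alerts_per_connection": b["alerts"] / max(n, 1)}
    return out

def zscore(rows):
    """Standardize each column so counts and durations get comparable weight."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0 for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k, max_iter=100):
    # Lloyd's k-means; farthest-first seeding instead of random init keeps it deterministic
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(euclid(p, c) for c in centroids)))
    labels = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda i: euclid(p, centroids[i])) for p in points]
        if new == labels:
            break
        labels = new
        for i in range(k):
            members = [p for p, lab in zip(points, labels) if lab == i]
            if members:
                centroids[i] = [sum(c) / len(members) for c in zip(*members)]
    return labels

def cluster_windows(features, k=2):
    keys = sorted(features)
    return dict(zip(keys, kmeans(zscore([list(features[key].values()) for key in keys]), k)))

# Constructed sample: two teams hitting one service across two 15-minute windows.
BASE, SERVICE = datetime(YEAR, 1, 10, 12, 0), "10.0.0.10"
WINDOW2 = BASE + timedelta(minutes=WINDOW_MINUTES)

def _conns(src, start, count, seconds):
    return [(start + timedelta(seconds=20 * i), src, SERVICE, 80, seconds) for i in range(count)]

def _alert(ts, src):
    return (f"{ts:%m/%d-%H:%M:%S.%f}  [**] [1:1000001:1] LOCAL web probe [**] [Classification: "
            f"Web Application Attack] [Priority: 2] {{TCP}} {src}:43210 -> {SERVICE}:80")

# Team A: many short connections, one alert.  Team B: few long connections, many alerts.
CONNECTIONS = (_conns("10.0.1.5", BASE, 6, 0.5) + _conns("10.0.1.5", WINDOW2, 5, 0.4)
               + _conns("10.0.2.7", BASE + timedelta(minutes=2), 1, 30.0)
               + _conns("10.0.2.7", BASE + timedelta(minutes=9), 1, 40.0)
               + _conns("10.0.2.7", WINDOW2 + timedelta(minutes=5), 1, 25.0))
ALERTS = ([_alert(WINDOW2 + timedelta(minutes=1), "10.0.1.5")]
          + [_alert(BASE + timedelta(minutes=3 + i), "10.0.2.7") for i in range(4)]
          + [_alert(WINDOW2 + timedelta(minutes=6 + i), "10.0.2.7") for i in range(3)]
          + ["not a Snort line; must be skipped"])

def run_demo():
    features = aggregate(CONNECTIONS, ALERTS)
    return features, cluster_windows(features)
```

Calling run_demo() returns the four (team, window) feature rows and a cluster label per row; with this data both Team A windows land in one cluster and both Team B windows in the other. Two caveats that matter for the real study: window length changes the feature values and therefore the clusters (the slide on future work already plans to vary it), and without standardization the mean-duration column, measured in seconds, would dominate the Euclidean distance over the small integer counts.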

  14. Limitations of the Current Approach
  • Relies on competition data (time period, team subnet info)
  • Assumes attackers know the competition's alert rules in advance
  • Assumes submitted flags are a reliable criterion for measuring an attacker's skill
  • Inconsistency between different services

  15. Future Work for Improvement
  • Experiment with varying time periods (5 minutes, 15 minutes, 30 minutes)
  • Extend the updated alert rules to capture more events
  • Add additional features (Andrew and Nikunj's TCP stream distance)
  • Weight the correlation between attributes
  • Explore other analyses available in R

  16. Questions?
